It's time to review some of the free malware people sent me in DMs.
tl;dr tl;dr
- 1 no malwares
- 1 dead malwares
- 2 meh malwares
- 3 good malwares
tl;dr
- not malware, kid wanting ppl to review his minecraft mod
- dead malware :(
- SalatStealer, accidentally shot myself
- MacOS malware, MacSync or something, idfk
- weird malware never seen before, cool but vibe coded
- new FAUX#ELEVATE malware campaign (good malware)
- GachiLoader, KidKaki loader, Rhad campaign (very good malware)
non-tl;dr
- Person sends me spoopy files they got on Discord. It was not malware. It was someone wanting legitimate feedback on their Minecraft mod stuff (surprising)
- Person links me to ClickFix website, the compromised website still has ClickFix active (social engineering to deliver malware). However, the website C2 (where the malware comes from) is dead. No free malware.
- Person sends me spoopy .exe they found. I download it, try to rename it, accidentally detonate it on my personal computer. It was SalatStealer. I had to disconnect my internet stuff, remove the files and persistence stuff it set up, and change my passwords. Very cool
- Person sends me weird GitHub link. It was multi-staged and obfuscated gunk. It ultimately delivered malware designed for MacOS. I don't do MacOS malware. MacOS malware nerds suspect it is an ongoing MacSync malware campaign (or possibly Odyssey). I don't deal with MacOS malware so I don't know what this means.
- Person sends me weird goop they randomly got on Discord. It was multi-staged Electron JS malware. The main binary creates a Java Virtual Machine (for running Java code), while a secondary binary runs through four layers of obfuscation (file creating an obfuscated file, which contains an obfuscated file, which contains an obfuscated file) which ultimately delivers an AES-128-encrypted payload. The final payload then performs interprocess communication with the Java Virtual Machine the main process created. I have no idea what this malware is. It is partially vibe coded using Claude.
- Person sends me weird .exe. It turns out it's an Epic Games account creation spam tool. The spam tool was used for a Discord Nitro aggregation campaign. It would create Epic accounts in bulk to receive Discord Nitro for free (temporary promotion between Epic and Discord) which they then sold online for $5. A spammer DM'd me and was frustrated I reverse engineered it and shared the decompiled code.
- Person DMs me. They got a weird e-mail that contained a heavily obfuscated .vbs file. However, the .vbs file was corrupted. I complained about it on social media and someone decided to debug and fix the malware payload for me. The .vbs ended up pulling a password-protected .zip from Dropbox. The password-protected .zip file contained several different files such as a credential stealer and a Monero miner. It turns out this is a new and evolving malware campaign from FAUX#ELEVATE. Initially they targeted French people, however it appears they have changed targets.
- Person links me to a No Man's Sky save editor website. This is a fake website which gives you a fake save editor. It is a .zip password protected with the string "goatfungus". The files inside of this .zip were a gigantic pain in the ass to reverse engineer due to its anti-reverse-engineering measures, anti-virtual-machine components, and multi-staged payloads. It ended up being GachiLoader and KidKadi Loader. These malware campaigns coincide with a larger Rhadamanthys malware campaign.
Thrilled to announce my SQLi vulnerability discovery in the HTML5 Video Player plugin for WordPress has been accepted by @_WPScan_ and assigned CVE-2024-5522 with a critical CVSS score of 10.
For further details, please refer to the WPScan Security Advisory: https://t.co/OCPl8Sw9PH