To give a bit of context, I am a Discord admin on a small server about development, and we recently got a report from one of our users that someone was trying to get him to download an EXE file. The first thing I did was ask the reporter if he opened the file, to which he answered he did. He told me the program opened a console prompt for a few seconds and then exited. Most of the time, this isn’t good when you have downloaded a file from an untrusted source… So I grabbed my computer and downloaded the file (I downloaded it in a Linux VM, so if it gets infected in some ways, I can delete the VM). Time to investigate. Determining the kind of binary My first idea was to look up what was in this executable. To do so, I used the command like this : strings > strings file.exe The command finds the printable strings in a binary file. It is helpful to see any strings like URLs or addresses embedded in a file. strings This returned gibberish for most of the result, but at some point, I saw . We can now say it is a NodeJS bundled executable! NodeRuntime In that kind of executables, the sources are always present at the end of the output. Let’s take a look at those sources : strings function a0_0x47b121(_0x44bb58,_0x4e9d60,_0x355d77,_0x4e9d34,_0x1a193e){return a0_0x1b80(_0x1a193e- -0x1e4,_0x44bb58); The code looks obfuscated and minified on a very long line… I applied the following method to understand the logic behind the obfuscated code. First approach: Discord I knew that this binary was distributed through Discord DMs, so I looked if the code contained the word discord with grep. Bingo! Several functions contain the word : , , and . This last function looked promising. discord listDiscords startDiscord killDiscord pwnBetterDiscord I looked up on Google and Github for and found the source of the tool: . pwnBetterDiscord https://github.com/Stanley-GF/PirateStealer PirateStealer We have found the source code that was used in the bundled app. Let’s give it a look. It steals all the information that it can find from the Discord client by first killing the discord client and patching it with a Javascript payload to exfiltrate private information like Discord credentials and credit cards info via a Discord webhook (an URL where you can POST to send a message to your Discord server). The author claims that this tool is only for educational purposes, but he also sells premium features and support? That doesn’t seem like a righteous “educational purposes” claim… Finding the webhook URL from the obfuscated code The code is filled with many proxy functions that try to obfuscate the access to the main string-obfuscation function. Thanks to the code not being fully obfuscated, we can find . Let’s play a game and extract all the methods needed to decipher this code. webhook=a0_0x78da73(0x331,0x342,0x32c,0x2f1,0x324) For the sake of brevity, I will rename all the obfuscated functions to , … and their params , … fn1 fn2 p1 p2 (let’s call it ) takes 5 arguments but it only cares about the first and the last one : a0_0x78da73 fn1 **function** fn1(p1,p2,p3,p4,p5){return fn2(p5 - 0x26a,p1);} is more complicated, with initialization vectors and complex rotations, but we can bypass the complexity by calling this function directly. Let’s do that! fn2 I created a new file called that copies the needed code to run fn2 and and… we have it! The output is (output censored for privacy reasons). find_webhook.js console.log(fn2(0x324 — 0x26a, 0x331)), https://ptb.discord.com/api/webhooks/abcdefg/hijklmn Finding the user of the script I then used the webhook to send them messages telling them that I knew what they were doing and telling them to DM me with my discord ID, hoping they would answer me. And they did! From that, no more to say, the discussion was not very productive, but at least I could tell other servers we had in common that the bad guy was also on their server. I hope this post will encourage people to be more considerate when downloading executables from untrusted sources and will help some others to see how we can reverse NodeJS malwares, which are more and more used nowadays. If you have any suggestions or comments, do not hesitate to post them in the comment section, and I will try to answer them. Also, don’t forget to follow as I will continue to publish more advanced topics on this hack and Electron. Also Published Here

Google

Reversing a NodeJS Malware and Finding its Author

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

Analyzing the Source Code of Popular Desktop Apps for NodeJS Malware. Part2

The Noonification: Reduce Javascript: Master the Basics (1/11/2023)

The Noonification: Satoshi Might Be a Bitcoin ETF Skeptic (1/13/2024)

The Noonification: Small Puddle of Freedom (11/25/2022)

The Noonification: How to Use AI for Your B2B Marketing (11/11/2022)

Analyzing the Source Code of Popular Desktop Apps for NodeJS Malware. Part2

The Noonification: Reduce Javascript: Master the Basics (1/11/2023)

The Noonification: Satoshi Might Be a Bitcoin ETF Skeptic (1/13/2024)

The Noonification: Small Puddle of Freedom (11/25/2022)

The Noonification: How to Use AI for Your B2B Marketing (11/11/2022)

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps