I tried Content-Types, User-Agent, but no luck. I'm not sure what the User-Agent of `req` is, but the default `node-fetch/1.0` does make the response JSON. They're a 307, but the result is a PNG.
I presume the original payload may have contained information that the hackers want to keep from prying eyes. Especially now that it landed on HN, it makes sense to take it offline and replace it with an actual PNG to avoid people finding information in it that may harm their future hacks or so?
So I fed it to Qwen. It seems to think it's just a downloader and persistence mechanism for another payload. I will try to download it too and see what Qwen thinks of that.
That script then proceeds to download three Python scripts that use the aforementioned Python environment and do their business; Qwen is having trouble de-obfuscating their URLs, and I am busy.
I'm actually curious to know how you people visit the link securely. I guess a VM, but could in theory something be resilient enough to misuse the Shared Clipboard or something to access your host machine?
Also what is your go to OS?
Hm, when I think of it, an old Raspberry Pi could be my go-to for this, but always physically.
tl;dr: Qubes OS, disposable VMs, don't run the malware; physical isolation sounds better but is its own can of worms.
> I'm actually curious to know how you people visit the link securely.
Disposable VM with a connection to Tor. Then copied to a disposable VM with access only to one port on my LLM server, the one running llama.cpp.
> I guess a VM, but could in theory something be resilient enough to misuse the Shared Clipboard or something to access your host machine?
When I am doing this kind of thing I have some rules.
Rule #1 Do not run the malware.
Rule #2 No copying from the analysis vm.
Given the malware is not run, it's highly unlikely that any Xen vulnerabilities can be exploited, or llama.cpp vulnerabilities for that matter.
Ideally I would not be using my own LLM server but proxying the requests through another VM that contains temporary credentials to an LLM provider. But I did not have the time to set that up.
> Also what is your go to OS?
Qubes OS
> Hm, when I think of it, an old Raspberry Pi could be my go-to for this, but always physically.
Physical isolation has its own issues. If you don't airgap the device it could exploit other devices in your network; old residential routers are not exactly bulletproof, especially from the LAN side. Additionally, physical devices could be vulnerable to BIOS and UEFI firmware persistence mechanisms.
Update: found a clone of the repo on GitHub and got the payload. All you have to do is add a header `bearrtoken: logo`.
It's obfuscated; I will feed it to Qwen to see what can be gleaned.
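An added example, written by the editor and not posted by any of the commenters above, of how a practitioner would pull a payload like this for static analysis without ever executing it: send the extra request header the update mentions, follow redirects by hand so every hop is logged, classify the body by its magic bytes instead of trusting the server's Content-Type (the thread notes a 307 whose result is a PNG), and hash it for the notes. The real endpoint's URL is not on the page, so the block stands up a constructed local HTTP server that mimics the described behaviour (a 307 to a PNG unless `bearrtoken: logo` is sent); the server, the PNG bytes and the "payload" bytes are all fabricated stand-ins, and the payload is stored and hashed, never evaluated.

```python
"""Fetch a suspect payload for static analysis only: custom header, manual
redirect following, magic-byte sniffing, sha256.  The HTTP server here is a
constructed stand-in for the real endpoint (editor's example, not the
thread's code)."""
import hashlib
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urljoin

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Constructed sample bodies; the real obfuscated script is not reproduced.
FAKE_PAYLOAD = b"eval(String.fromCharCode(118,97,114,32,120));"  # never executed
FAKE_PNG = PNG_MAGIC + b"\x00" * 16


def sniff_kind(body: bytes) -> str:
    """Classify bytes by magic number; the Content-Type header may lie."""
    if body.startswith(PNG_MAGIC):
        return "png"
    if body.startswith(b"MZ"):
        return "pe"
    if body.startswith(b"\x7fELF"):
        return "elf"
    if body.startswith(b"#!"):
        return "script"
    try:
        body.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError instead of following."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_for_analysis(url: str, extra_headers: dict, max_hops: int = 5) -> dict:
    """GET url with extra_headers, record each hop, return body metadata only."""
    opener = urllib.request.build_opener(_NoRedirect)
    hops = []
    for _ in range(max_hops):
        req = urllib.request.Request(url, headers=extra_headers)
        try:
            resp = opener.open(req, timeout=5)
            status = resp.status
        except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
            resp, status = err, err.code
        hops.append((status, url))
        location = resp.headers.get("Location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            resp.close()
            continue
        body = resp.read()
        resp.close()
        return {
            "hops": hops,
            "content_type": resp.headers.get("Content-Type", ""),
            "kind": sniff_kind(body),
            "sha256": hashlib.sha256(body).hexdigest(),
            "size": len(body),
        }
    raise RuntimeError("too many redirects: %r" % hops)


class _FakeEndpoint(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in: 307 to a PNG unless the magic header is present."""
    def do_GET(self):
        if self.path == "/payload":
            if self.headers.get("bearrtoken") == "logo":
                self._send(200, "application/json", FAKE_PAYLOAD)
            else:
                self.send_response(307)
                self.send_header("Location", "/logo.png")
                self.end_headers()
        elif self.path == "/logo.png":
            self._send(200, "image/png", FAKE_PNG)
        else:
            self._send(404, "text/plain", b"not found")

    def _send(self, code, ctype, body):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo() -> dict:
    """Serve the fake endpoint on an ephemeral port and fetch it both ways."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeEndpoint)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d/payload" % srv.server_address[1]
    try:
        return {
            "plain": fetch_for_analysis(base, {"User-Agent": "node-fetch/1.0"}),
            "token": fetch_for_analysis(base, {"bearrtoken": "logo"}),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(name, r["hops"], r["content_type"], r["kind"], r["sha256"][:16])
```

Against the real endpoint you would replace `run_demo` with a call to `fetch_for_analysis` on the actual URL from inside the disposable VM; the point of sniffing and hashing rather than opening the file is that nothing here interprets the body, so the only exposure is the HTTP client's own parsing.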