🫦 Password Stealer
🫦 Wallet Stealer (44+ crypto extensions)
🫦 File Scanner (uploads docs, keys, code)
🫦 Clipboard Monitor (captures copied sensitive data, e.g. seed phrases)
🫦 .env Stealer (API keys and env vars from projects)
🫦 Socket Backdoor (remote commands)

⚠️ What to Do If Infected ⚠️
Isolate: Disconnect from the network first, so the socket backdoor loses its C2 channel and the two uploaders cannot finish their sweeps.
🔎 Scan: Run AV (e.g. Malwarebytes, ESET) in safe mode.
❗️ Kill Processes: End all Node.js tasks, the socket script first because it can restart the other two, then delete the lock files in %TEMP% or /tmp. The lock files only suppress duplicate launches; removing them stops nothing on their own, so kill before you delete.
↔️ Remove Artifacts: Uninstall the rogue npm modules (axios, socket.io-client, sql.js, form-data were installed with --no-save, so they will not show up in any package.json), delete the temp dirs and the three scripts.
📞 Remediate: Change every password that was stored in a browser, rotate any API keys found in .env files and any keys/certs that were on disk, treat wallets whose extension data or seed phrase was taken as compromised and move the funds, monitor accounts, and restore from clean backups.
👍 Prevent: Keep credentials in a dedicated password manager with MFA rather than the browser's built-in store (this tool decrypts Chromium's Login Data directly), never run untrusted JS or npm packages, and keep UAC/SELinux enabled.

ℹ️ Info about the malware
➡️ malwareScript1 code - ldbScript.js
➡️ malwareScript2 code - autoUploadScript.js
➡️ malwareScript3 code - socketScript.js

🔥 Malware Analysis:
This is a Node.js-based infostealer and backdoor. Its target set (browser credential stores, crypto wallet extension data, file scanning, socket C2) overlaps with commodity stealers such as RedLine, Stealerium and Lumma, but those are .NET/C++ Windows binaries; the overlap is in tradecraft, not code, so this is more likely a custom Node.js tool that borrows their target list than a port or variant of any of them.
❗️ It runs cross-platform (Windows, Linux including WSL, macOS) and focuses on:
▶️ Stealing browser credentials and crypto wallet data.
▶️ Scanning and exfiltrating sensitive files system-wide.
▶️ Monitoring the clipboard for copied secrets (passwords, crypto seed phrases).
▶️ Establishing a persistent backdoor for remote command execution.
All data is uploaded to a C2 server at 144.172.105.122 (TCP ports 8085-8087). The hard-coded endpoints in the scripts are the actionable indicator; reports of scanning from neighbouring addresses (e.g. 144.172.103.x) and abuse flags on the range are only corroborating context, since adjacency within a provider's range says little about one host. There is no public attribution.

How It Works?
▶️ The main script sets up error handling, installs its dependencies (axios, socket.io-client, sql.js, form-data) if they are missing, gathers system info, and spawns three detached child processes. Lock files in %TEMP% or /tmp stop it from launching duplicates. Each child either loops or runs persistently.

👑 System Recon & Logging:
▶️ Collects hostname, OS version and username.
▶️ POSTs logs to http://144.172.105.122:8087/api/log, tagged with ukey=104 and t=1 as client identifiers. Example payload:
{ukey:104, t:1, host:"104_hostname", os:"Windows_NT 10.0", username:"user", message:"Starting client"}
The host field is the ukey prefixed onto the hostname, which makes the beacon easy to pick out of proxy logs.

✅ Technical Details & Evasion
▶️ Persistence: detached processes guarded by lock files (pid.t.1.lock etc.) in the temp dir; the children are unref'd so the parent can exit. No boot-time persistence (Run key, cron, launchd) is described, so as analysed the processes survive the parent exiting but not a reboot; the lock files are the on-disk trace to look for.
▶️ Encryption handling: decrypts browser data with the master key from Local State (AES-GCM for the v10 blobs, with the key itself DPAPI-protected on Windows).
▶️ Cross-platform: extensive WSL detection (checks /proc/version and env vars) so it can reach Windows profiles from Linux.
▶️ Error resilience: swallows uncaught exceptions and rejections, retries uploads, skips locked files (EBUSY/EACCES).
▶️ Dependencies: auto-installs via npm install --no-save (quiet) if missing, so nothing is written to package.json.
▶️ Uploads: multipart FormData for files, JSON for logs, with metadata (browser ID, profile, extension ID).

⚡️ Spawned Processes
▶️ Process 1: LDB Script (Password & Wallet Stealer)
🔴 Targets Chromium-based browsers (Chrome, Brave, Edge, Opera, etc.).
🔴 Under WSL, maps Windows profile paths via /mnt/c/Users.
🔴 Extracts and decrypts passwords from the Login Data SQLite databases with sql.js and OS-specific crypto (DPAPI on Windows, Keychain on macOS, secret-tool on Linux).
🔴 Steals LevelDB files of specific extensions (crypto wallets: MetaMask nkbihfbeogaeaoehlefnkodbefgpgknn, Phantom bfnaelmomeimhlpmgjnjophhpkkoljpa, etc.; the full list of 44 IDs is in the code).
🔴 For Brave, additionally targets the built-in wallet data in Local Storage/leveldb.
🔴 Uploads to http://144.172.105.122:8085/upload as multipart form data.
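The cleanup steps and the indicators above (lock files in the temp dir, the hard-coded C2 endpoints, the npm install --no-save of the four dependencies, the ukey/t beacon with its prefixed host field) can be hunted with a small read-only triage script. This is an added example written for this page, not the malware's code and not the analyst's; it assumes the lock files are named <pid>.t.<n>.lock (the page only gives "pid.t.1.lock etc."), that netstat/ss output and proxy records are handed in as text, and all sample inputs in demo() are constructed.

```python
"""Read-only triage for the Node.js stealer indicators described above.
Added example for this page; the lock-file name shape is an assumption."""
import json
import os
import re
import tempfile

C2_IP = "144.172.105.122"
C2_PORTS = {8085, 8086, 8087}
# The four packages the dropper pulls in with `npm install --no-save`.
DROPPER_DEPS = {"axios", "socket.io-client", "sql.js", "form-data"}
# Assumed filename shape, from the page's "pid.t.1.lock etc.": <pid>.t.<slot>.lock
LOCK_RE = re.compile(r"^(?P<pid>\d+)\.t\.(?P<slot>\d+)\.lock$")


def find_lock_files(temp_dir):
    """Return one dict per lock file in temp_dir; pid is what you kill, slot 1-3
    is which of the three children it guards. Kill the pid first, then unlink."""
    hits = []
    for name in sorted(os.listdir(temp_dir)):
        m = LOCK_RE.match(name)
        if m:
            hits.append({"path": os.path.join(temp_dir, name),
                         "pid": int(m["pid"]), "slot": int(m["slot"])})
    return hits


def c2_connections(netstat_lines):
    """Return (ip, port) for every line with an endpoint on the C2 host and ports."""
    found = []
    for line in netstat_lines:
        for ip, port in re.findall(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)", line):
            if ip == C2_IP and int(port) in C2_PORTS:
                found.append((ip, int(port)))
    return found


def is_dropper_install(cmdline):
    """True for `npm install --no-save ...` that names any dropper dependency."""
    tokens = cmdline.split()
    if not {"npm", "install", "--no-save"} <= set(tokens):
        return False
    return any(dep in tokens for dep in DROPPER_DEPS)


def is_c2_log_beacon(method, url, body):
    """True for a POST to the log endpoint whose JSON carries ukey and t and a
    host field prefixed with '<ukey>_' (the page's example: '104_hostname')."""
    if method != "POST" or f"{C2_IP}:8087/api/log" not in url:
        return False
    try:
        rec = json.loads(body)
    except ValueError:
        return False
    ukey, t, host = rec.get("ukey"), rec.get("t"), rec.get("host", "")
    return ukey is not None and t is not None and host.startswith(f"{ukey}_")


def demo():
    """Run every check against constructed sample data and return the findings."""
    tmp = tempfile.mkdtemp()
    for name in ("4242.t.1.lock", "4243.t.2.lock", "notes.txt"):  # constructed
        open(os.path.join(tmp, name), "w").close()
    netstat = [  # constructed lines in `netstat -an` style; 203.0.113.10 is TEST-NET
        "tcp  0  0 10.0.0.5:51234  144.172.105.122:8085  ESTABLISHED",
        "tcp  0  0 10.0.0.5:51235  144.172.105.122:8087  ESTABLISHED",
        "tcp  0  0 10.0.0.5:443    203.0.113.10:443      ESTABLISHED",
    ]
    cmdline = "npm install --no-save axios socket.io-client sql.js form-data"
    body = json.dumps({"ukey": 104, "t": 1, "host": "104_hostname",
                       "os": "Windows_NT 10.0", "username": "user",
                       "message": "Starting client"})
    return {
        "lock_files": find_lock_files(tmp),
        "c2_connections": c2_connections(netstat),
        "dropper_install": is_dropper_install(cmdline),
        "log_beacon": is_c2_log_beacon("POST", f"http://{C2_IP}:8087/api/log", body),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real host, point find_lock_files at %TEMP% or /tmp, feed it the output of netstat -an or ss -tanp, and the node command lines from the process list; the PIDs in the lock files are the ones to kill, slot 3 (the socket script) first, and only then remove the lock files.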
🔴 Runs in a loop (up to 10 iterations, 30 s sleep); every 3rd run extracts passwords to s.txt and uploads it.
🔴 Also uploads system info as sysinfo.txt, and the macOS keychain if present.
▶️ Process 2: Auto Upload Script (File Scanner & Exfiltrator)
🔴 Walks the filesystem from the home dir (or every drive on Windows, enumerated with PowerShell/Get-CimInstance).
🔴 Prioritises Desktop, Documents, Downloads, OneDrive, Google Drive.
🔴 Selects "sensitive" files by extension (e.g. .txt, .pdf, .docx, .csv, .json, .sql, .key, .pem, .wallet; the full list is inferred from the exclusions, which skip media, binaries, etc.).
🔴 Skips common dev dirs (node_modules, .git, venv) and files larger than 5 MB.
🔴 Uploads to http://144.172.105.122:8086/upload (the code refers to it as autoUploadServer, likely a typo).
🔴 Adaptive 20-120 ms delays between uploads keep the traffic from standing out.
🔴 Handles errors so the sweep completes (e.g. retries on EMFILE/too many open files).
▶️ Process 3: Socket Script (Backdoor & Additional Stealers)
🔴 Connects to ws://144.172.105.122:8087 with socket.io.
🔴 Sends host info to /api/notify and logs to /api/log.
🔴 Polls the clipboard every 1 s (PowerShell on Windows/WSL, pbpaste on macOS, xclip/xsel on Linux) and logs every change.
🔴 Searches for .env* files system-wide (PowerShell on Windows, find on Unix) and uploads their contents, with paths sanitised for the upload.
🔴 Listens for remote commands:
  ▶️ Executes arbitrary shell commands (exec(command)).
  ▶️ Supports numeric opcodes such as "107" for file download/upload.
  ▶️ Emits results back; large files go to /api/upload-file and the resulting URL is sent instead.
🔴 Process control: the operator can stop/start the other two scripts remotely via their lock files/PIDs, which is why this one should be killed first during cleanup.
🔴 Reconnects on failure (15 attempts).
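To scope what Process 2 and the .env search in Process 3 would have taken from a host, the selection rules above can be replayed read-only over a directory, which turns "files were uploaded" into a list of secrets to rotate. This is an added example written for this page, not the malware's code and not the analyst's. It applies the extension list as printed (the page calls it inferred and partial), the 5 MB limit and the dev-dir exclusions for the scanner, and no exclusions for the .env* search because the page mentions none (assumption); the directory tree built in demo() is constructed.

```python
"""Replay the stealer's file-selection rules over a directory to scope exposure.
Added example for this page; the extension list is the page's partial list."""
import os
import tempfile

SENSITIVE_EXTS = {".txt", ".pdf", ".docx", ".csv", ".json", ".sql", ".key", ".pem", ".wallet"}
EXCLUDED_DIRS = {"node_modules", ".git", "venv"}
MAX_SIZE = 5 * 1024 * 1024           # the scanner skips anything larger
PRIORITY_DIRS = ("Desktop", "Documents", "Downloads", "OneDrive", "Google Drive")


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def scan_sensitive_files(root):
    """Mirror the auto-upload scanner: prune excluded dirs, keep files with a
    targeted extension that are at most MAX_SIZE bytes."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in SENSITIVE_EXTS and os.path.getsize(path) <= MAX_SIZE:
                found.append(_rel(path, root))
    return found


def find_env_files(root):
    """Mirror the socket script's `.env*` search. The page gives it no
    directory exclusions, so none are applied (assumption)."""
    return [_rel(os.path.join(d, n), root)
            for d, _, names in os.walk(root)
            for n in names if n.startswith(".env")]


def scope_exposure(root):
    """Return [(relative_path, kind)] the two collectors would have uploaded,
    ordered by the scanner's top-level folder priority, then by path."""
    items = [(p, "file") for p in scan_sensitive_files(root)]
    items += [(p, "env") for p in find_env_files(root)]

    def rank(item):
        top = item[0].split("/")[0]
        pri = PRIORITY_DIRS.index(top) if top in PRIORITY_DIRS else len(PRIORITY_DIRS)
        return (pri, item[0])

    return sorted(set(items), key=rank)


def demo():
    """Build a constructed home-directory tree (sparse files) and scope it."""
    root = tempfile.mkdtemp()
    files = {                                       # constructed sample tree
        "Desktop/seed.txt": 64,
        "Documents/report.pdf": 2048,
        "Documents/export.csv": 6 * 1024 * 1024,    # too large: skipped
        "Downloads/photo.jpg": 512,                 # untargeted extension: skipped
        "keys/id_rsa.pem": 1700,
        "project/.env": 120,
        "project/node_modules/lib/package.json": 300,   # excluded dir: skipped
        "project/node_modules/lib/.env.example": 40,    # .env search does not prune
    }
    for rel, size in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.truncate(size)                       # sparse file of that size
    return scope_exposure(root)


if __name__ == "__main__":
    for path, kind in demo():
        print(f"{kind:4} {path}")
```

Run scope_exposure against the victim's home directory (or each drive root on Windows) and treat every listed .key/.pem/.wallet and .env file as exfiltrated; the ordering also tells you which folders were uploaded first if the sweep was interrupted by isolation.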