NodeSeek

Cloudflare's latest human verification, feels so advanced! (I got trojaned, I'm an idiot)

  • Upvote and a chicken leg, as consolation

  • First laugh of the day

  • Got a virus

  • Group photo

  • @fdiskmbr #155

    The bintools[.]io website appears to have been hijacked by someone who injected the malicious captcha code. The Javascript popup creation code is loaded from https://www.investonline.in/js/jq.php (probably another hacked website) and it's heavily obfuscated.

    Both the website and the PowerShell payload call the wexmri[.]cc domain; I was also able to get one from xmri[.]network once. Those domains decide who actually gets the popup based on browser parameters (probably user agent and IP) - that's why some were not able to get the fake captcha window.

    Both domains seem to be pointing to IP addresses hosted under AS215929 (datacampus.hk). Does anyone know them? They seem to be Chinese. Maybe worth reporting this, or are they involved?

  • Those domains decide who actually gets the popup based on browser parameters (probably user agent and IP) - that's why some were not able to get the fake captcha window

    @oloker #195 From what I tried, it doesn't seem to look at the IP much; it's a probability setting.
    It triggers randomly, and then for a short time, once it has successfully triggered, it caches a record keyed on IP and other parameters and temporarily stops serving the captcha, mimicking real captcha logic.
    (But this captcha screen is way too fake... it doesn't even look like CF's captcha screen... the guys who built this can't even copy properly xhj007)
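    The two posts above describe a defender's problem: the injected script is loaded from a third-party host, the popup is only served to some visitors (probabilistically, then cached per IP), and the hijacked page and the PowerShell payload both contact the same domains. Because a single fetch may not reproduce the popup, the reliable signals are the third-party script include in the page source and the follow-up contact to those domains in proxy logs. The example below is added here and is not code from the thread; it uses the defanged indicators quoted in the posts, and the HTML snippet, log format (`<timestamp> <client> <url> <status>`) and log lines are constructed samples.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Indicators as posted in the thread, kept defanged; this list is assembled from the posts above.
THREAD_IOCS_DEFANGED = [
    "bintools[.]io",          # hijacked site serving the fake captcha
    "www.investonline.in",    # host of the obfuscated popup script
    "wexmri[.]cc",            # contacted by both the page and the PowerShell payload
    "xmri[.]network",         # seen once in place of wexmri[.]cc
]
# Domains the posts say the payload itself calls back to.
C2_DOMAINS = {"wexmri.cc", "xmri.network"}


def refang(indicator):
    """Turn 'example[.]com' back into 'example.com' so it can be matched against live data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in THREAD_IOCS_DEFANGED}


def domain_matches(host):
    """True if host is an indicator domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


def third_party_scripts(html, site_host):
    """Return script src URLs whose host differs from the page's own host (relative srcs are skipped)."""
    found = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            found.append(src)
    return found


def _parse_log_line(line):
    """Split a constructed '<timestamp> <client> <url> <status>' line; None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    host = (urlparse(parts[2]).hostname or "").lower()
    return ts, parts[1], host


def flag_log_lines(lines):
    """Return (line_no, host) for every log line whose destination host is an indicator."""
    hits = []
    for i, line in enumerate(lines, 1):
        parsed = _parse_log_line(line)
        if parsed and domain_matches(parsed[2]):
            hits.append((i, parsed[2]))
    return hits


def clients_with_followup(lines, window_seconds=60):
    """Clients that loaded an indicator site and then reached a C2 domain within the window.

    Because the popup is only served to some visitors, the page load alone is weak evidence;
    the load followed by a C2 contact from the same client is the stronger signal.
    """
    first_seen = {}   # client -> time of first non-C2 indicator contact
    flagged = set()
    for line in lines:
        parsed = _parse_log_line(line)
        if not parsed:
            continue
        ts, client, host = parsed
        if host in C2_DOMAINS:
            t0 = first_seen.get(client)
            if t0 is not None and ts - t0 <= timedelta(seconds=window_seconds):
                flagged.add(client)
        elif domain_matches(host):
            first_seen.setdefault(client, ts)
    return flagged


# Constructed sample page source: one first-party script and one injected third-party include.
SAMPLE_HTML = """<html><head>
<script src="/assets/app.js"></script>
<script src="https://www.investonline.in/js/jq.php"></script>
</head><body>Download</body></html>"""

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2024-01-01T00:00:01Z 10.0.0.5 https://bintools.io/ 200",
    "2024-01-01T00:00:02Z 10.0.0.5 https://www.investonline.in/js/jq.php 200",
    "2024-01-01T00:00:03Z 10.0.0.5 https://cdn.example.com/lib.js 200",
    "2024-01-01T00:00:09Z 10.0.0.5 https://wexmri.cc/ 200",
    "2024-01-01T00:00:30Z 10.0.0.7 https://xmri.network/ 403",
]

if __name__ == "__main__":
    print("third-party scripts:", third_party_scripts(SAMPLE_HTML, "bintools.io"))
    print("indicator hits:", flag_log_lines(SAMPLE_LOG))
    print("clients with load -> C2 sequence:", clients_with_followup(SAMPLE_LOG))
```

    The sequence check deliberately requires the page load before the C2 contact: client 10.0.0.7 in the sample reaches xmri.network with no preceding load and is reported only as a single indicator hit, which matches the thread's observation that not every visitor is served the popup.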

  • 🤣👉🤡

  • Group photo

  • Reminds me that Steam has a way of adding games to your library through cmd. The chance that a newbie who understands nothing just follows along is very high.

  • @kotonoha #199 Those are exactly the target audience xhj023
    The dumb ones are the easiest to fleece
