Max Schmitt mxschmitt

Odyssey Stealer (ClickFix Campaign) - Malware Investigation

Summary

This repository contains an analysis of a macOS infostealer delivered via a ClickFix social engineering attack hosted on testdino.com. The malware is an instance of Odyssey Stealer (a rebrand of Poseidon Stealer, itself a fork of AMOS/Atomic Stealer) -- a sophisticated macOS credential and cryptocurrency theft tool distributed as Malware-as-a-Service (MaaS) by a Russian-speaking threat actor known as "Rodrigo."

The victim was tricked into pasting a malicious command into their macOS Terminal through a fake CAPTCHA verification page.

.NET:

no cache hit (probably because we sign and its then different, or because we do a local install)
we still have the 600 MB cache folder (which never gets used)

Python:

no cache hit
0MB cache (probably local install does not end up in the cache)

Java:

Get your list of versions from here: https://nodejs.org/download/nightly/

v20.0.0-nightly20221021eb32a8443a/                 21-Oct-2022 07:30                   - good
v20.0.0-nightly20221031e43ecd5fec/                 31-Oct-2022 07:30                   -
v20.0.0-nightly20221101590cf569fe/                 01-Nov-2022 07:00                   -
v20.0.0-nightly20221111916af4ef2d/                 11-Nov-2022 06:30                   -
v20.0.0-nightly20221121abadaca982/                 22-Nov-2022 19:00                   -
v20.0.0-nightly202212013bed5f11e0/                 01-Dec-2022 07:00                   -
v20.0.0-nightly20221202cc2732d764/                 05-Dec-2022 17:00                   -

See here: https://github.com/mxschmitt/playwright-test-coverage/

	- name: Download
	run: Invoke-WebRequest https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-windows-amd64.zip -OutFile ngrok.zip
	- name: Extract
	run: Expand-Archive ngrok.zip
	- name: Auth
	run: .\ngrok\ngrok.exe authtoken $Env:NGROK_AUTH_TOKEN
	env:
	NGROK_AUTH_TOKEN: ...
	- name: Enable TS
	run: Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0

	// Writing a polyfill for window.safari.pushNotification.
	// Source https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/NotificationProgrammingGuideForWebsites/PushNotifications/PushNotifications.html

	(() => {
	type Permission = 'default' \| 'denied' \| 'granted';

	class SafariRemoteNotification {
	permission(websitePushID: string) {
	return new SafariRemoteNotificationPermission(null, 'default')
	}

	// @ts-check
	import { chromium } from 'playwright';
	import assert from 'node:assert';
	import path from 'node:path';

	process.env.PW_CHROMIUM_ATTACH_TO_OTHER = '1';

	(async () => {
	const pathToExtension = path.dirname(new URL(import.meta.url).pathname);
	const context = await chromium.launchPersistentContext('', {

	import { Page } from '@playwright/test';

	/**
	* This is a Page Object Model (POM) class for the application's Todo page. It
	* provides locators and common operations that make writing tests easier.
	* @see https://playwright.dev/docs/test-pom
	*/
	export class TodoPage {
	/**
	* Locators are used to reflect a element on the page with a selector.

	Try Playwright (try.playwright.tech) rewrite

	+-----------------------------------------------------------------------+ +------------------------------------------------------------------------------------------------------------------------------------+
	\| Before \| \| N times After N times \|
	\| 1x time 1x time \| \| +------------------------+ +------------------------------------------------+ \|
	\| +------------------+ +------------------------+ \| \| \| \| \| \| \|
	\| \| \| \| \| \| \| \| Frontend (LB) \| +------------------+

	// Run it with: node --harmony-top-level-await test.mjs
	import { createServer } from 'http'
	import { on } from 'events'

	const PORT = 3000
	const reqs = on(createServer().listen(PORT), "request")
	console.log(`Listening on port ${PORT}`)
	for await (const [req, res] of reqs)
	res.end(`User-Agent: ${req.headers["user-agent"]}`)