by cloudbonsai 1693 days ago
For anyone interested, the malicious code can be found in the following link:

https://github.com/veged/coa/issues/99#issuecomment-96153687...

TLDR: The attacker injected attack code as coa's `preinstall` script, which executes an obscurely named file ("compile.bat"). This file is fully obfuscated, but what it does is basically pull exploit DLLs from the attacker's server and install 'em.

I think the fortunate part of this accident is that the attacker failed to deploy the malware in his/her first attempt; v2.0.3 only contained half of the changeset that the exploit needs to work (which accidentally broke tons of CI builds), so some developers could notice that something was wrong a bit early.

1 comment

Ahhh nice, it's been years since I've seen an obfuscated .bat!

Very nice use of substring, but a bit too linear... With some input redirects and nested spaced variables it would have become more robust and unpredictable, but I suppose nowadays batch chiselers are rare.

Edit: by the way, the article is missing a (useless) decoded line (no. 4).