# Unmasking Infostealer: Don't Believe What You See...

### Introduction

Imagine stumbling across a seemingly harmless script while hunting for tools online, only to uncover a sophisticated malware designed to steal passwords, session tokens, and cookies. That’s exactly what happened to me, and it sent me down a rabbit hole of investigation. In this blog post, I’ll take you on that journey.

### The Start of the Journey

It all began when I was searching GitHub for a HTTP flooding DoS script for penetration testing. Like everyone else, I was looking for existing code because, well, why reinvent the wheel, right? That’s when I stumbled upon a GitHub repository ([Azepofff/Adv-DDOS](https://github.com/Azepofff/Adv-DDOS/blob/main/main.py)) on the first page of my search results.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1734352885945/a56e7070-ea2b-44b1-94ef-b12128744284.png align="center")

At first glance, the source code looked normal. But do you notice anything suspicious? Probably not, unless you scroll all the way to the right or click the "Raw" button on GitHub—which is how I noticed the malicious code.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1734352980247/da2ba4eb-ba3f-4bfe-8096-6921639a0b86.png align="center")

Hidden at the end of the script, after a semicolon, was a line of code that installs the `fernet` module, decrypts an encrypted string, and executes it. This immediately raised a red flag, and I knew I had to dig deeper.

### Digging Deeper

I decrypted the encrypted string locally (without executing it) and discovered a URL pointing to a suspicious domain: `1312services[.]ru`. Naturally, my next step was to investigate this domain.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1734317645872/8243d256-4c77-479e-9577-9bf9f5faaaef.png align="center")

I tried accessing it via a browser, but Cloudflare blocked my request.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1734318791196/8cf4f461-8489-4cb2-a005-201ffabb3dc7.png align="center")

I attempted to use `curl`, but the request was still blocked.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1734318934091/c292c3ba-ec18-44a4-83b6-014e24823e18.png align="center")

Surprisingly, I managed to access the content using the Python `requests` module.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1734319125733/5158ee73-5eb2-4c75-9fc1-c2bd95ecf482.png align="center")

This revealed that Cloudflare was likely configured to block all requests except those with the default User-Agent header of the `requests` module. For reference, here’s the default User-Agent of the `requests` module (version 2.32.3): `python-requests/2.32.3`

> For an added tip, you can send HTTP GET request to [http://httpbin.org/headers](http://httpbin.org/headers) to see the headers of your request without intercepting it.
> 
> ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1734354000699/2c745723-35f9-425b-8654-42ac123e71d8.png align="left")

### Uncovering the Payload

The response contained Python code that created a file named `gruppe.py` under the `C:\Users\<Username>\AppData\Roaming` directory, clearly targeting Windows users. The script wrote a string stored in a `content` variable to this file and then executed it.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1734320546150/32ccfc4c-ff18-45c9-8be3-4f31f693a45e.png align="center")

To further analyze this, I copied the string into another file. This revealed another Python script, which also decrypted an encrypted string and executed it. Upon decrypting this text, I uncovered 620 lines of Python code, which is the main payload script.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1734320656540/089519da-9a75-4d46-8b70-eb996464a888.png align="center")

> I’ve shared the payload code in this gist: [https://gist.github.com/kcnaiamh/ad72bf34957eaf3c144f8a0899233128](https://gist.github.com/kcnaiamh/ad72bf34957eaf3c144f8a0899233128)

### Analyzing the Payload

Given the script’s size, I used ChatGPT to get a quick understanding of its functionality. Here’s what I found:

#### What the Script Does

This malware is designed to steal sensitive data from the victim’s system. It:

* **Targets Chromium-Based Browsers**:
    
    * Steals passwords, cookies, and tokens by decrypting browser-stored credentials.
        
    * Extracts data from popular browsers like Chrome, Edge, Brave, and Opera.
        
* **Targets Cryptocurrency Wallets**:
    
    * Accesses wallets such as MetaMask, Exodus, and Atomic Wallet.
        
    * Extracts data from browser extensions linked to these wallets.
        
* **Targets Messaging Apps**:
    
    * Extracts authentication tokens and session cookies from Discord and Telegram.
        
* **Searches for Sensitive Files**:
    
    * Scans common directories (e.g., Desktop, Documents) for files containing keywords like "password," "wallet," or "crypto."
        
* **Persistence Mechanism**:
    
    * Saves itself in the Windows Startup folder to ensure it runs on system reboot.
        

### Overall Observation

Remember the domain name? I did a WHOIS lookup to gather more information.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1734447605966/e5fc9fae-0e05-41c6-8a72-b919c0fcfd85.png align="center")

While I didn’t dive too deeply, I suspect the GitHub user “[Azepofff](https://github.com/Azepofff/)” may be linked to Russia. Every repository from this account is designed for deploying the infostealer malware. Groups like these typically steal credentials to further spread malware, infect systems with ransomware if they gain access to critical infrastructure, or sell initial access on hacker forums. They also pilfer cryptocurrency whenever possible.

This is their business model—and unfortunately, it seems to be a profitable one.

> If you have the time, please consider reporting this GitHub user.

### Final Thoughts

When using code from unknown sources, simply reading it isn’t enough. You need to dig deeper and examine hidden sections to ensure attackers haven’t sneakily inserted malicious code.
