Rating: 1.0
Discurd has filed a DMCA violation regarding a popular browser extension claiming to be conducting VIP giveaways on the company's product. The addon store has since taken down the extension to prevent any potential browser cryptomining malware from being distributed in the marketplace. Could you investigate what the 'Discurd Nitro Giveaway' addon does exactly?
There was one file attached, DiscurdNitru.crx
Unpacking .crx with the online tool (https://crxextractor.com/) gives us background.js (and icons + manifest, but let's focus on the code)
The code was obfuscated, but again, an online tool comes with help (https://deobfuscate.io/)
After the deobfuscation, we still need to sanitize the file to get rid of the q array.
My first try was to manually sanitize the strings from the array q with python just copy pasting q[462] + q[847] + q[39] + q[539]... word after word, but there were plenty of them, so automated it...
Some C# code (Sanitizer.csx)...
Running: dotnet script .\Sanitizer.csx
And we have sanitized strings from the array q
JavaScript looks awful, I don't understand what's going on here, but we can see there is a code looking like encryption.
Also, there we can finally see some meaningful strings:
_NOT_THE_SECRET_E242E64261D21969F65BEDF954900A995209099FB6C3C682C0D9C4B275B1C212BC188E0882B6BE72C749211241187FA8AES-CBCSo it looks like we have the encryption method AES-CBC, the encrypted message E242E642... and something that actually looks like the secret _NOT_THE_SECRET.
So another online tool comes with help (https://www.devglan.com/online-tools/aes-encryption-decryption):
E242E64261D21969F65BEDF954900A995209099FB6C3C682C0D9C4B275B1C212BC188E0882B6BE72C749211241187FA8 (Hex)CBC with key size 128 bits_NOT_THE_SECRET_Gives Base64: FxoNLwALJRwAJRc6DSojEV9DSFIwbWVfTTFOM1JfX30=
