I received this email: from sender: admin@autosquare.store
Figma design link: https://www.figma.com/design/3p7jJDw9itkYYCTi0IqAJh/AutoSquare.Store?node-id=452-7274&t=R1qT9n8hKbqg98sN-1
(looks very legit)
I replied that I am interested and asked for a job description. He replied back with:
Red Flag ! Usually companies keep their source private and a candidate gets access to it only when after video meetings and an agreement for the work required.
Some companies also require an NDA to be signed before giving access to it's source code.
The bitbucket link is: https://autosquare-admin@bitbucket.org/autosquareshop/autopart.git
A binary file caught my eye called "car.dll". Red Flag ! Never trust files that end in .exe .dll .bat .ps1 !
The virusreport scan for this binary file is: https://www.virustotal.com/gui/file/1fd921159de8ccf3c33c7ad3d52a4186c2695b858435e8e327c4d95a8d1b048a/detection
and shows 4 detections as malware, along with external network calls to this endpoints:
GET http://www.royalsevres.com/javascript/activex_patch.hwp 200
POST http://103.35.190.170/Proxy.php 200
POST https://45.8.146.93:443/proxy/Proxy.php 200
I outlined the tailwind.config.js file because I found there 2 more red flags:
- obfuscated code. No real project needs obfuscated code in this config file.
- plain code that starts the car.dll malware
I just want to raise awareness of this new type of scam.
Top comments (0)