Over the last 3 months or so I have been receiving emails or Linkedin messages that generally talks about needing help with a software project. Initial emails simply shared a link to a bitbucket code base and requested to help with it. The profiles involved were all new Harvard educated individuals and easy to identity as scam.

The recent ones are bit more creative and are from Linkedin profiles which are much more believable with recommendations and long history.

Unlike the initial contacts who shared various code bases in Python or NodeJS in the first day itself, latest messages follows a multi day initiative.

On the third day, I got the code base and this time they also have a functional specification !

What’s in the code ?

The code provided seems to be slightly changed boilerplate code (LLMed ?) in React or Javascript with instructions to run locally. Somewhere in the code base there is an encoded function which is either loaded from an external URL or in one of the source files like the first screen shot in the image.

Encoded malicious code being fetched from an external URL
Typescript codebase with encoded malicious code

I took pains to use a secure environment to run the first of the lot which was attempting to access a blockchain wallet. The latest ones looks to be different and attempting to download external code. (Needs further verification.)

In any case, if you happen to get emails/messages requesting help with some code base and access to code, be careful and ignore if you are not sure about what its all about. Do not run the code on your computers!

This is a peculiar post about a nice little DNS service I came across few days ago. While reviewing a pull request I came across an address along the lines https://192.168.1.56.nip.io & I couldn’t find an immediate clarification and searching I could find the Github repo of the project but I couldn’t understand how it worked.

Later our DevOps engineer had to explain to in detail on what this is and how it works !

The nice little utility service has per-created wild card DNS entries for the entire private IP address range. Queries like NOTEXISTING.192.168.2.98.nip.io will get resolved to 192.168.2.168

bkb@bkb-dev-server1:~/src/discovery$ dig NOTEXISTING.192.168.2.98.nip.io

; <<>> DiG 9.16.1-Ubuntu <<>> NOTEXISTING.192.168.2.98.nip.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12130
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;NOTEXISTING.192.168.2.98.nip.io. IN    A

;; ANSWER SECTION:
NOTEXISTING.192.168.2.98.nip.io. 86400 IN A     192.168.2.98

;; Query time: 583 msec
;; SERVER: 208.66.16.191#53(208.66.16.191)
;; WHEN: Mon Nov 27 03:50:17 AST 2023
;; MSG SIZE  rcvd: 76

This is a very useful trick if we don’t want to edit /etc/hosts or equivalent for tools or software running locally or for scenarios where a DNS record is required.

Learn more https://nip.io