Fascinating. The author uncovers a huge web of fake accounts across GitHub and SourceForge which are used to push backdoored versions of legitimate software installers. A good reminder to be cautious when downloading “unofficial builds” and to always check checksums for official ones.
There’s also a really unexpected connection with sneaker-buying bots, which was a surprise to me. I did not know the lengths to which sneakerheads would go to procure new shoes. I wonder if these backdoor bots are used just to give someone an extra leg up on online auctions and sales of sneakers...that’s some real twisted dedication right there.
The after market for "exclusive" sneakers is at a crazy peak right now. You can buy a $250 shoe and flip it for $500-$1000 nearly instantly. So it's not just old school sneakerheads looking for cool shoes - it's big business.
There are whole sub-industries within this bubble, too. People selling sneakerbot code, people selling purchase alert services, people selling access to private Discord groups that alert you to upcoming sales, etc. It's huge.
My co-worker and I (he was into sneakers, I was into money) used to have a nice little business arbitraging sneakers. Pretty easy to make 100%-500% returns with a little code and some eBay dedication.
Yeah, the whole hypebeast streetwear black market is huge, especially for shoes and Supreme/big drops.
The most interesting part is looking at StockX with the charts they have on items. I have shoes/silhouettes that I bought on sale/new through retail that have since sold out, and seeing a 2x return on investment isn't uncommon.
So what does this mean for the people who have created bots for sneaker sites? I actually used to write code for those sneaker bots and run a slack group (before we all moved to discord), but I've never encountered oddities in the code builds for bots I used. This may be going over my head a bit but does this mean that the builders for the bot installs could contain malicious code?
Like the other comment below, we made the jump because it was where the customer base was. Slack was great for webhooks and tooling to monitor stock but in the end it wasn’t where the paying people were.
I know I'm late to the party and this is probably the stupidest question in the world, but one never knows unless one asks, yeah? How did he/she know the binaries were packed with UPX?
There are various analysis tools that can identify common packers, and I think you can at least guess UPX by looking at the file contents and seeing the string "UPX" a few times, which it uses as markers for something.
If you want to find malware with no AV signatures, look at no-name warez of medium-popular and niche professional software, and honey-net via unpatched Windows computers on exo-DMZ unfiltered IP addresses. I saw this one sample behavioral analysis of a trojaned well-known firewall product for Mac that tries to download Google Chrome in order to clickbot... no AV signature for it. With the right APT defenses, such as a root priv esc, SIP bypass and process & file cloaking, it would be entirely possible to keep nodes pwned much longer, at the cost of 2-3 sploits... and better use such a farm for a big money-maker.