undefined | Better HN

0 pointsjwpapi4mo ago0 comments

Why do the attackers publicly share the keys they found? Like what’s their mission?

0 comments

My guess would be so they don't have to embed an IP address or hostname in the malware to send secrets to, which could then be blocked or taken down.

jwpapiOP4mo ago

But they could encrypt it, its just double b64 encoded, everybody can read it.

twistedpair4mo ago

That one stumped me. Why not just encrypt with a hardcoded public key, then only the attacker can get the creds.

The simple B64 encoding didn't hide these creds from anyone, so every vendor out there's security team can collect them (e.g. thinking big clouds, GitHub, etc) and disable them.

If you did a simple encryption pass, no one but you would know what was stolen, or could abuse/sell it. My best guess is that calling node encryption libs might trigger code scanners, or EDRs, or maybe they just didn't care.

1 more reply

j / k navigate · click thread line to collapse