Hello Guys!
For people who are not aware, nowadays not even the source of a program is safe. People are able to run PowerShell scripts with it.
How do they do that?
When you open the .csprj (we are using C# as an example, but can be used in VB also), you will see some bunch of code.
When you go to the part where it says "<Target Name=" , there people can add PowerShell scripts that will make an EXE download, and execute, making your computer a slave of a RAT/Botnet.
Example of backdoor script:
This is how the backdoor works:
So when opening a Source, always use GitHub, or atleast check if there is any script in it.
Another example is the following.
I downloaded a source, and when i opened the CSPRJ on a notepad, i noticed this code:
Which looks pretty normal. But when you decode it, you get something like this:
(Too lazy to fix the format)
So as you can see that script downloads a string from this page pastebin. com/raw/aidZ0nxX, means it downloads the following thext:
aHR0cDovL2dvdWFzYnFhaDEuZ290ZG5zLmNoL0JhY2tkb29yL0Rvd25sb2FkL1ByaW50ZXJXaXp6YXJkLmV4ZQ==
and decodes it back from Base64, which turns to this:
*Direct Download of an .EXE with backdoor*
(Ofcourse im not going to put the link of the exe, but you can decode the string if you want to check)
So basically, the code downloads an .exe from the site, it stores it in %appdata% , and then it executes it.
Hope you guys can take a bit of consideration before opening a Source from someone you don't know.
