Monday, October 27, 2025

Glassworm - What is it actually doing?

 

So following on from https://www.koi.ai/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace, I managed to find the "offending" code and I'm currently working out what's going on.

So the invisible characters are all Unicode variation selector characters (https://en.wikipedia.org/wiki/Variation_Selectors_(Unicode_block)), which are usually invisible, but punt the source code into a hex editor and we can see:


And the offending source code looks like:


The hidden code is in line 3, and it loads an infected index_$platform.node file to do the decoding. With a little poking I got it to simply dump the decoded data instead of executing it, and that now looks like this:


With the smallest of cryptography we see that it is a simple substitution cipher where each Unicode character represents one of the base64 characters, e.g. 'F3A08594' equals 'd' and so on and so forth (I've not dug into the actual algorithm yet, but spotted this pattern easily enough).

So it's not really hidden code, just a sneaky way of encoding data in a hidden way that you have to piss about with to decode and then execute!

Once we base64 decode the above, we can see the real source code.

Visit any websites with care, especially given that this is malware after all.
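The substitution described above can be checked statically, without loading the .node file. This scanner is an added example, not code from the original post or from the malware: it assumes the mapping VS1-VS16 to bytes 0-15 and VS17-VS256 to bytes 16-255, which agrees with the post's one data point (F3A08594 is the UTF-8 encoding of U+E0154, giving byte 100, 'd'). The function names and the sample input are constructed.

```javascript
// Assumed mapping (not confirmed by the post): VS1-VS16 (U+FE00..U+FE0F) carry
// bytes 0-15 and VS17-VS256 (U+E0100..U+E01EF) carry bytes 16-255.
function vsToByte(cp) {
  if (cp >= 0xfe00 && cp <= 0xfe0f) return cp - 0xfe00;
  if (cp >= 0xe0100 && cp <= 0xe01ef) return cp - 0xe0100 + 16;
  return -1; // not a variation selector
}

// Report every run of at least minRun consecutive variation selectors,
// with the 1-based line it starts on and the bytes it carries.
function findHiddenRuns(source, minRun = 4) {
  const runs = [];
  let line = 1;
  let current = null;
  const flush = () => {
    if (current && current.bytes.length >= minRun) runs.push(current);
    current = null;
  };
  for (const ch of source) { // iterates by code point, not UTF-16 unit
    const b = vsToByte(ch.codePointAt(0));
    if (b >= 0) {
      if (!current) current = { line, bytes: [] };
      current.bytes.push(b);
    } else {
      flush();
      if (ch === "\n") line += 1;
    }
  }
  flush();
  return runs;
}

// Turn a run into text for review; if it is plausible base64, decode that layer too.
function describeRun(run) {
  const text = Buffer.from(run.bytes).toString("latin1");
  const isB64 = /^[A-Za-z0-9+/]+={0,2}$/.test(text) && text.length % 4 === 0;
  const decoded = isB64 ? Buffer.from(text, "base64").toString("latin1") : null;
  return { line: run.line, length: run.bytes.length, text, decoded };
}

// Constructed sample: line 3 hides the base64 string "dGVzdA==" (the word "test").
const SAMPLE = [
  "const a = 1;",
  "const b = 2;",
  "const s = '\u{E0154}\u{E0137}\u{E0146}\u{E016A}\u{E0154}\u{E0131}\u{E012D}\u{E012D}';",
  "const heart = '\u2764\uFE0F'; // one legitimate selector, below minRun",
].join("\n");

console.log(findHiddenRuns(SAMPLE).map(describeRun));
```

The minRun threshold keeps single selectors that follow emoji or CJK characters from being flagged; a long run inside a string literal is the pattern worth alerting on.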



Wednesday, October 22, 2025

Glassworm - Invisible Source Code in the Wild

So I recently discovered this blog post (koi.ai) which discusses new malware with source code containing invisible characters.


Rather annoyingly (for me), the blog post glosses over what I consider the interesting part:


What are the invisible characters???? Dagnammit, now I have to go and investigate.
