
txrx-byte/peckertech-malware-reversal


Pecker tech malware reversal project done on volunteer basis for 4chan.org

Threat Analysis & Reverse Engineering Report: -ecker Malicious Client Overlay

Executive Summary

This document outlines the reverse engineering methodology and technical analysis of a highly sophisticated, malicious client-side script designed to attack and manipulate 4chan and associated imageboard archives. The script acts as a weaponized client overlay—internally branded as -ecker and hosted at p.ecker.tech—providing bad actors with capabilities for network evasion (IP cycling, CORS bypass), automated abuse (mass reply/spam, LLM-driven auto-posting), cryptographic botnet coordination ("Trashwatch"), CAPTCHA circumvention, and steganographic payload delivery.

This report is intended for Law Enforcement Organizations (LEO), infrastructure providers (e.g., Cloudflare, Render), and the broader security community to facilitate takedowns, improve detection, and mitigate abuse.


Reverse Engineering Methodology

The initial payload was delivered as a single, heavily obfuscated JavaScript file (sample.js) alongside a corresponding HTML overlay (htmlsample.html). Standard deobfuscation tools (like webcrack) were incompatible with the environment, necessitating a custom Abstract Syntax Tree (AST) manipulation approach.

1. Deobfuscation Strategy

The obfuscation relied heavily on a string array shifting technique (typical of javascript-obfuscator), accompanied by recursive function aliasing to hide the primary string decoder (_0x5cb2).

A multi-pass AST transformation was performed using @babel/core, @babel/parser, @babel/traverse, and @babel/generator:

  • Context Bootstrapping: The internal string array (_0x3f4b) and its IIFE shifting logic were isolated and executed in a safe Node.js context to dynamically reconstruct the underlying decoder function.
  • Alias Resolution: A robust recursive function was built to walk the AST, trace variable declarators, and map all localized aliases back to the master decoder.
  • Literal Substitution: Every CallExpression matching the decoder or its aliases was evaluated, replacing the obfuscated numeric arguments with their plaintext StringLiteral equivalents.
  • Syntax Cleanup: Bracket notation for object properties (object["property"]) was normalized back to dot notation (object.property) wherever the key is a valid identifier, and the source was passed through js-beautify for structural readability.
  • Logic Annotation: Key malicious functions were identified and documented with inline JSDoc comments to clarify intent for incident responders.

Technical Analysis & Core Capabilities

The deobfuscated codebase reveals a modular, feature-rich malicious toolkit that completely bypasses the native 4chan UI in favor of a heavily customized, DOM-injecting overlay.

1. Command & Control (Trashwatch / Shadowbanning)

The script implements a centralized coordination system via WebSockets to synchronize targets and payloads across all users running the script.

  • initTrashWatch(): Initializes a persistent WebSocket connection to a C2 server (wss://bara-bara-bara.onrender.com).
  • Cryptographic Verification: Uses embedded ECDSA (P-256) keys and crypto.subtle.verify to validate that commands arriving from the C2 server are authentic and authored by the malware creator.
  • Dynamic Payload Injection: Capable of receiving and decrypting AES-CBC payloads that dynamically inject hidden Userscripts (e.g., "Auto-Filter") into the DOM to enforce global shadowbans or coordinated actions against specific users.

2. Network Evasion & IP Management

  • CORS Bypassing (ifetch): The ifetch function wraps native fetch requests, automatically routing cross-origin traffic through https://corsproxy.io/?url= to bypass browser security policies. It also includes explicit fetch calls to endpoints like https://noembed.com and /ai/goody2/v1/completion for external data gathering and LLM text generation.
  • WebSocket Proxying (curl): Upgrades standard HTTP REST requests into WebSocket frames (wsSendHttp), masking typical API abuse (posting, fetching threads) from standard network monitoring tools.
  • IP Cycling: Integrates with a backend infrastructure that allows users to select recycleIPList options per post (e.g., "All Unused", "All (No Samefag)"). This allows attackers to rotate through proxy IPs seamlessly, evading subnet and IP-level bans while simulating organic thread engagement.

3. Media Hash Evasion (Mogrify)

To bypass 4chan's MD5-based file bans, the tool includes advanced local image/video manipulation.

  • mogrify(t, e): Renders media to a hidden HTML5 Canvas and applies programmatic noise, minor rotational shifts, or padding, so that the output looks identical to a human viewer but carries a different MD5 hash on every upload.
  • WebGL Shaders (retroImage): Utilizes experimental-webgl to apply complex image alterations like chromatic aberration, scanlines, and barrel distortion.
  • Metadata Stripping: Explicitly strips EXIF and identifying chunk data from PNGs (stripPngMetadata) and JPEGs (stripJpegMetadata) before hashing and uploading.

4. Steganography & "PEE" Payloads

The script enables hosting illicit or hidden data on third-party services (e.g., Catbox.moe) and steganographically embedding pointers to that data within benign images on 4chan.

  • File Injection: Functions embed URLs or raw data into the binary structure of ordinary images to produce custom .pee files.
  • Client-Side Decoding (checkPeeInFile): Scans incoming thread images via fetch(), extracts the hidden data chunks, and dynamically renders the steganographic payload in the UI (e.g., playing a hidden audio/video file).
  • Payload Encryption: Fetches encrypted payloads from the file host and decrypts them locally using AES-CTR, hiding the true nature of the hosted files from the hosting provider.

5. Automated Abuse (Spam & Thread Derailment)

  • Mass Targeting (massReply / massQuote): Iterates through the DOM to construct massive quote blocks targeting every user in a thread, injecting random strings (randWord) to bypass spam heuristics.
  • Thread Bumping (bumpfag): Automates periodic posting to artificially inflate thread engagement and keep it at the top of the catalog.
  • LLM Integration: Interfaces with external language models (GPT, Claude-3, Goody2 via /ai/*/v1/chat/completions API calls) to synthesize fake conversational replies, driving artificial activity and derailing genuine discourse.

6. CAPTCHA Circumvention & UI Hijacking

  • UI Overlay (htmlsample.html): The script injects a massive custom UI (<div class="gadgets">), containing its own Quick Reply (<div class="qr">), Thread Watcher, and Configuration Panels (<div class="settings ecker-settings">).
  • DOM Interception: It prevents the native 4chan HTML from rendering and instead builds the thread manually from a pre-loaded <script id="json" type="application/json">${posts}</script> block.
  • CAPTCHA Hijacking (requestCaptchaSolution): Intercepts 4chan's slider and visual CAPTCHA challenges, generating custom, enlarged UI panels or utilizing backend predictions to auto-solve bounding-box visual tasks for provisioned users.

Indicators of Compromise (IoCs) & Infrastructure

  • Primary Distribution Domain: p.ecker.tech
  • C2 WebSocket Server: wss://bara-bara-bara.onrender.com (Hosted on Render)
  • Proxy Service: https://corsproxy.io/
  • File Hosting (Payloads): files.catbox.moe / fatbox
  • External AI/Embed Endpoints: https://noembed.com/embed, vocaroo.com, https://lens.google.com
  • Embedded ECDSA Public Key (X/Y coords):
    • x: 3ctBnq34okpLQKPAjFGuEVpepUZDo9OqpooqD-FIqus
    • y: 6wuYZtCyJ-JBfaY2mpG1g0VMGqG2_HLPBsgYjh97Nac

Report generated during active reverse engineering session.
