At the end of S02E01 of Mr Robot, there is a scene where Darlene generates ransomware with a modified SET toolkit. My fingers were itching for the IP address 192.251.68.254, which seems to be the C2 address for this malware. Not surprisingly, WHOIS resolved to NBC-UNIVERSAL. Let's see how deep this rabbit hole is.
The last page, http://i239.bxjyb2jvda.net, displays the message “YOUR PERSONAL FILES ARE ENCRYPTED”. You may wait for 24 hours or just check the JavaScript controlling the countdown timer, where you will find a Base64-encoded string.
PGRpdiBjbGFzcz0ib3ZlciI+PGRpdj4iSSBzaW5jZXJlbHkgYmVsaWV2ZSB0aGF0IGJhbmtpbmcgZXN0YWJsaXNobWVudHMgYXJlIG1vcmUgZGFuZ2Vyb3VzIHRoYW4gc3RhbmRpbmcgYXJtaWVzLCBhbmQgdGhhdCB0aGUgcHJpbmNpcGxlIG9mIHNwZW5kaW5nIG1vbmV5IHRvIGJlIHBhaWQgYnkgcG9zdGVyaXR5LCB1bmRlciB0aGUgbmFtZSBvZiBmdW5kaW5nLCBpcyBidXQgc3dpbmRsaW5nIGZ1dHVyaXR5IG9uIGEgbGFyZ2Ugc2NhbGUuIjwvZGl2PjxkaXYgY2xhc3M9ImF1dGhvciI+LSBUaG9tYXMgSmVmZmVyc29uPC9zcGFuPjwvZGl2PjwvZGl2Pg==
This decodes to:
I sincerely believe that banking establishments are more dangerous than standing armies, and that the principle of spending money to be paid by posterity, under the name of funding, is but swindling futurity on a large scale.
– Thomas Jefferson
Edit:
By inspecting the SSL certificate for this webserver, I discovered plenty of other Mr Robot-related domains in the Subject Alternative Names field.
DNS Name=www.racksure.com
DNS Name=racksure.com
DNS Name=*.serverfarm.evil-corp-usa.com
DNS Name=www.e-corp-usa.com
DNS Name=iammrrobot.com
DNS Name=www.conficturaindustries.com
DNS Name=www.iammrrobot.com
DNS Name=*.seeso.com
DNS Name=*.evil-corp-usa.com
DNS Name=e-corp-usa.com
DNS Name=*.bxjyb2jvda.net
DNS Name=whoismrrobot.com
DNS Name=seeso.com
DNS Name=fsoc.sh
DNS Name=www.fsoc.sh
DNS Name=conficturaindustries.com
DNS Name=whereismrrobot.com
DNS Name=www.whoismrrobot.com
DNS Name=www.whereismrrobot.com
DNS Name=evil-corp-usa.com
DNS Name=www.seeso.com
At the beginning of S02E01 you will notice that Elliot logs in to bkuw300ps345672-cs30.serverfarm.evil-corp-usa.com over SSH.
As for the puzzle at https://fsoc.sh:
If you look at this page, you may notice that the cursor is blinking at random intervals.
It’s not really hard to see that this is Morse code, but I’m terrible at solving these things manually. So I’d rather do it the techie way.
https://www.fsoc.sh/assets/main.js
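One way to turn blink intervals into text, as an added example that is not the code from main.js or from the original post. The `[visible, milliseconds]` timeline format, the standard 1/3/7-unit Morse timing and the function names are assumptions; the sample timeline is constructed here from the phrase reported on this page, with jitter added to mimic uneven intervals.

```javascript
// Standard International Morse table (letters only, enough for this puzzle).
const MORSE = {
  ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
  "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
  "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
  "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
  "-.--": "Y", "--..": "Z",
};

// Decode a timeline of [visible, milliseconds] cursor states (assumed format).
// Assumes standard Morse timing: dot = 1 unit, dash = 3, gaps of 1 / 3 / 7 units.
function decodeBlinks(timeline) {
  const onTimes = timeline.filter(([on]) => on).map(([, ms]) => ms);
  const unit = Math.min(...onTimes);           // shortest flash approximates one dot
  let symbol = "", text = "";
  const flush = () => { if (symbol) text += MORSE[symbol] ?? "?"; symbol = ""; };
  for (const [on, ms] of timeline) {
    const units = ms / unit;
    if (on) symbol += units < 2 ? "." : "-";   // 1 unit vs 3 units
    else if (units >= 5) { flush(); text += " "; } // word gap (7 units)
    else if (units >= 2) flush();              // letter gap (3 units)
    // anything shorter is the gap between the dots/dashes of one letter
  }
  flush();
  return text.trim();
}

// Constructed sample: build a blink timeline for a phrase, with timing jitter,
// standing in for the intervals one would read out of the page's script.
function encodeBlinks(phrase, unit = 120, jitter = 0.15) {
  const code = Object.fromEntries(Object.entries(MORSE).map(([k, v]) => [v, k]));
  const wobble = (n, i) => Math.round(n * unit * (1 + jitter * Math.sin(i * 7.3)));
  const out = [];
  phrase.split(" ").forEach((word, w) => {
    if (w) out.push([false, wobble(7, out.length)]);
    [...word].forEach((ch, c) => {
      if (c) out.push([false, wobble(3, out.length)]);
      [...code[ch]].forEach((s, i) => {
        if (i) out.push([false, wobble(1, out.length)]);
        out.push([true, wobble(s === "." ? 1 : 3, out.length)]);
      });
    });
  });
  return out;
}

console.log(decodeBlinks(encodeBlinks("LEAVE ME HERE")));
```

The unit estimate relies on the message containing at least one dot; a timeline made only of dashes would need the unit supplied by hand.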
What have you found in the season 2 premiere so far?
all praise https://0x41.no for their craftiness
MORSE CODE IS “LEAVE ME HERE”
You forgot to credit the original author: https://0x41.no/mr-robot-s02e01-easter-egg/
You’re right. Updated.
So what's up with the eye and 4c4f4f4b205550?
If you did the Morse code without solving the eyeball puzzle, you obviously cheated/Googled it. Go back again and watch the eye movement. What does it spell?
I watched and I’m not sure. Do you know Gary?
They will probably go into CEO scams or BEC in the future episodes.
Did you want to elaborate on that CyPish?