Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Cryptominer Delivered Though Compromized JavaScript File

Published: 2018-07-13
Last Updated: 2018-07-13 06:20:13 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Yesterday I found an interesting compromised JavaScript file that contains extra code to perform crypto mining activities. It started with a customer's IDS alerts on the following URL:


This website is not referenced as malicious and the domain looks clean. When you point your browser to the site, it loads the JavaScript file. So, I performed some investigations on this URL. jquery.prettyphoto.js is a file from the package pretty photo[1] but the one hosted on safeyourhealth[.]ru was modified.

The original one starts like this:

(function($) { 
    $.prettyPhoto = {version: '3.1.4'};

    $.fn.prettyPhoto = function(pp_settings) { 
        pp_settings = jQuery.extend({ 

The malicious one started like this:

new Function(atob(“dmFyIF8weDQ5ZTY9WydjYW5jZWxlZ...Y5ZignMHgyNycpXSgpOw=="))()

The file was submitted to VT and received a score of 1/59[2]. atob() is the JavaScript function used to decode Base64. Let’s extract the payload and decode it:

$ curl —socks5 ten:9050 hxxp://safeyourhealth[.]ru/wp-content/themes/wp-trustme/js/jquery.prettyphoto.js | \
  grep atob | \
  awk -F ‘“‘ ‘{ print $2 }’ | \
  base64 -d >jquery.prettyphoto.js.decoded
$ cat jquery.prettyphoto.js.decoded
var _0x49e6=['canceled','error','opt_in_canceled','_connect','lastPingReceived','getItem','parse','ident','_updateTabs','waitReconnect','dontKillTabUpdate','setItem','stringify','stats','_hashString','charCodeAt','WEBSOCKET_SHARDS','_onMessage','onerror','_onError','onclose','onopen','_onOpen','anonymous','user','toString','type','token','goal','ref','opt_in','_send','_onClose','code','job','enabled','_adjustThreads','hash_accepted','hashes','accepted','authed','Bee\x20Error:','invalid_site_key','invalid_opt_in','reset','banned','_onTargetMet','job_id','submit','nonce','result','_onVerified','send','some_code','ifExclusiveTab','FORCE_EXCLUSIVE_TAB','forceExclusiveTab','forceMultiTab','User','Anonymous','Res','URL','webkitURL','mozURL','createObjectURL','worker','onReady','currentJob','verifyJob','verifyCallback','_isReady','lastMessageTimestamp','ready','Expecting\x20first\x20message\x20to\x20be\x20\x22ready\x22,\x20got\x

The script is obfuscated with a very big array (_0x49e6) which contains pieces of strings and code.
You can easily spot the behaviour of the script with the following snippet of code:

var _0x348ae9 = navigator['hardwareConcurrency'] || 4;

The navigator.hardwareConcurrency is a read-only property which returns the number of logical processors available to run threads on the computer. Always interesting for a cryptominer to know how many threads can be started.

If the code was obfuscated, strings were not. More interesting strings are easy to find:

self[_0x169f('0x98')][_0x169f('0x4b')] = {
    'LIB_URL': _0x169f('0xb2'),
    'ASMJS_NAME': _0x169f('0xb3'),
    'REQUIRES_AUTH': ![],
    'WEBSOCKET_SHARDS': [['wss://']],
    'CAPTCHA_URL': '',
    'MINER_URL': _0x169f('0xb4'),
    'AUTH_URL': ''

I wrote a VTI hunting rule to search for scripts containing the string "navigator['hardwareConcurrency']" and I got some hits last night. All of them where submitted for the first time yesterday and got a score of 6/59:


All of them use the same IP address:

I also searched for similar compromized jquery.prettyphoto.js files. This code is used on many websites but I did not find other malicious occurrences. Please share if you find some.


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

0 comment(s)
Diary Archives