I'd browse to the site on my analysis machine with ZAP running, and each link (of which there were a good dozen different domains serving this content,) would redirect to two different links containing the same jquery-versionnumber.js file.
These .js files contained gobbly-gook similar to that below.
What... Just... what? I've seen obfuscation before, but that just looks ridiculous.
Fortunately, it's apparently not all that horribly uncommon, as we had a running discussion about this particular campaign, and an associate pointed me to an online unpacker at dollar.zikin.cz.
UNfortunately, the deobfuscated code produced something almost equally confusing. What I got was this:
document.write("Alice arms altogether carried gruntwith star could made right open Dontheld legs snorting made surebaby with difficulty thought when soon theyre sure last replykept doubling minute proper into behindAlice just minute left away surecaught held engine kept doubling straightenin foot open wouldnt gruntdirections that proper take kill grunted Dont gruntfish again right dont said lastdirections altogether hold made nursing sort knot child sure sneezingsome thing steam that first could sort behind Dontwhen doubling soon twist knot open words grunted");
Uhh... yeah... sure. Someone else in the discussion suggested that the miscreants were probably selectively serving up their malware. So, I decided to try another wget at one of the jquery serving URLs, spoofing my user agent as IE6. I mean... who DOESN'T want to infect IE6? It's almost like one of those penetration testing practice platforms people design, only, not by design.
A slightly irrelevant, but interesting note about the text above. Someone noted that the paragraph above, as well as one another person decoded, seemed to be very vaguely similar to some paragraphs out of Alice in Wonderland. Almost like a foreign copy of the book was run BACK through google translate or something. Weird.
Anyways, the spoofed wget served up another jquery file with the jjencoded gobbly-gook, but this time when decoded showed a much more "normal" looking bit of javascript.
Unfortunately for me, that ^N was for some reason counted as a weird bit of binary, or at the very least NOT a normal ASCII character, so when I tried to run it through decoders, they didn't detect it as valid javascript. I didn't get to the point where I was going to guess what went there (probably script?) however, because someone else pulled a similar sample that wasn't glitched out.
All it turned out to be was yet another redirect to a malware download. I didn't have my bomb shelter set up at the time, so I didn't get to see what going through the full redirect would have downloaded or how. There will be other chances for that I'm sure. I have it on good authority that it was Dyre, and given its selective-serving nature, I wouldn't be surprised if it was using a browser exploit that wouldn't require any user interaction beyond clicking the initial link.
Later, someone pointed us to this wonderful little article about this Dyre campaign and jjencode (which, if you take it one step at a time, and know your javascript, isn't actually quite as bad as it looks. Would still suck to do a manual decode though) The article can be found here:
https://blog.korelogic.com/blog/2015/01/12/javascript_deobfuscation
No comments:
Post a Comment