SiteCheck Signatures


malware.tor_ff_exploit

Description:
Detects malicious JavaScript code that targets Tor users running versions of Tor Browser and Firefox older than November 2016.

Hackers usually point injected scripts and iframes at intermediary Traffic Direction Services (servers, TDSes) instead of at the real sites that serve the malicious payload. This scheme adds flexibility to the attack. The additional layer can detect the OS, browser, referer, country, IP and other features of visitors and redirect each category to the corresponding landing page built for exactly that type of visitor. TDSes usually work as aggregators, buying traffic from hackers who compromise websites and selling it to various criminal groups that are interested in particular types of traffic.

The exploit code usually contains lines like these:

... f=this.findPopRet("EAX"),g=this.pe.resolve_imported_function("kernel32.dll","VirtualAlloc"); ...

or

...
var thecode
='ue8fcu0089u0000u8960u31e5u64d2u528bu8b30u0c52u528bu8b14u2872ub70fu264auff31uc031u3cacu7c61u2c02uc120u0dcfuc701uf0e2u5752u528bu8b10u3c42ud001u408bu8578u74c0u014au50d0u488bu8b18u2058ud301u3ce3u8b49u8b34ud601uff31uc031uc1acu0dcfuc701ue038uf475u7d03u3bf8u247due275u8b58u2458ud301u8b66u4b0cu588bu011cu8bd3u8b04ud001u4489u2424u5b5bu5961u515aue0ffu5f58u8b5aueb12u5d86u858du0297u0000u6850u774cu0726ud5ffuc085u840fu0185u0000u858du029eu0000u6850u774cu0726ud5ffuc085u840fu016fu0000u90bbu0001u2900u54dcu6853u8029u006bud5ffudc01uc085u850fu0155u0000u5050u5050u5040u5040uea68udf0fuffe0u31d5uf7dbu39d3u0fc3u3a84u0001u8900u68c3u2705ue21bu6866u5000uc931uc180u6602u8951u6ae2u5210u6853ua599u6174ud5ffuc085u0874u8dfeu0248u0000ud775u00b8u0001u2900u89c4u52e2u5250ub668ude49uff01u5fd5uc481u0100u0000uc085u850fu00f6u0000ue857u00fau0000u895eu8dcaua7bdu0002
ue800u00ecu0000u834fu20fau057cu20bau0000u8900u56d1ua4f3u0db9u0000u8d00u8ab5u0002uf300u89a4u44bdu0002u5e00u6856u28a9u8034ud5ffuc085u840f'
...
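The two fragments above are what a signature keys on: the helper names the exploit uses to locate a pop-ret gadget and resolve VirtualAlloc, and a string literal made of hundreds of 16-bit \uXXXX escapes that carries the shellcode. The following detection check is an added example written for this page; it is not Sucuri's SiteCheck code, and the indicator strings, the 32-escape threshold and the two sample scripts are assumptions and constructed inputs, not real captured pages.

```python
import re

# Indicator strings lifted from the sample shown on this page; assumed to be
# stable enough to key a signature on (a production scanner would use many more).
API_INDICATORS = (
    'findPopRet("EAX")',
    'resolve_imported_function("kernel32.dll","VirtualAlloc")',
)

# Shellcode embedded in JavaScript is usually one string literal made of hundreds
# of 16-bit \uXXXX escapes. The page's sample has lost its backslashes, so the
# backslash is optional here; 32 consecutive escapes does not occur in ordinary text.
SHELLCODE_RUN = re.compile(r"(?:\\?u[0-9a-fA-F]{4}){32,}")


def scan_js(source: str) -> dict:
    """Report which indicators of the malware.tor_ff_exploit pattern appear in source."""
    runs = SHELLCODE_RUN.findall(source)
    report = {
        "api_strings": [s for s in API_INDICATORS if s in source],
        "shellcode_runs": len(runs),
        # each escape is 'u' plus four hex digits once backslashes are dropped,
        # and encodes two bytes of payload
        "max_payload_bytes": max(
            (len(r.replace("\\", "")) // 5 * 2 for r in runs), default=0
        ),
    }
    report["match"] = bool(report["api_strings"]) or report["shellcode_runs"] > 0
    return report


# Constructed sample scripts (not taken from any real site).
BENIGN_JS = (
    'document.getElementById("nav").addEventListener("click", '
    "function () { toggle(); });"
)
SUSPICIOUS_JS = (
    'var f=this.findPopRet("EAX");'
    "var thecode='" + "\\u4141" * 40 + "';"  # filler escapes standing in for a payload
)

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_JS), ("suspicious", SUSPICIOUS_JS)):
        print(label, scan_js(src))
```

Flagging on either indicator alone keeps the check useful when an attacker renames the helper functions but still has to ship the payload as an escaped string; the payload-size field helps an analyst tell a short obfuscated constant from a multi-hundred-byte shellcode blob.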

Affecting: Any website (more likely to be found on .onion websites).

For more information, check:
Firefox Zero-Day Exploit to Unmask Tor Users Released Online
[tor-talk] Javascript exploit