This summer, MalwareBytes researcher Jérôme Segura wrote an article about how criminals use image files (.ico) to hide JavaScript credit card stealers on compromised e-commerce sites.

In a tweet, Affable Kraut also reported another similar obfuscation technique using .ico files to conceal JavaScript skimmers:

> Just something I’ve noticed more recently with digital skimmers/#magecart. Obfuscated code that has a weird google-analytics.com URL in it, which is the proper Google controlled domain. But there’s some extra characters, which are strange, so let’s see what’s actually going on /fk0dCh1dET

From the sample in his tweet, the “ ” URL is clearly visible within the malicious script. However, this script was only used as a dictionary of characters to build a URL for the real payload (priangancom/wp-content/languages/blogid/favicon.ico and lebssite/favicon.ico in other variations).

## Steganography in CSS

Both of these cases conceal malware within real, benign files, a technique referred to as steganography.

During a recent investigation this October, we came across another interesting variant leveraging the same technique. Instead of using .ico files and extracting JavaScript from the EXIF data, however, the malware was found nestled within a .css file.

The script, which was almost identical to the one found in Affable Kraut’s tweet, had been injected at the bottom of the .js files wp-includes/js/, wp-includes/js/jquery/jquery.js, and at the top of index.php as seen below.

This time, the //static.xx. com /plrhg URL was easily seen in plain text. The string visually resembles a real URL used by Facebook: //static.xx. However, in reality the static.xx. com (with extra. Its presence serves as a red herring: its real purpose is to provide a character dictionary to build the real malicious URL, which this script tries to load via XMLHttpRequest: “//polobearshop/fonts.css”.

A .css is just a text file, so how can someone conceal malicious code in it? This part of the injected script explains it:

*CSS to JavaScript algorithm*

The algorithm takes the part after the last “}” in the requested .css, splits it into pieces separated by spaces, and then uses those pieces to construct the binary representation of character codes, converting them to real characters using the fromCharCode function. This method essentially constructs the JavaScript function character by character, which is then executed once the whole file is processed.

To further illustrate this example, let’s review the fonts.css file containing the malicious payload:

*Contents of polobearshop/fonts.css*

At first glance, there really doesn’t appear to be anything suspicious here. There are, however, many empty lines at the bottom of the file: 56,964 empty lines! And the size of this small fonts.css file is about 150 Kilobytes!

Empty lines are normally ignored by browsers and CSS parsers. While strange, this is still absolutely benign in normal circumstances. However, we know that this malware uses the file not as CSS but as a source of JavaScript code, and its binary representation is concealed by sequences of tab and non-tab characters.

If we select the empty lines after the last “}” character in a text editor, another story is revealed:

*Selecting invisible contents in text editor*

Looks like Morse code with sequences of dots and dashes, doesn’t it? When reviewed in hex, it appears like this:

*Hex view of fonts.css*

Here you can explicitly see that the lines are not that empty. They consist of sequences of tabs (09), spaces (20) and line feeds (0A). In these sequences, spaces work as delimiters between individual bytes (characters). Tabs and line feeds form binary representations of characters, where tab is 1 and line feed is 0.

For example, the first encoded character after the last “}” is 09-09-09-0A-09-09, which can be converted to the binary “111011”. This is equal to decimal 59, which is the character code for “;” (semicolon).

## Converting Empty Lines to JavaScript Code