MoeSec security researchers recently discovered a new strain of JavaScript malware that utilizes advanced encoding techniques to evade detection. This malware leverages a combination of charcode and base64 encoding to obfuscate its malicious payload, making it challenging for traditional security measures to identify and remove.
Encoding Techniques Used:
Charcode Encoding:
The malicious javascript code is broken down into individual character codes, which are then concatenated together to form the final script.For example, the code
alert('Hacked')
could be represented as:
[97,108,101,114,116,40,39,72,97,99,107,101,100,39,41]
- 2. Base64 Encoding:
- The encoded charcode data is then further obfuscated using base64 encoding, transforming the script into an unreadable string of characters. Continuing the previous example, the base64 encoded version would look something like
YWxlcnQoJ0hhY2tlZCcp
.
After quickly explaining how both base64 and CharCode encoding works, Here is an example of a recently discovered javascript malware using multiple techniques. Here is the original base64 encoded malware:
This is how it looks like after decoding the base64 code:
The “ht”+atob(“dHBzOi8v”) is decoded to https:// and the next charcode is decoded to css.cdntoswitchspirit and by adding that to the .com as shown in the above screenshot it will become css.cdntoswitchspirit[.]com and the last base64 part of atob(“L3NjcmlwdHMvY2xhc3MuanM= is decoded to /scripts/class.js
The final and full result should be css.cdntoswitchspirit[.]com/scripts/class.js
So, This injected malware is trying to load the remotely hosted malicious code from this malicious domain which will be executed upon visiting the website.
This domain is associated with a new malware campaign and it was recently registered in April 2024 as shown here:
[labs@MoeSec ~]$ whois cdntoswitchspirit[.]com
Updated Date: 2024-04-29T11:39:34Z
Creation Date: 2024-04-29T11:22:49Z
Registry Expiry Date: 2025-04-29T11:22:49Z
How the Malware Works:
- The encoded javascript is typically injected into legitimate website files, such as image headers, CSS, javascript files or injected into database.
- When a user visits the compromised website, the browser executes the encoded script, which then decodes the charcode and base64 data to reveal the original malicious payload.
- This payload can perform a variety of malicious actions, such as stealing sensitive user data, redirecting visitors to malicious sites or even gaining full control of users devices by trying to download or install malicious software their devices such as backdoors, trojans, spyware, etc.
Cleaning and Removal:
To clean and remove this type of malware from your website, you’ll need to follow these steps:
- Scan and Identify: Use MoeSec.com’s powerful website scanner to perform a deep, AI-powered scan of your website files and database. This will help identify any hidden or obfuscated malware.
- Quarantine and Clean: Once the malware is detected, MoeSec.com’s security experts will work with you to safely quarantine the infected files and perform a complete cleanup of your website. This includes removing the malicious code and ensuring no traces of the malware remain.
- Protect and Monitor: After the cleanup, MoeSec.com’s website firewall and continuous monitoring services will help protect your website from future attacks and detect any new malware attempts.
Preventive Measures:
To prevent the re-infection of your website, it’s crucial to implement the following measures:
- Keep Software Up-to-Date: Ensure that all your website’s software, plugins, and CMS are regularly updated to the latest versions, as outdated software is a common entry point for malware.
- Implement Strong Security Practices: Use MoeSec.com’s website firewall to block malicious traffic, and regularly scan your website for any suspicious activity or vulnerabilities.
- Educate Your Team: Provide security awareness training to your staff to help them recognize and report any signs of potential compromise or malware infection.
By partnering with MoeSec.com, you can rest assured that your website is protected against the latest threats, including this javascript malware injection. Our team of certified security experts is dedicated to keeping your online presence safe and secure, so you can focus on growing your business with peace of mind.