Active anti-reverse techniques in Javascript

We recently came across a very interesting suspicious web page. The HTML page of course contained malicious code that linked to the Trojan. However, it was a separate HTML page inside the benign one – the authors of the code went against HTML standards, and put in an extra <html></html> container.

What’s surprising is that browsers (we checked using Internet Explorer, Firefox and Opera) don’t have any problem processing a page like this. On the other hand, who would expect malicious users to observe standards?

However, this isn’t the main issue. We’re interested in the script that the malicious users integrated into the web page. Of course, the script is designed to make analysis as difficult as possible, using techniques to obfuscate the JavaScript.

The script itself looks more or less like this:

Nothing particularly surprising here – the majority of scripts like this can be decrypted without analysing all the steps taking to manipulate the code. You just have to find the part of the code which prints to the original web page in order to run the payload. And in this case it’s the document.write() function:

If we modify this, we can see the decrypted code for the payload. Change document.write(P7E87DE2) to textarea1.innerHTML=P7E87DE2, with textarea1 being the HTML textarea container on the copy of infected page that we deliberately created on a local harddrive. Now we can see what the script does in the textarea field. Which gives us the following:

And it seems that this script doesn’t print anything. This is the first impression – but a closer look at the script turns up this string:

What does this mean? It’s very simple – this function gets its own code, and transforms it into a ‘key’ text string which is made up of letters and numbers. Within the function this string is used to generate the payload i.e. what gets entered in the text area depends on the body of the function itself!

As a consequence, if the code is modified in the slightest way, the result generated will be completely different, and may be completely nonsensical – this is what happened on our first attempt. It’s a sort of defense mechanism against modifying the body of the JavaScript function. I haven’t seen anything like this before in JavaScript – it’s pretty smart.

However, it’s possible to get round all of this simply by getting the same string from outside the function, assigning the variable q2854da60, which should be contained in the key string, to the result.

If you’re an analyst doing this, and you’re trying to get the script from inside the encrypted code, then you might suddenly find that when you open a correctly crafted page in order to get the hidden contents of the script, the browser will freeze. I’ll just stick my two cents in here, and point out that this is the moment when your computer will get infected.

The construction used by an analyst within the <textarea></textarea> tags is crafted in such a way as to not only infect users’ machines, but also to infect the computer of an analyst who’s trying to get to the payload code by printing it to textarea! The construction looks like this:

So if the code is placed inside the textarea container, the code will close the textarea tag and add an iframe container – the browser uses this to load an external script which contains the exploit Trojan that infects the system.

This example shows very clearly how virus writers are combating antivirus professionals who want to protect rank and file users. And if a virus analyst makes the smallest error, his or her machine will become infected. And that’s one of the reasons that I love my job – because it teaches me that there’s no room for error!

Active anti-reverse techniques in Javascript

Your email address will not be published. Required fields are marked *



Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

What did DeathStalker hide between two ferns?

While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”.

Subscribe to our weekly e-mails

The hottest research right in your inbox