A few days ago, I published a diary on the SANS Internet Storm Center website about a JavaScript file that was altered to deliver a cryptominer into the victim’s browser. Since my first finding, I have been hunting for more samples. The best way to identify them is to search for the following piece of code:
var foo = navigator['hardwareConcurrency'] || 0x4;
This is used to detect the number of CPU cores available to the miner. I have already found plenty of samples; most of the time they are standalone files.
Another interesting piece of code:
return /mobile|Android|webOS|iPhone|iPad|iPod|IEMobile|Opera Mini/i['test'](navigator['userAgent']);
This check is used to avoid running the miner on mobile devices (and wasting their resources).
This morning, I found an altered jquery.js file. jQuery is a very popular JavaScript library that helps developers to “write less, do more”, as stated on its website. The malicious file is based on a very old version of jQuery (1.7.1) that is still widely used. The wdiff command (or “word diff”) shows interesting information about the differences between the original file and the malicious one:
$ wdiff -s jquery.js jquery.js.malicious
...
jquery.js: 1244 words  1243 100% common  0 0% deleted  1 0% changed
jquery.js.malicious: 10457 words  1243 12% common  9212 88% inserted  2 0% changed
Note that the malicious file (SHA256: ec214629efdffce5031b105737a14778a275c7a178bf1330f700ea6254269276) has a very low score on VT: 2/60 and was submitted yesterday from the USA.
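To turn the two code patterns above and the wdiff comparison into a small hunting script, here is an added example (my own code, not part of the original diary or of jQuery). It searches a JavaScript source for the core-count probe and the mobile user-agent check, and computes wdiff-style word statistics against a pristine copy of the library; the library and miner snippets are constructed stand-ins, not the real jquery.js.

```python
import re
from difflib import SequenceMatcher

# Indicators from the diary: the core-count probe and the mobile-device check.
# Matched loosely (any quoting style, optional spaces) so small rewrites do not hide them.
INDICATORS = {
    "core_count_probe": re.compile(
        r"navigator\s*\[\s*['\"]hardwareConcurrency['\"]\s*\]\s*\|\|\s*0x4\b"),
    "mobile_ua_check": re.compile(
        r"/mobile\|Android\|webOS\|iPhone\|iPad\|iPod\|IEMobile\|Opera Mini/i"
        r"\s*\[\s*['\"]test['\"]\s*\]\s*\(\s*navigator\s*\[\s*['\"]userAgent['\"]\s*\]\s*\)"),
}

def scan_js(source):
    """Return the names of the miner indicators found in a JavaScript source."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]

def word_diff_stats(original, suspect):
    """Word-level comparison in the spirit of `wdiff -s`: how many words of the
    suspect file are common with the pristine copy and how many were inserted."""
    a, b = original.split(), suspect.split()
    matcher = SequenceMatcher(None, a, b, autojunk=False)
    common = sum(m.size for m in matcher.get_matching_blocks())
    inserted = len(b) - common
    return {"words": len(b), "common": common, "inserted": inserted,
            "inserted_pct": round(100.0 * inserted / max(len(b), 1))}

# Constructed sample: a tiny stand-in for a pristine library, and a copy with a
# miner stub appended (hypothetical startMiner() call, not the real jquery.js).
PRISTINE = "(function(window){ var jQuery = function(s){ return s; }; window.jQuery = jQuery; })(window);"
TAMPERED = PRISTINE + """
(function(){ var foo = navigator['hardwareConcurrency'] || 0x4;
 if (/mobile|Android|webOS|iPhone|iPad|iPod|IEMobile|Opera Mini/i['test'](navigator['userAgent'])) return;
 startMiner(foo); })();"""

if __name__ == "__main__":
    print(scan_js(TAMPERED))                    # ['core_count_probe', 'mobile_ua_check']
    print(word_diff_stats(PRISTINE, TAMPERED))  # 25 words, 12 common, 13 inserted (52%)
```

Run it against a real suspect file by reading it with `open(path).read()` and comparing it with the matching upstream release of the library; a large inserted percentage on a file that claims to be a known version is the signal worth investigating.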