
How to analyze the JavaScript backdoor script left by the attacker

2025-04-11 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains how to analyze a JavaScript backdoor script left by an attacker. The content is quite detailed; interested readers can refer to it, and I hope it will be helpful to you.

On a compromised server we found a script left by an attacker. The script is written in JavaScript, and its main function is to act as a Windows backdoor and a C2 (command-and-control) client. First, I apologize in advance: to protect the customer's privacy, I will not discuss or describe too many details.

The script is tiny, less than 2KB, and the only sign of its presence is a running process called "wscript.exe", which is a legitimate Windows program. The main part of the script is an infinite loop that waits for commands; after passing the query string "reflow" to the C2, it sleeps for four hours.

The C2 callback is as follows:

To get more information, I searched various search engines and VirusTotal for related code snippets, but to my disappointment found nothing. So I decided to use Recorded Future to help me find it. Recorded Future scans and analyzes information from thousands of websites, blogs and Twitter accounts to find connections between people, organizations and events, both current and upcoming.

The query returned three matching results, all of which had been deleted in December 2017. The cached data and the linked source helped me recover the compressed archive containing the C2 package.

The package holds four main scripts (3 PHP and 1 JavaScript file), which are copied to a web server. The web server may be controlled by the attacker or compromised by other means. The main script, index.php, contains an SVG animation that visitors see if they happen to visit the page.

The script shows that when "reflow" is passed to the page, the contents of the malicious JavaScript file (renamed to a PNG file) are sent to the victim PC and evaluated by the backdoor script. The malicious script obtains system information through WMI and then sends that information back as part of its authentication method.

Here we can see that the malicious script runs in an infinite loop, waiting for commands such as upload, download and execute.

The "mAuth" function generates short random strings, concatenates them with the system information, and passes them to the C2 in a Base64-encoded Cookie. These random strings matter because they serve as tags that delimit the instructions enclosed between them.

The data is sent back to the C2 through AJAX. A function called "FillHeader" populates the HTTP headers.

The following is what the HTTP request looks like when the victim PC checks in:

The second line shows the result of Base64-decoding the cookie value. The part after the second delimiter contains the system information, which is Base64-decoded once more.

One of the PHP scripts appears to be a template that is modified with HTML code to make the page look legitimate (for example, it includes part of a real web page). The script is renamed and referenced by index.php. It holds all the functions responsible for uploading and downloading files and for creating activity logs. The log files include the victim's IP address, uploaded and downloaded files, session information, and so on.

The "Authentication" function reads the cookie value from the victim and parses the system information; it also defines the variables used to build the log file name. The victim's user name and computer name are MD5-hashed and used as part of the log file name. When the victim PC connects to the C2, three files are created on the C2 server:
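As an added example (not the attacker's code and not from the original article), here is a small analyst-side decoder for the beacon format described in the "mAuth", cookie and "Authentication" passages above: it unwraps a captured Cookie value, recovers the two random tags and the system information, pulls the command hidden between those tags in a captured C2 reply, and computes the MD5 log-name hints to look for on a compromised web server. The exact field layout (`tag1;tag2;<Base64 sysinfo>` and `user|computer|os`) is an assumption, since the article does not show it, and all sample data is constructed.

```python
import base64
import hashlib
import re

# Assumed layout (the article only says the random tags are concatenated with
# the system information and Base64-encoded twice): outer Base64 of
# "tag1;tag2;<Base64 sysinfo>". ';' never occurs in the Base64 alphabet, so
# splitting on it is unambiguous.
TAG_SEP = ";"


def encode_beacon(tag1, tag2, sysinfo):
    """Build a sample cookie value in the assumed layout (for demo/test only)."""
    inner = base64.b64encode(sysinfo.encode()).decode()
    outer = f"{tag1}{TAG_SEP}{tag2}{TAG_SEP}{inner}".encode()
    return base64.b64encode(outer).decode()


def decode_beacon(cookie_value):
    """Recover the two delimiter tags and the plaintext system information."""
    outer = base64.b64decode(cookie_value).decode()
    tag1, tag2, inner = outer.split(TAG_SEP, 2)  # ValueError if layout differs
    sysinfo = base64.b64decode(inner).decode()
    return tag1, tag2, sysinfo


def extract_command(response_body, tag1, tag2):
    """Pull the command the C2 enclosed between the two tags in its HTML reply."""
    pattern = re.escape(tag1) + r"(.*?)" + re.escape(tag2)
    m = re.search(pattern, response_body, re.S)
    return m.group(1) if m else None


def log_name_hints(sysinfo):
    """MD5 of user and computer name, which the C2 uses in its log file names.
    Assumes sysinfo fields are 'user|computer|os' (constructed field order)."""
    user, computer = sysinfo.split("|")[:2]
    return (hashlib.md5(user.encode()).hexdigest(),
            hashlib.md5(computer.encode()).hexdigest())


if __name__ == "__main__":
    # Constructed beacon and constructed C2 reply, not captured data.
    cookie = encode_beacon("xk3q", "p9wz", "alice|WS-042|Windows 10")
    t1, t2, info = decode_beacon(cookie)
    body = "<html><svg>...</svg>xk3qdownload tool.pngp9wz</html>"
    print(info, extract_command(body, t1, t2), log_name_hints(info))
```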

The last PHP script in the package is used to interact with the victim PC and send it commands. Note the time zone and the interesting login method.

The available commands are very limited, but enough to let an attacker upload further, more powerful tools to the victim's PC and gain deeper network access. Finally, if the attackers realize they are about to be discovered, they can use another set of commands built into this script to delete all the important log files.

This concludes how to analyze the JavaScript backdoor script left by the attacker. I hope the above content has been of some help and taught you something new. If you think the article is good, share it so more people can see it.
