Decoding Pseudo-Darkleech (#1)
I'm currently going through a phase of WordPress dPression. Either my users are exceptionally adept at finding hacked and subverted WordPress sites, or there are just so many of these sites out there. This week's particular fun seems to be happening on restaurant web sites. Inevitably, when checking out the origin of some crud, I discover a dPressing installation that shows signs of being owned since months. The subverted sites currently lead to Angler Exploit Kit (Angler EK), and are using "Pseudo Darkleech" as their gate.
Pseudo-Darkleech is not the most fortunate name for malcode, but as far as I can tell, it was "invented" by Sucuri back in December 2015, and has been taken up by others, like by fellow ISC Handler Brad over at malware-traffic-analysis.net. This is what pseudo-darkleech currently looks like:
And this is the tiny bit of code that the entire blob above decodes into:
cerfsvolants-wer4u-org showed up for the first time on April 18, and has been in use since. "cerf volant" is French and means "flying a kite". I hope this was a random selection, because the only other option is that this particular malware miscreant is actually making fun of us. Virustotal shows a couple of goodies that have been observed from this site.
In this diary, we'll do a step-by-step of the decoding, to show how it can be done, and more importantly, to show how massively convoluted the encoding used in current exploit kit gates has become. If, in a corporate setting, you are wondering why you get all the AnglerEK (JS/Redirector) hits only on your workstation anti-virus, but not on your proxy content filter, this diary is for you. You'll see that it is becoming very hard (aka "impossible") to detect such malcode without actually running it in a real browser. Sit back, and get some popcorn! :).
If you look at the first picture above, you'll notice there are two elements. One is a HTML "DIV" section named "evs", and filled with what looks like a garbage combination of numbers and letters. The other is a "script" section, but filled with what does not look like JavaScript at all.
For starters, lets ignore the "evs", and make sense of the "script". It seems to be a long list of variables that are assigned some values, but it is impossible to figure out rhyme or reason. When confronted with something like this, I first use a quick Perl command to make the blob more readable:
cat script.js | perl -pe 's/;/;\n/g';
This adds a line break to every ";", and thus separates out the individual Javascript commands. The result is still far from pretty, but it allows to determine that 99% of the code really only assigns values to variables. It is only near the bottom of the code block that we find the first actual JavaScript function call:
rtmj+=qpbuzz;
rtmj+=outpp;
rrv(rtmj)();
hkgcz="\x63\x78\x63";
rtmj=hkgcz;
So it is probably fair to assume that we can replace rrv(rtmj)(); with a print(rtmj); and run the result through JS/Spidermonkey, to see what gives:
daniel@debian:$ js script-edited.js
Note how the decoded JavaScript references the "evs" section that we ignored earlier!
replace(/[^\d ]/g,"") : Everything that is not a space " " or a number \d gets replaced with "" (empty) .. so this cuts out all the characters, and only leaves the numerals
for(i=0;...parseint(a[i])^9 This loops over the numerals, and does a ^9 (XOR with 9) operation on the number
fromCharCode : Turns the decoded number into its equivalent ASCII character
Hey, we can do this in Perl, too:
daniel@debian:$ cat evs | perl -pe 's/[^\d ]//g; s/(\d+)\s+/chr($1^9)/ge'
Even more progress :). I'll finish the analysis in a second diary that I'll post later.
Comments
Does your antivirus act (if at all) before or after your browser decoded the redirector and got redirected to the landing page?
Anonymous
Apr 21st 2016
8 years ago