Mysterious, yet familiar
Over the past couple of months, there has been a noticeable increase in heavily obfuscated JavaScript code that embeds malicious iframes. Most of this code was injected into JavaScript files included by pages of compromised websites (rather than into the home page itself), which is presumably harder for the website's admin to spot.
An example of such injected JavaScript code looks like this: Note that the comments around the injected code (/d47c75/ and //d47c75/ in this case) serve as injection markers for an automated FTP injection tool, so the attacker can replace the injected JavaScript with a newer version once the old one is detected by AV software.
After going through quite a few pages with similar injected JavaScript, it appeared that all of these JavaScript snippets were generated by the same obfuscator (cryptor), which was confirmed when I discovered a website that hosts this JavaScript code and allows directory listing. Alongside several JavaScript files entirely obfuscated with this cryptor, I found a Perl script that periodically re-obfuscates those JavaScript files. In case you're wondering, the xp_, vista_, win7 and other scp_pc.js files are used to mimic the look and feel of a native antivirus program's window (instead of a web page) and scam the visitors of the site into purchasing questionable AV software (or even malware). It's only natural that the site owner would want to obfuscate the JavaScript code to avoid detection by legitimate AV software.
Anyhow, this led me to the JavaScript obfuscation service behind it: crypt.am.
Convenience is the key
For a reasonable fee (1 WMZ is about 1 USD), you can conveniently obfuscate your URL (wrapped in a hidden iframe) or a JavaScript snippet to avoid detection by AV software. Each obfuscation is unique, in that all variable and function names are randomly generated to defeat checksum-based AV detection:
To further assure quality service, the site claims to check the detection rate of its 3 cryptors and supposedly modifies a cryptor when it can be detected by more than a few AV products. However, the detection rate displayed on the site is suspiciously low compared to the actual result I got from VirusTotal.
The obfuscation process can also be automated via an online API: This makes maintaining a large number of compromised websites much easier, as seen in the fake AV site mentioned above.
The site also provides account management features, such as changing password/contact info, topping up the account with WebMoney, and even a log of all the data previously obfuscated.
Brand building
This site is apparently operated by Paunch, the author of the very popular Blackhole Exploit Kit (EK) and its successor, the Cool Exploit Kit. Both EKs are available for rent or purchase as well. A rented Blackhole server has been reported to cost $500 a month, whereas an annual license costs $1500. The newer Cool EK reportedly costs $10,000 a month to rent. It looks like Paunch is leveraging the reputation he built with these popular EKs and expanding his business into other parts of the cybercrime ecosystem.
The website advertised in the banner of crypt.am, doitquick.net, is yet another of Paunch's services to make the life of cyber-criminals easier. It batch-registers domains that can be used for both white and black/gray purposes, and also comes with blacklist checking features.
Long gone are the days when a cyber-criminal needed to hand-craft his own little exploit kit and cryptors, or buy them from other underground sources of questionable reputation. With the market domination Paunch enjoys, he can afford to purchase or custom-build the best exploits and cryptors out there and offer them at a very competitive price.
Many happy customers
Within the last three months, over 3000 websites were observed hosting JavaScript obfuscated with crypt.am. In contrast to high-profile incidents that target high-traffic websites, the compromised sites observed here are mostly small websites with moderate to low traffic. A quick review of the websites reveals that the vectors of compromise include stolen or brute-forced FTP/SSH passwords, vulnerabilities in WordPress plug-ins and, in some cases, compromised web servers.
With the help of crypt.am, almost a quarter of the compromised websites hosted malicious JavaScript code for more than 3 days: Once a website admin finds out that his/her site is compromised, the site is usually taken offline and fixed very quickly. Therefore it's very important for cyber-criminals to keep their compromised sites undetected for as long as possible.
The majority of the compromised sites redirect to either Blackhole or Cool EK. Blackhole EK was reported to have a conversion rate of about 8%. The conversion rate for Cool EK is a bit lower, at 7%. That means 7% to 8% of the visitors to the thousands of compromised websites would end up with malware installed on their computers.
Assuming obfuscation with crypt.am keeps a compromised site undetected for 2 extra days, and the site gets only 50 visitors per day, at least 2 * 50 * 7% = 7 extra visitors will get infected. Armed with an arsenal of ransomware (min $50, usually $100), scareware ($50-$200) and bank trojans (whatever amount is in your bank account), a cyber-criminal can easily recover the cost of a whole month of unlimited crypt.am service ($50) with this one website alone.
Cookie Bomb
A large portion of the compromised sites hosted JavaScript code that uses a cookie to limit the iframe injection to once a day. This is supposed to reduce the load on the EK servers and avoid unnecessary traffic that might raise suspicion.
This unique cookie led me to about 1000 other sites that drop it, presumably via the malicious JavaScript code.
A Google search for "visited_uq" also returned about 270,000 results, many of which are labelled by Google as "This site may harm your computer."
Although it's hard to establish a solid association between these "Cookie Bomb" sites and the use of crypt.am, a quick look at some of these websites indicates that at least some of the plain-text "Cookie Bombs" (second line in the picture below) have been replaced by (or complemented with) an obfuscated version (first line below), possibly with the help of crypt.am.
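As an added example (it is not code from this post, from crypt.am or from any of the sites described), the following Python scanner looks for the three traits discussed above in a JavaScript file: the marker comment pair that frames an injected block, the randomly generated identifier names combined with decoder calls that characterize the cryptor's output, and the visited_uq cookie gate of the "Cookie Bomb". The exact marker comment syntax (a block comment containing a short hex token, based on the post's /d47c75/ markers), the identifier heuristic and its 50% threshold, and the three sample snippets are all assumptions constructed for the example.

```python
import re
from typing import Dict, List

# JavaScript keywords and a few DOM names, excluded from the identifier heuristic.
KEYWORDS = {
    "var", "let", "const", "function", "return", "if", "else", "for", "while",
    "new", "this", "document", "window", "true", "false", "null", "typeof",
    "in", "do", "break", "continue", "switch", "case", "try", "catch", "throw",
}

# Injection marker: a block comment whose only content is a short hex token,
# optionally wrapped in "/". Shape assumed from the post's "/d47c75/" markers.
MARKER_RE = re.compile(r"/\*\s*/?([0-9a-f]{4,8})/?\s*\*/")
IDENT_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
DECODER_RE = re.compile(r"\b(unescape|eval|fromCharCode)\b")
# The "Cookie Bomb" gate: document.cookie read or written with the visited_uq name.
COOKIE_RE = re.compile(r"document\.cookie.*?visited_uq", re.S)


def looks_random(name: str) -> bool:
    """Heuristic for generated names: long, mixing case and digits, or nearly vowel-free."""
    if len(name) < 7:
        return False
    has_digit = any(c.isdigit() for c in name)
    mixed_case = name.lower() != name and name.upper() != name
    vowel_ratio = sum(c in "aeiouAEIOU" for c in name) / len(name)
    return (has_digit and mixed_case) or vowel_ratio < 0.15


def scan_js(source: str) -> Dict[str, object]:
    """Score one JavaScript file for the traits described in the post."""
    tokens = MARKER_RE.findall(source)
    # An injected block is framed by an opening and a closing comment with the same token.
    markers = sorted({t for t in tokens if tokens.count(t) >= 2})

    body = MARKER_RE.sub("", source)
    idents = [i for i in IDENT_RE.findall(body) if i not in KEYWORDS]
    random_ratio = sum(looks_random(i) for i in idents) / len(idents) if idents else 0.0
    decoders = sorted(set(DECODER_RE.findall(body)))
    cookie_bomb = COOKIE_RE.search(body) is not None

    reasons: List[str] = []
    if markers:
        reasons.append("injection marker pair: " + ", ".join(markers))
    if random_ratio >= 0.5 and decoders:
        reasons.append("%d%% random identifiers with %s" % (random_ratio * 100, "/".join(decoders)))
    if cookie_bomb:
        reasons.append("visited_uq cookie gate")
    return {
        "markers": markers,
        "random_ratio": round(random_ratio, 2),
        "decoders": decoders,
        "cookie_bomb": cookie_bomb,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed samples (not real injected code): a block framed by marker comments
# with generated names and a decoder call, a plain-text cookie gate, and a benign helper.
INJECTED = (
    "var counter = 1;\n"
    "/*d47c75*/\n"
    'var qXz9kLmP=document,wRt4NvBs=unescape("%3C"),tG5hYpQr=wRt4NvBs.length;'
    "function hJk82sQw(pL3mZxKv){return pL3mZxKv+wRt4NvBs;}\n"
    "/*/d47c75/*/\n"
)
COOKIE_GATE = (
    'if(document.cookie.indexOf("visited_uq")==-1){'
    'document.cookie="visited_uq=1; path=/";}'
)
CLEAN = "function addItem(list, item) { list.push(item); return list.length; }"

if __name__ == "__main__":
    for label, src in (("injected", INJECTED), ("cookie gate", COOKIE_GATE), ("clean", CLEAN)):
        print(label, scan_js(src))
```

Because the post notes that the injections land in included .js files rather than the home page, a site owner would run scan_js over every JavaScript file the web root serves (and every file a page includes), not just the page source. The marker check is the cheapest signal, since the same token must open and close the block for the attacker's replacement tooling to work; the identifier heuristic is noisier and is only reported together with a decoder call to keep minified but legitimate libraries from tripping it.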