vortivet.blogg.se

Those who remain script pastebin

Website hackers are always changing tactics and borrowing ideas from each other. One of the challenges of website security is staying on top of those threats as they evolve. We wrote in the past about fake jQuery scripts and how hackers use Pastebin to host malware. This time, we will show you an attack that combines both of these techniques to spread malware using a fake jQuery Pastebin file.

Reversed URL Detected by SiteCheck

A couple of weeks ago SiteCheck began detecting WordPress sites with reversed JavaScript code in /wp-includes/js/jquery/jquery.js and /wp-includes/js/jquery/ files.

As you can see, the URL is written backwards inside the payload. Once reversed (war/moc.nibetsap//:ptth is http://pastebin.com/raw written backwards), it injects external scripts that load code directly from Pastebin. Previously, we saw this trick used on infected Magento sites. There are strong signs that these two attacks are related, but this WordPress infection is interesting on its own, so let's look closer at these Pastebin links.

Pairs of Pastes

Both jquery.js and are core WordPress files. Hackers gain access to the website and replace the content of these files with their own short code. In the case of jquery.js the attackers inject scripts from:

Now we have some interesting questions about these pairs of Pastebin links. Why do they remove the legitimate code from WordPress core files? … We get answers to all these questions when we check the referenced pastes.

Let's first break down the content of each pair of Pastebin links.

- The paste HC90NJsp is actually the real source code of jQuery (v1.11.3).
- Its pair, dWe3gcb5, is an obfuscated malicious script that redirects visitors to hxxps://goo.
- The paste WMMc4sS8 is the real code of the jQuery Migrate (v1.2.1) library.
- Its pair, rDiH4Bjy, is an obfuscated malicious script that redirects visitors to either hxxps://goo.

Now we know that in each infected WordPress jQuery file, the first injected Pastebin script compensates for the removal of the original jQuery code (by loading the same code from Pastebin) and the second script injects the malware.

It's not clear why the attackers decided to remove existing code and then load it from Pastebin. Most likely it makes infection and reinfection easier. js file is already infected or not, they just replace its whole content with code that is guaranteed to be correct. Since the jQuery code is too long to be embedded in their attack scripts, they replaced it with a short external call to the same jQuery library saved on Pastebin. Why not? It works.

There are two user accounts associated with these pastes. Jstoolshope – created on Dec 17th, 2015. Both users have only two pastes. Emonostin's pastes are the ones injected into and Jstoolshope's are the ones from the infected jquery.js. Why create malicious pastes under some user account if anonymous pastes can be equally good for script injections? The answer is flexibility.
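
A defender's check for the reversed-URL trick described above, as an added example that is not part of the original post: it searches .js files for Pastebin raw URLs written either forwards or backwards. The function names, the sample strings and the EXAMPLE1 paste id are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Matches a Pastebin raw URL; the path tail stops at quotes, whitespace or brackets.
PASTEBIN_RAW = re.compile(r"https?://pastebin\.com/raw[^\s\"'<>()]*", re.IGNORECASE)


def find_pastebin_refs(js_text):
    """Return (orientation, url) pairs for Pastebin raw URLs in js_text.

    The text is searched as written ("forward") and again character-reversed
    ("reversed"), which exposes a URL stored backwards such as
    war/moc.nibetsap//:ptth.
    """
    hits = []
    for orientation, text in (("forward", js_text), ("reversed", js_text[::-1])):
        hits.extend((orientation, m.group(0)) for m in PASTEBIN_RAW.finditer(text))
    return hits


def scan_tree(root):
    """Scan every .js file under root; return {path: hits} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.js")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = find_pastebin_refs(text)
        if hits:
            report[str(path)] = hits
    return report


# Constructed samples (not taken from a real infection); EXAMPLE1 is a placeholder id.
SAMPLE_INFECTED = 'var s = "' + "http://pastebin.com/raw/EXAMPLE1"[::-1] + '";'
SAMPLE_CLEAN = "/*! jQuery placeholder */ (function(){ return 1; })();"

if __name__ == "__main__":
    # Usage: python scan.py /path/to/wordpress/wp-includes/js
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for file, hits in scan_tree(target).items():
        for orientation, url in hits:
            print(f"{file}: {orientation} Pastebin reference {url}")
```

A core jquery.js that references Pastebin in either orientation should be restored from a clean WordPress copy rather than edited in place.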










