If you look at the malicious code above, you will find many malicious JAR files loaded through applets, followed by a large chunk of random text inside the ‘div’ tag, which is hidden. If someone visits this webpage, he/she will only see text labeled “Loading….”. Meanwhile, the malicious code is downloading the various JAR files and may additionally download other malicious files. An interesting fact about this code comes from the random text inside the ‘div’ tag. Initially, the purpose of the random text was unclear. I later identified another example of code using exactly the same ‘div’ tag. At that point I assumed that it wasn’t entirely random after all. Let’s open the source code of the “js.php” file and take a look:
I have also located this exact same piece of Base64 code elsewhere on the Internet. In fact, this encoding technique can be found on Google Code, as part of the hotot project. Here is a screenshot of the same piece of code:
This is another case where an attacker has taken advantage of publicly available code to encode a malicious payload. This also shows how easy it is to find various encoding techniques on the Internet and leverage them for malicious purposes. For the purposes of this post, I won’t go into the details of the malicious files downloaded.
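To make the pattern described above concrete from the defender's side, here is an added triage script (written for this post, not code from the page or from the hotot project). It scans a page for applet tags that pull JAR archives and for hidden ‘div’ elements whose text is a Base64 blob rather than readable content, then decodes the blob so an analyst can see what the in-page script would have reconstructed. The sample HTML, the file names and the decoded string are all constructed for the example.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed plaintext that a hidden blob might carry; encoded at import time so
# the sample page below never needs a hand-computed Base64 string.
PAYLOAD_TEXT = 'var next = "hxxp://example.invalid/stage2"; // constructed'
SAMPLE_BLOB = base64.b64encode(PAYLOAD_TEXT.encode()).decode()

# Constructed sample page (not the one analysed in the post): two applets loading
# JARs, a visible "Loading...." label, and a hidden div holding the Base64 text.
SAMPLE_HTML = f"""
<html><body>
<p>Loading....</p>
<applet archive="loader1.jar" code="Run.class"></applet>
<applet archive="loader2.jar" code="Go.class"></applet>
<div id="payload" style="display: none">{SAMPLE_BLOB}</div>
<script src="js.php"></script>
</body></html>
"""

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(text, min_len=32):
    """True if text (ignoring whitespace) is a well-formed Base64 string of
    at least min_len characters. Short labels like 'Loading....' fail here."""
    compact = "".join(text.split())
    if len(compact) < min_len or len(compact) % 4 != 0:
        return False
    if not B64_RE.match(compact):
        return False
    try:
        base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


class HiddenBlobScanner(HTMLParser):
    """Collects applet archive names and Base64-looking text inside hidden divs."""

    def __init__(self):
        super().__init__()
        self.applet_archives = []
        self.hidden_blobs = []
        self._divs = []  # stack of (is_hidden, text_buffer) for open divs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet" and a.get("archive"):
            self.applet_archives.append(a["archive"])
        elif tag == "div":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = "display:none" in style or "visibility:hidden" in style
            self._divs.append((hidden, []))

    def handle_data(self, data):
        # Text inside a hidden div also belongs to every hidden ancestor div.
        for hidden, buf in self._divs:
            if hidden:
                buf.append(data)

    def handle_endtag(self, tag):
        if tag == "div" and self._divs:
            hidden, buf = self._divs.pop()
            text = "".join(buf).strip()
            if hidden and looks_like_base64(text):
                self.hidden_blobs.append(text)


def triage(html):
    """Return the applet archives, the hidden Base64 blobs, and their decoded text."""
    scanner = HiddenBlobScanner()
    scanner.feed(html)
    scanner.close()
    decoded = []
    for blob in scanner.hidden_blobs:
        raw = base64.b64decode("".join(blob.split()))
        decoded.append(raw.decode("utf-8", errors="replace"))
    return {
        "applets": scanner.applet_archives,
        "hidden_blobs": scanner.hidden_blobs,
        "decoded": decoded,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_HTML)
    print("applets:", report["applets"])
    for blob, text in zip(report["hidden_blobs"], report["decoded"]):
        print("hidden blob:", blob[:24] + "...")
        print("decoded:", text)
```

The combination the script keys on (applet-loaded JARs plus a hidden element containing nothing but a long, well-formed Base64 string) is what separates this page from a legitimate one: the Base64 routine itself is ordinary, public code, so the signal is where the encoded text sits and what loads alongside it, not the decoder.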
That’s it for now.
Umesh