When I hunt honeypot blackhole exploit kit (BHEK) blacklist
for infections I often come to see some URLs ending up with js.js on it.
The file will be the same in extention but actually it has differences in
contents depend on malware epidemic exploitation / how the BHEK want to
infect users at that time.
Previously, the trend I found in the js.js code was a mere and
common injected obfuscation script like :
or
↑It was obvious that we must crack this code for getting to the next -
hop of the malware source.
But the recent js.js that I found was mostly/practically a javascript calls to
another text file contains "document.location=" of a certain blackhole sites.
The moral of this writing is, we can nail bigger stuffs / new epidemic by
understanding the parameter produced by the recent terms.
Allow me to demonstrate this theory. Let's see the below real infected urls:
209.215.118.13 hXXp://209.215.118.136/fFDrSXRM/js.js
200.219.245.75 hXXp://aainstalacoeseletricas.com.br/3XmimsHL/js.js
184.107.196.218 hXXp://www.celucentro.com.co/qgmZiWk7/js.js
82.98.87.89 hXXp://wilde.webprojekt.ch/v8bPW1U4/js.js
85.214.26.149 hXXp://advantage-media-sports.com/26MxXngr/js.js
194.170.160.46 hXXp://www.admirals.ae/mC9o9rRd/js.js
This will connect you to the certain "document.location=" below:
document・location='hXXp://209.59.222.20/pxyk80ujzb03h.php?y=pju39rz4qpnogd84';
document・location='hXXp://50.116.54.37/pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi';
document・location='hXXp://173.230.130.248/pxyk80ujzb03h.php?y=078eb263358008ea';
document・location='hXXp://69.163.40.128/pxyk80ujzb03h.php?y=p7tqagmzf8qdjqpi';
document・location='hXXp://69.163.40.128/pxyk80ujzb03h.php?y=gawit01smae175m0';
document・location='hXXp://69.163.40.128/pxyk80ujzb03h.php?y=pju39rz4qpnogd84';
The lesson teach us to understand the curent trend of parameter used in
blackhole, which is :/pxyk80ujzb03h.php?y=
Let's proof this theory by searching the above strings in the -
malware domain list site:
↑*) Click to enlarge the pic
↑Voila! We got ourself a new hunting field. :-)
PS: This posts is dedicated to fellow malware hunters
#MalwareMustDie!