Author Topic: Stealer javascript in a shopping website  (Read 2633 times)

0 Members and 1 Guest are viewing this topic.

Offline Mr. Consumer

  • Full Member
  • ***
  • Posts: 134
Stealer javascript in a shopping website
« on: May 03, 2023, 05:17:32 PM »
Hello,

Here's a Stealer javascript injected into a website to steal users information. It is embedded in a HTML file.

The script is loaded on this website: "nocturnamodels(.)com/en/

But it won't be injected just by visiting this page.
To reproduce the detection, visit the website, add an item to the cart and then click on proceed to checkout. When it is clicked, a script is injected into the webpage which is malicious. The script is in the HTML named "pedido". Avast at the moment does not detect it.
I'm attacking a screenshot. The last line in the file shown here is the obfuscated malicious code.



Here's a Virustotal link of the HTML. It's already detected by many other AV products. I also tested in a VM and Bitdefender, ESET, Kaspersky are able to successfully block it.

https://www.virustotal.com/gui/file/94ae09df47afcb74072e5f302401d5f7b31c15685a779904fea4ac7a460efa44/detection

The script may vary slightly each time, so the hash may not always be the same. So a hash based detection will not be recommended, I think.

The script is obfuscated. Create a heuristic detection for it if possible to detect similar scripts in the future.

It has to be detected on the browser. It only works on browser level. Any personal information like credit card info put on the page will get stolen by the attacker. An Avast analyst need to reproduce the issue on their end like I explained above and take proper measure to block it.

You can find more details about this here on the ESET forum:

https://forum.eset.com/topic/36242-jsspybankeriv-trojan/

Note: If any Avast employee or mods have a quicker access to the analysts, then please send this to them quickly to protect potential victims using Avast.
I already submitted this twice to Avast. Once I sent the javascript I extracted from the html file and sent them and also sent a de-obfuscated version of the script with it. Avast added file based detection for them. Another time I sent the HTML file which has the script embedded in it and got a reply that a detection has been added, but in reality there is no detection. So maybe they misunderstood what I explained.
So I'm sharing here in details so that it's easier to understand, since Avast still does not detect it.
« Last Edit: May 03, 2023, 07:30:57 PM by Mr. Consumer »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Stealer javascript in a shopping website
« Reply #1 on: May 03, 2023, 06:41:08 PM »
If this is what is happening - then do you think it wise to post an active link to the suspect site (I don't).

It is best to simply post the domain name and no https etc, of modify to hXXps://nocturnamodels.com/en/ so it isn't active.

Please modify your post.

You don't say how or where you reported it use the -  Reporting a possible Malicious sample File or Website - https://www.avast.com/report-malicious-file.php.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Mr. Consumer

  • Full Member
  • ***
  • Posts: 134
Re: Stealer javascript in a shopping website
« Reply #2 on: May 03, 2023, 07:38:47 PM »
If this is what is happening - then do you think it wise to post an active link to the suspect site (I don't).

It is best to simply post the domain name and no https etc, of modify to hXXps://nocturnamodels.com/en/ so it isn't active.

Please modify your post.

You don't say how or where you reported it use the -  Reporting a possible Malicious sample File or Website - https://www.avast.com/report-malicious-file.php.
My bad. I've fixed it. Simply visiting the site is safe but yeah, I should not share clickable link.
Yeah, it was submitted on the form you posted. Normal submission didn't work in favor of adding detection. So I used the false positive form to submit and also got positive replies both times as I explained above. But Avast doesn't detect it yet.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Stealer javascript in a shopping website
« Reply #3 on: May 03, 2023, 08:39:35 PM »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Mr. Consumer

  • Full Member
  • ***
  • Posts: 134
Re: Stealer javascript in a shopping website
« Reply #4 on: May 03, 2023, 08:42:45 PM »
Well no one detect this on Virus Total including ESET - https://www.virustotal.com/gui/url/a6cfc313f8ca88dae7abff605fdbf467b8c27174870ead8170ff7e44f9d58d64?nocache=1
It's not about blacklisting the website, it's a javascript that is injected in the checkout page if items are added into the cart. I explained it in my post and even posted a Virustotal link.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Stealer javascript in a shopping website
« Reply #5 on: May 03, 2023, 08:45:38 PM »
Virus Total isn't about blacklisting, essentially about malware detections.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Mr. Consumer

  • Full Member
  • ***
  • Posts: 134
Re: Stealer javascript in a shopping website
« Reply #6 on: May 03, 2023, 08:50:01 PM »
Virus Total isn't about blacklisting, essentially about malware detections.
As I said, the host itself is not malicious or blacklisted by anyone. Once you do what I said about reproducing, the script will be injected into the page. The virustotal link in my post is the HTML file with embedded javascript in it which is detected by products like BD, Kasper, ESET. I tested each product first hand in my VM.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Stealer javascript in a shopping website
« Reply #7 on: May 03, 2023, 11:29:24 PM »
Well your only recourse is to await a reply from Avast on your submission.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Stealer javascript in a shopping website
« Reply #8 on: May 08, 2023, 01:41:06 PM »
Secure: https://urlscan.io/result/a11232c5-2e87-4f48-97cc-c6d912b12683/
response: https://urlscan.io/responses/5d8b2d12227d53de1b9f46c048bde169c5e61d58b7f97a3d28f02123b208bc10/
Scrollspy bootstrap vulnerability? XSS is possible in the data-target attribute, see *

See TLS recommendations here: https://sitecheck.sucuri.net/results/nocturnamodels.com
No CSP policy set. -> https://sitecheck.sucuri.net/results/nocturnamodels.com

See retirable code:
Quote
Retire.js
bootstrap   3.2.0   Found in
htxps://nocturnamodels.com/themes/theme1206_version2/cache/v_40_ce50539bf6f2daecd7f59864643974c7.js *  _____Vulnerability info:
Medium   28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331   1
Medium   20184 XSS in data-target property of scrollspy CVE-2018-14041   1
Medium   20184 XSS in collapse data-parent attribute CVE-2018-14040   1
Medium   20184 XSS in data-container property of tooltip CVE-2018-14042   1
Medium   XSS is possible in the data-target attribute. CVE-2016-10735   1
jquery-migrate   1.2.1   Found in hxtps://nocturnamodels.com/themes/theme1206_version2/cache/v_40_ce50539bf6f2daecd7f59864643974c7.js _____Vulnerability info:
Medium   11290 Selector interpreted as HTML   12
jquery   1.11.0   Found in hxtps://nocturnamodels.com/themes/theme1206_version2/cache/v_40_ce50539bf6f2daecd7f59864643974c7.js _____Vulnerability info:
Medium   2432 3rd party CORS request may execute CVE-2015-9251   1234
Medium   CVE-2015-9251 11974 parseHTML() executes scripts in event handlers   123
Medium   CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution   123
Medium   CVE-2020-11022 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS   1
Medium   CVE-2020-11023 Regex in its jQuery.htmlPrefilter sometimes may introduce XSS   1
nextjs   10.2.3   Found in hxtps://platform.twitter.com/_next/static/chunks/modules.20f98d7498a59035a762.js _____Vulnerability info:
Medium   Improper CSP in Image Optimization API CVE-2022-23646   1
High   Unexpected server crash in Next.js versions CVE-2021-43803   1
Medium   XSS in Image Optimization API CVE-2021-39178   1
Medium   Open Redirect in Next.js CVE-2021-37699   1

No best policies on security headers.

pol
« Last Edit: May 08, 2023, 03:06:36 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Mr. Consumer

  • Full Member
  • ***
  • Posts: 134
Re: Stealer javascript in a shopping website
« Reply #9 on: May 22, 2023, 09:52:17 PM »
Avast has hugely disappointed me at this. I submitted this to Avast 7-8 times since my post here and got reply most of the times.
Most of the replies were that a detection has been added. One time got a weird reply saying that the script isn't loaded by the site anymore, but if it does, it will be detected by Avast. The last statement is absolutely incorrect. I checked when I got that reply and checked again tonight a couple of hours ago. It's still present there.
The detections Avast created were all just file hash based signatures, which is useless here. I told them every time not to do that but that's what they did anyway. The hash being different each time meaning Avast can't do anything to protect users from this. I tried putting fake credit card info on that site, but there was no peep from Avast. Extremely disappointing. Bitdefender, ESET, Kaspersky remains the 3 products that can protect users from this one.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Stealer javascript in a shopping website
« Reply #10 on: May 23, 2023, 03:48:00 PM »
A method to detect the actual javascript threat is being described here:
https://forum.eset.com/topic/35067-help-detecting-the-threat-jsspybankerkj-trojan/

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Mr. Consumer

  • Full Member
  • ***
  • Posts: 134
Re: Stealer javascript in a shopping website
« Reply #11 on: May 23, 2023, 04:28:43 PM »
A method to detect the actual javascript threat is being described here:
https://forum.eset.com/topic/35067-help-detecting-the-threat-jsspybankerkj-trojan/

polonus
Good find. Things like this are reported on the ESET forum a lot. In my experience, they are the best at detecting suspicious javascript, sometimes a bit too aggresive. You may wanna keep an eye on their "Malware Finding and Cleaning" section of the forum to learn more about similar things.
« Last Edit: May 23, 2023, 10:16:23 PM by Mr. Consumer »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Stealer javascript in a shopping website
« Reply #12 on: May 24, 2023, 08:40:42 PM »
Also interesting is detecting the malware according to the 'packers' being used.
Read: https://www.zdnet.com/article/hackers-are-disguising-their-malicious-javascript-code-with-hard-to-beat-trick/

polonus
« Last Edit: May 24, 2023, 08:44:22 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Mr. Consumer

  • Full Member
  • ***
  • Posts: 134
Re: Stealer javascript in a shopping website
« Reply #13 on: February 23, 2024, 03:56:55 PM »
To this day, Avast can't detect this. The malicious script that is injected is not always the same. So Avast has to emulate it by their script analyzer to detect it on the browser. Does Avast not emulate scripts embedded into website's HTML? I read an old Avast tech doc which implied that they can. Then how come they can't detect even after my multiple submissions?
If someone here can forward this to the Avast team via support or via other official/unofficial Avast mod then that would be ideal.