JavaScript Form Stealer Analysis

Earlier this year Cognitous were contacted by a company to help with a security breach. During our investigation we discovered that some strange JavaScript had been injected into every page of the victim’s website which ultimately enabled the hackers to compromise the company’s Office 365 tenancy.

[Image: The Strange JavaScript Injected into the Victim Company’s Website]

This JavaScript stood out, largely because of the heavy use of hexadecimal-encoded characters (e.g. \x74, \x65). This is a common technique used to obfuscate the true purpose of a script, but it can also make the script appear, at a glance, like any other “minified” production JavaScript.

There are various tools available to help deobfuscate this kind of JavaScript but for a quick indication as to what the script did, we used the web browser’s developer tools and JavaScript console to evaluate some of the strings. Warning: take care if you do this. Do not execute arbitrary scripts. In this example we simply evaluate a string by copying from a double quote to a double quote and pasting it in the console.

[Image: Evaluating JavaScript Strings Using the Web Browser]

The first hex-encoded string turned out to be fromCharCode, which is a method of the JavaScript String type that can be used to generate a string from a series of character codes. This is a red flag as it’s another common method of obfuscating malicious JavaScript. It also explains the series of comma-separated numbers that follow the hex-encoded string. We used the JavaScript console again to deobfuscate the series of character codes (again, take care if you do this, to avoid copying anything before or after the number sequence).

[Image: De-Obfuscating the Call to String.fromCharCode()]

This revealed a URL pointing at a JavaScript file on a strange domain. It was clear that this online.js JavaScript was also being injected into pages when viewed, but we fully deobfuscated the original JavaScript before moving on to be certain we understood exactly what it was doing. The deobfuscated script can be seen below:

[Image: The Fully Deobfuscated JavaScript]

The function a1() on lines 1-11 creates a new script element, gives it a unique ID, sets the source to the URL of online.js, then inserts it before the first script element in the document. Lines 13-24 check for a script element with the unique ID and, if it is not found, call the a1() function to inject the online.js script into the document.
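The two decoding steps described above (hex escapes first, then the String.fromCharCode() call) can be applied as plain text rewriting rather than by pasting strings into a browser console, which avoids evaluating any of the attacker's code. The helper below is an added example and is not code from the original post or from the injected script; SAMPLE_SCRIPT is a constructed stand-in for the loader, and the example.invalid domain is a placeholder rather than the domain seen in the investigation.

```javascript
// Added example (not code from the original post): a purely textual
// deobfuscation helper. It never evaluates the script; it only rewrites
// \xNN escapes and String.fromCharCode() calls so the strings become readable.
// SAMPLE_SCRIPT is constructed for this example; example.invalid is a placeholder.

const SAMPLE_SCRIPT = [
  'var s = document["\\x63\\x72\\x65\\x61\\x74\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74"]("\\x73\\x63\\x72\\x69\\x70\\x74");',
  's["\\x73\\x72\\x63"] = String["\\x66\\x72\\x6f\\x6d\\x43\\x68\\x61\\x72\\x43\\x6f\\x64\\x65"](' +
    '104,116,116,112,115,58,47,47,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,' +
    '47,111,110,108,105,110,101,46,106,115);',
].join('\n');

// Step 1: replace every \xNN escape with the character it encodes.
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Step 2: replace String.fromCharCode(n, n, ...) and String["fromCharCode"](n, ...)
// calls whose arguments are all numeric literals with the resulting string literal.
function decodeFromCharCode(src) {
  const call = /String\s*(?:\.\s*fromCharCode|\[\s*(["'])fromCharCode\1\s*\])\s*\(\s*(\d[\d\s,]*)\)/g;
  return src.replace(call, (_, _quote, list) => {
    const codes = list.split(',').map((n) => parseInt(n.trim(), 10)).filter(Number.isInteger);
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

// Step 3: pull out anything that now looks like a URL so it can be compared
// against the origins the site is actually expected to load scripts from.
function extractUrls(src) {
  return Array.from(new Set(src.match(/https?:\/\/[^\s"'<>()]+/g) || []));
}

// Cheap triage indicators: how much of each obfuscation pattern is present.
// fromCharCode is counted after hex decoding, since the name itself is often hex-encoded.
function obfuscationIndicators(raw, hexDecoded) {
  return {
    hexEscapes: (raw.match(/\\x[0-9a-fA-F]{2}/g) || []).length,
    fromCharCodeCalls: (hexDecoded.match(/fromCharCode/g) || []).length,
  };
}

function deobfuscate(src) {
  const hexDecoded = decodeHexEscapes(src);
  const decoded = decodeFromCharCode(hexDecoded);
  return {
    decoded,
    urls: extractUrls(decoded),
    indicators: obfuscationIndicators(src, hexDecoded),
  };
}

// Usage: run with node; prints the readable script and the URLs it references.
const result = deobfuscate(SAMPLE_SCRIPT);
console.log(result.decoded);
console.log('URLs referenced:', result.urls, 'indicators:', result.indicators);
```

Because the rewrite is regex-based it only handles the two literal patterns the post describes; scripts that build strings through further indirection still need a proper AST-based tool, but this is enough to recover the loader URL and the DOM calls without executing anything.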

Next we downloaded the online.js script and found it to be similarly obfuscated. Somewhat bizarrely, this JavaScript file began with some analytics tracking code, presumably so the illegal hacking business owners can understand their market better!

We proceeded to deobfuscate online.js and, following various data and function definitions, found the following code snippet:

[Image: Calls to collectInputs()]

This code ensures that the function named collectInputs() is called once the entire document has loaded, which guarantees that the collectInputs() function has access to the entire web page. This function can be seen below:

[Image: The collectInputs() Function]

The function gets all forms from the current web page and adds an event handler to the submit event. Whenever any of the forms on the web page are submitted, this handler is executed. The submit handler gets all forms from the current web page and generates a series of key-value pairs from all named input fields. This data, containing the name and value of every form field on the page, is then base-64 encoded and submitted to a URL along with the URL of the current web page.
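Both halves of this attack, loading online.js from a foreign domain and posting the captured form data to a foreign URL, are exactly what a Content-Security-Policy header on the victim site restricts. The evaluator below is an added example, not code from the original post or from the victim's site: it implements a subset of CSP source matching ('none', 'self', scheme sources, and host sources with an optional *. prefix, port and path prefix) and shows which requests a simple policy would allow. PAGE_ORIGIN, POLICY and every domain in it are constructed placeholders.

```javascript
// Added example (not code from the original post): a small Content-Security-Policy
// evaluator. The policy, page origin and URLs are constructed placeholders. Only a
// subset of CSP source expressions is implemented; see sourceMatches().

const PAGE_ORIGIN = 'https://www.victim.example';
const POLICY =
  "default-src 'self'; " +
  "script-src 'self' https://cdn.victim.example; " +
  "connect-src 'self'; " +
  "form-action 'self'";

// Fetch directives fall back to default-src when absent; form-action does not.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'connect-src', 'img-src', 'style-src',
  'font-src', 'media-src', 'frame-src', 'object-src',
]);

// "name src src; name src" -> Map(name -> [src, ...])
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.victim.example" -> ".victim.example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit this URL?
function sourceMatches(source, url, pageOrigin) {
  const target = new URL(url);
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return target.origin === new URL(pageOrigin).origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme source, e.g. "https:"
  // host source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(s);
  if (!m) return false; // unsupported expression (nonce, hash, ...): treat as no match
  const [, scheme, host, port, path] = m;
  if (scheme && target.protocol !== scheme + ':') return false;
  if (!hostMatches(host, target.hostname)) return false;
  const targetPort = target.port || (target.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== targetPort) return false;
  if (path && !target.pathname.startsWith(path)) return false; // simplified path matching
  return true;
}

// Would a browser enforcing `header` on a page at `pageOrigin` allow `url` for `directive`?
function cspAllows(header, directive, url, pageOrigin) {
  const directives = parseCsp(header);
  let sources = directives.get(directive);
  if (sources === undefined && FALLS_BACK_TO_DEFAULT.has(directive)) {
    sources = directives.get('default-src');
  }
  if (sources === undefined) return true; // no governing directive: unrestricted
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Usage: the injected loader, the exfiltration request, and a legitimate script.
const checks = [
  ['script-src', 'https://example.invalid/online.js'],
  ['connect-src', 'https://example.invalid/collect'],
  ['form-action', 'https://example.invalid/collect'],
  ['script-src', 'https://www.victim.example/app.js'],
];
for (const [directive, url] of checks) {
  console.log(directive, url, cspAllows(POLICY, directive, url, PAGE_ORIGIN) ? 'allowed' : 'BLOCKED');
}
```

Note that a policy like this only helps if the injected loader cannot also rewrite the policy; since the page's own HTML was being modified, the header must be set server-side and the underlying compromise of the web server still has to be closed. CSP reporting (report-to / report-uri) would additionally have produced a violation report for the first blocked load, which is a useful detection signal for exactly this class of injection.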

Using this script, the hackers were able to capture usernames and passwords of company customers and employees as they submitted the login form. Eventually the hackers captured credentials from employees who had used the same password for their company email accounts and the hackers gained access to company emails and used those accounts to launch further spear-phishing attacks.

At the time of writing, all of the malicious URLs and scripts listed above have been taken offline.
