The first hex-encoded string turned out to be
a1() on lines 1-11 creates a new script element, gives it a unique ID, sets its source to the URL of online.js, then inserts it before the first script element in the document. Lines 13-24 check for a script element with the unique ID and, if it is not found, call the a1() function to inject the online.js script into the document.
Next we downloaded the
We proceeded to deobfuscate online.js and, following various data and function definitions, found the following code snippet:
This code ensures that the function named collectInputs() is called once the entire document has loaded, which in turn ensures that the collectInputs() function has access to the entire web page. This function can be seen below:
The function gets all forms from the current web page and adds an event handler for the submit event. Whenever any form on the web page is submitted, this handler is executed. The submit handler again gets all forms from the current web page and generates a series of key-value pairs from all named input fields. This data, containing the name and value of every form field on the page, is then base64-encoded and submitted to a URL along with the URL of the current web page.
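To triage scripts like the injector and online.js without executing them, here is an added analysis helper (not code from the article or from the attackers): it decodes the \xNN escapes inside string literals and tags the behaviours described above. The sample input, the indicator names and the example.invalid URL are constructed for the example.

```javascript
// Added example (not from the article): decode hex-escaped string literals in a
// script body and report which of the behaviours described in the write-up the
// decoded strings point to (dynamic script insertion, submit hooking, base64
// encoding, exfiltration URL). Pure string processing, runs in Node without a DOM.

// Behaviours to flag, keyed by the decoded text that reveals them (constructed list).
const INDICATORS = [
  { name: "dynamic-script-element", re: /^(createElement|script)$/i },
  { name: "script-source-set",      re: /^src$/i },
  { name: "form-submit-hook",       re: /^(submit|addEventListener|forms)$/i },
  { name: "base64-encoding",        re: /^btoa$/i },
  { name: "external-url",           re: /^https?:\/\//i },
];

// Decode every \xNN escape in the body of one string literal.
function decodeHexEscapes(literal) {
  return literal.replace(/\\x([0-9a-fA-F]{2})/g, (_, hh) =>
    String.fromCharCode(parseInt(hh, 16)));
}

// Extract the bodies of '...' / "..." literals that contain at least one \xNN escape.
function extractHexLiterals(source) {
  const found = [];
  const re = /(['"])((?:\\.|(?!\1)[^\\\n])*?)\1/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    if (/\\x[0-9a-fA-F]{2}/.test(m[2])) found.push(m[2]);
  }
  return found;
}

// Decode all hex-escaped literals in a script and collect the behaviours they reveal.
function triageScript(source) {
  const decoded = extractHexLiterals(source).map(decodeHexEscapes);
  const indicators = new Set();
  for (const s of decoded)
    for (const ind of INDICATORS)
      if (ind.re.test(s)) indicators.add(ind.name);
  return { decoded, indicators: [...indicators].sort() };
}

// Constructed sample in the same obfuscation style as the injector; the URL is a placeholder.
const SAMPLE = [
  'var e=document["\\x63\\x72\\x65\\x61\\x74\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74"]("\\x73\\x63\\x72\\x69\\x70\\x74");',
  'e["\\x73\\x72\\x63"]="\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x65\\x78\\x61\\x6d\\x70\\x6c\\x65\\x2e\\x69\\x6e\\x76\\x61\\x6c\\x69\\x64\\x2f\\x6f\\x6e\\x6c\\x69\\x6e\\x65\\x2e\\x6a\\x73";',
].join("\n");

const report = triageScript(SAMPLE);
console.log(report);
```

Running it on the constructed sample decodes "createElement", "script", "src" and the placeholder URL, and flags dynamic-script-element, script-source-set and external-url.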
Using this script, the hackers were able to capture the usernames and passwords of company customers and employees as they submitted the login form. Eventually the hackers captured credentials from employees who had used the same password for their company email accounts; with those accounts the hackers gained access to company email and launched further spear-phishing attacks.
At the time of writing, all of the malicious URLs and scripts listed above have been taken offline.