Another tactic is to distribute malware by disguising it as a legitimate jQuery plugin. This can be done by modifying an existing plugin or by creating a new one that appears to offer useful functionality, but actually contains malware.
To protect against jQuery malware, it is important to keep all software, including jQuery and any plugins, up to date with the latest security patches. Additionally, it is a good idea to use a reputable antivirus software and to be cautious when downloading and installing plugins or other software from untrusted sources.
- Containment: Once the incident has been identified, steps should be taken to contain the malware and prevent it from spreading further. This can include isolating affected systems, disabling network connections, and shutting down affected services. This also includes identifying and blocking the source of the malware.
- Analysis: Once the malware has been contained, it should be analyzed to determine its capabilities and behaviors. This can include identifying the type of malware, the data it is collecting and exfiltrating, and the systems and networks it has infected.
- Eradication: The next step is to remove the malware from the affected systems. This can be done by manually removing the malicious code or by using specialized malware removal software. Additionally, the system should be scanned to ensure that all malicious code has been removed.
- Recovery: After the malware has been removed, steps should be taken to recover the affected systems and data. This can include restoring backups, reinstalling software, and reconfiguring systems.
- Lessons learned: The final step is to conduct a post-incident review to identify what went wrong and what can be done to prevent similar incidents from happening in the future. This can include updating incident response plans, implementing new security controls, and providing additional training to employees.
It’s also important to keep in mind that incident response is an ongoing process, and organizations should regularly review and update their incident response plans to ensure they are prepared to respond to new types of attacks.
Malicious Code :
Kim used the cyberchef tool to decipher the numbers above.
As illustrated in the above image, the decoded data appears unreadable. Kim , noticed something ! There is a comma between each number.
Now delimiter has set to comma in the from charcode function in cyberchef.
Still no luck , You just see the scrambled data. Its time to change the base number to either smaller or larger. When changing the base from 0 to 37 , Kim found interesting results in Base 10.
Yes now can see the actual payload !!! Hold on !! Look at the numbers again looks like attacker uses double obfuscation. Lets decode it as well.
Above decoded figure shows , domain name https://record[.]findtrustclicks.com/state[.]js?v=2.6.6 , checking the results in Virustotal.
Malicious codes has been eradicated for clients and plugin used by clients has not been updated for a long time which has been the fundamental cause of this incident.
Free exercise for my friendly SOC/ IR audience. while we are investigating this case we found another interesting malicious Jquery decode this !!! Please decode it and let me known the results here or in our LinkedIn page.
Happy Hunting !!!