Why Is an Australian Footballer Collecting My Passwords? The Various Ways Malicious JavaScript Can Steal Your Secrets

Unit 42 researchers analyze malicious JavaScript used on phishing and skimming pages to steal passwords, credit card data, and other secrets, and to exfiltrate them through chat and survey APIs. The report details evasion tactics such as obfuscation, unusual DOM interactions, and selective payload detonation, along with practical defenses. #Unit42 #PaloAltoNetworks #JavaScript #Exfiltration #Skimmers #Phishing #ChatAPIs #SurveyAPIs #AustralianFootballer #AdvancedWildFire #AUF #CortexXDR

Keypoints

  • Malicious JavaScript samples exfiltrate passwords and other sensitive data via compromised sites, including skimming and phishing pages.
  • Attackers abuse chat and survey REST APIs to exfiltrate credential data to attacker-controlled endpoints.
  • Evasion techniques include obfuscation, dynamic HTML generation, and multi-layer unpacking, all of which hinder static and dynamic analysis.
  • Some payloads exfiltrate through unusual DOM elements (e.g., img, script, object) and encode the destination domain to hide the exfiltration.
  • Malware can refuse to detonate in a sandbox or when fetched by a security crawler, complicating dynamic analysis and detection.
  • JavaScript taint-tracking and mixed static/dynamic analysis help reveal information flows and exfiltration paths.
  • Indicators of compromise include multiple SHA-256 hashes tied to the referenced samples and documented exfiltration endpoints.

MITRE Techniques

  • [T1566] Phishing – Attackers deploy traditional phishing pages and skimmers to collect credentials from victims on compromised hosting and via shared endpoints. Quote: “In traditional phishing cases… detection of the credential collection point” and “skimming pages are hosted exactly where they are supposed to be”.
  • [T1567.002] Exfiltration to Web Service – Data stolen is sent to attacker-controlled endpoints via chat platform REST APIs and other public APIs. Quote: “This sample uses a chat platform’s REST API to exfiltrate the data after it is stolen.”
  • [T1027] Obfuscated/Compressed Files and Information – Use of obfuscation, multi-layer unpackers, and avoidance of static/dynamic analysis. Quote: “obfuscation is also a well-known technique… continue to allow information stealers to evade detection.”
  • [T1059.007] JavaScript – Dynamic code execution for payload delivery, including use of eval to obfuscate payloads. Quote: “threat authors will execute code with eval, which is a dynamic code generation function that attackers can use to obfuscate the true payload.”
  • [T1497] Virtualization/Sandbox Evasion – Malware checks for execution environment and anti-analysis artifacts, refusing to detonate when under analysis or by security crawlers. Quote: “checks for artifacts in the execution environment” and “refuse to detonate if it is under analysis by a security crawler.”

Indicators of Compromise

  • [Hash] Malware sample hashes – bf3ab10a5d37fee855a9336669839ce6ad3862ad32f97207d4e959faaba0a3ed, 13429eebb74575523b242e16b51eacf287a351c6de04557ec3cc343812aae0cb, and 4 more hashes

Read more: https://unit42.paloaltonetworks.com/malicious-javascript-steals-sensitive-data/