kdadr.blogg.se

Malwarebytes premium reddit

The IRS-authorized electronic filing service for tax returns has been caught serving a couple of malicious JavaScript (JS) files these past few weeks, according to several security researchers and corroborated by BleepingComputer. As of this writing, the site is clean. Note this security incident only concerns that site, not the IRS' e-file infrastructure and other similar-sounding domains.

The incident first arose as a possibility that something might be up with the website. A Reddit user encountered a fake "Network Error" page when accessing it. The page, as shown below, informed visitors their browser "uses an unsupported protocol," and that they need to click the link it provided to them to update their browser, a known tactic often used by scammers.

This fake error message used to come up when visiting the domain. Uncharacteristically, it told visitors to update their browsers. This made Redditors suspect the domain was hijacked. (Source: /u/SaltyPotter, original image cropped to fit)

Known figures in cybersecurity, such as MalwareHunterTeam and Johannes Ullrich of SANS, caught wind of the potential site compromise and dug in, with each writing their analysis. According to both MalwareHunterTeam and Ullrich, a malformed JS file named popper.js contains encrypted malicious code, meaning it cannot be read plainly. Its purpose is to load another JS script called update.js hosted on an Amazon Web Services (AWS) site. update.js contains code used to display the fake error page. Popper.js is a legitimate file modified to do malicious tasks. Because almost every page within the eForm website loads it, the malicious activities we mentioned are triggered every time a user visits any site page.

Update.js also contains two hard-coded download URLs, both served on the malicious domain infoamanewonliagonline. The two payloads are for two specific browsers visitors typically use, Chrome and Firefox. "So different browsers get different payloads," says Ullrich. Chrome users get a payload named "update.exe" with a valid signature from Sichuan Niurui Science and Technology. Firefox users get "installer.exe." There is no indication if browsers based on Chromium (where Chrome is based) or Quantum (where Firefox is based) could also receive the payloads. BleepingComputer has independently confirmed the payloads connect to an IP address hosted by Alibaba in China. The same IP also hosts the illicit domain the payloads were downloaded from. These executables were written in Python. As of Wednesday, popper.js is free of malicious code. Malwarebytes detects them as .

Once users execute the payload, a PHP script runs quietly in the background. BleepingComputer's analysis shows that every 10 seconds, the backdoor script connects to a remote command and control (C2) server to receive one or more tasks to perform on the affected system.






