Why has injecting malicious code into jQuery become so trendy?
An example of typical non-malicious jQuery code:
In addition, developers usually use jQuery libraries as a plug-and-play product, which doesn't require maintenance apart from library updates.
Because jQuery libraries are minified and infrequently reviewed by those using them, jQuery becomes a good place to hide malicious code. Such malicious code usually attempts to deliver malware to as many users as possible.
Here's an example that shows hidden malicious code in an infected variant of the jQuery library:
To give you some perspective of the scope of this trend, below is a snippet from the list of variants of the jQuery libraries that were injected with malicious code within the last 24 hours of us writing this post:
While inspecting some of the infected libraries, we found several campaigns that chose the approach of fooling less tech-savvy users into installing fake software updates. This approach eliminates the "headache" associated with the "exploit kit approach," which is based on exploiting vulnerabilities in the environment of the users.
Here's a fake Adobe Flash Player update page coming from a malicious campaign injected into a jQuery library:
After a quick inspection of the downloaded malware, we saw that it was developed using AutoIt which is a scripting language designed for automating the Windows GUI. The key parts of this compiled AutoIt script are:
- Send the victim's IP address to the C&C.
- Download additional executable, "flashplayer2.exe"
Flashplayer2.exe opens a LISTENING port on the machine providing a remote control capability for the C&C.
We hear a lot about various techniques and vulnerabilities used to inject malicious code into webpages. Sometimes, for the attackers, the focus is not on how to get the code there, but how to hide it in order to keep it there for as long as possible. It seems that as of late injecting malicious code into jQuery is one of attackers' favorite methods for doing so.
Make sure every piece of code in your web application is frequently reviewed/scanned, including scripts/libraries and plug-and-play product extensions. This can be achieved by using a file system monitoring tool that ensures no changes occur.
Enable automatic updates for every software or plugin you choose to use, rather than having your browser prompting you to install the updates. In addition, always verify your version with the product vendor's website –as for Adobe Flash Player you can use this link.
Trustwave's Secure Web Gateway engines blocks this attack out-of-the-box without any additional updates.
This blog was co-authored by Rami Kogan and Ben Hayak.