Here’s a stealer JavaScript injected into a website to steal users’ information. It is embedded in an HTML file.
The script is loaded on this website: "nocturnamodels(.)com/en/"
But it won’t be injected just by visiting this page.
To reproduce the detection, visit the website, add an item to the cart and then click on proceed to checkout. When it is clicked, a script is injected into the webpage which is malicious. The script is in the HTML named “pedido”. Avast at the moment does not detect it.
I’m attaching a screenshot. The last line in the file shown here is the obfuscated malicious code.
Here’s a VirusTotal link of the HTML. It’s already detected by many other AV products. I also tested in a VM and Bitdefender, ESET, Kaspersky are able to successfully block it.
The script may vary slightly each time, so the hash may not always be the same. So a hash-based detection will not be recommended, I think.
The script is obfuscated. Create a heuristic detection for it if possible to detect similar scripts in the future.
It has to be detected on the browser. It only works on browser level. Any personal information like credit card info put on the page will get stolen by the attacker. An Avast analyst needs to reproduce the issue on their end like I explained above and take proper measures to block it.
You can find more details about this here on the ESET forum:
Note: If any Avast employee or mods have a quicker access to the analysts, then please send this to them quickly to protect potential victims using Avast.
I already submitted this twice to Avast. Once I sent the JavaScript I extracted from the HTML file, and also sent a de-obfuscated version of the script with it. Avast added file-based detection for them. Another time I sent the HTML file which has the script embedded in it and got a reply that a detection has been added, but in reality there is no detection. So maybe they misunderstood what I explained.
So I’m sharing here in details so that it’s easier to understand, since Avast still does not detect it.
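The post above argues that a hash-based signature cannot catch a script whose bytes change on every checkout load, and asks for a heuristic instead. The following Python is an added example (not code from the post or from the site) that makes that point concrete on two constructed, inert samples: their raw SHA-256 differs, but a structural fingerprint that collapses generated identifiers and string literals is identical, and a small indicator score flags both. The sample scripts and the indicator list are this example’s own assumptions.

```python
import hashlib
import re

# Two constructed variants of the same skimmer-style obfuscated script (inert:
# the base64 string is just the word "placeholder"). Identifier names and
# string-array order differ per visit, as the thread describes, so raw hashes differ.
VARIANT_A = "var _0x3f1a=['cc_number','cvv'];(function(){eval(atob('cGxhY2Vob2xkZXI='))})();"
VARIANT_B = "var _0xb7e2=['cvv','cc_number'];(function(){eval(atob('cGxhY2Vob2xkZXI='))})();"

def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def normalize(script: str) -> str:
    """Structural fingerprint: drop whitespace, collapse obfuscator-style
    identifiers and string literal contents so per-visit renaming is ignored."""
    s = re.sub(r"\s+", "", script)
    s = re.sub(r"_0x[0-9a-fA-F]+", "ID", s)       # generated names -> ID
    s = re.sub(r"'[^']*'|\"[^\"]*\"", "STR", s)  # literal contents -> STR
    return s

def fingerprint(script: str) -> str:
    return sha256(normalize(script))

# Indicators assumed for this example; the post only says the script is obfuscated.
INDICATORS = [
    r"_0x[0-9a-fA-F]{3,}",                # obfuscator-generated identifiers
    r"\beval\s*\(",                       # dynamic code execution
    r"\batob\s*\(",                       # base64-decoded payload
    r"\\x[0-9a-fA-F]{2}",                 # hex-escaped string pieces
    r"String\.fromCharCode",              # char-code string building
    r"\bcc_number\b|\bcvv\b|cardnumber",  # payment field names
]

def obfuscation_score(script: str) -> int:
    """Number of indicators present; a threshold on this, not a hash, is what
    a heuristic detection would key on."""
    return sum(1 for pattern in INDICATORS if re.search(pattern, script))

def same_raw_hash(a: str, b: str) -> bool:
    return sha256(a) == sha256(b)

def same_fingerprint(a: str, b: str) -> bool:
    return fingerprint(a) == fingerprint(b)

if __name__ == "__main__":
    print("raw hash equal:", same_raw_hash(VARIANT_A, VARIANT_B))      # False
    print("fingerprint equal:", same_fingerprint(VARIANT_A, VARIANT_B))  # True
    print("score A/B:", obfuscation_score(VARIANT_A), obfuscation_score(VARIANT_B))
```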
My bad. I’ve fixed it. Simply visiting the site is safe but yeah, I should not share a clickable link.
Yeah, it was submitted on the form you posted. Normal submission didn’t work in favor of adding detection. So I used the false positive form to submit and also got positive replies both times as I explained above. But Avast doesn’t detect it yet.
It’s not about blacklisting the website, it’s a JavaScript that is injected in the checkout page if items are added into the cart. I explained it in my post and even posted a VirusTotal link.
As I said, the host itself is not malicious or blacklisted by anyone. Once you do what I said about reproducing, the script will be injected into the page. The VirusTotal link in my post is the HTML file with embedded JavaScript in it which is detected by products like BD, Kasper, ESET. I tested each product first hand in my VM.
Retire.js

bootstrap 3.2.0
Found in hxtps://nocturnamodels.com/themes/theme1206_version2/cache/v_40_ce50539bf6f2daecd7f59864643974c7.js
Vulnerability info:
  Medium  28236  XSS in data-template, data-content and data-title properties of tooltip/popover  CVE-2019-8331
  Medium  20184  XSS in data-target property of scrollspy  CVE-2018-14041
  Medium  20184  XSS in collapse data-parent attribute  CVE-2018-14040
  Medium  20184  XSS in data-container property of tooltip  CVE-2018-14042
  Medium         XSS is possible in the data-target attribute  CVE-2016-10735

jquery-migrate 1.2.1
Found in hxtps://nocturnamodels.com/themes/theme1206_version2/cache/v_40_ce50539bf6f2daecd7f59864643974c7.js
Vulnerability info:
  Medium  11290  Selector interpreted as HTML

jquery 1.11.0
Found in hxtps://nocturnamodels.com/themes/theme1206_version2/cache/v_40_ce50539bf6f2daecd7f59864643974c7.js
Vulnerability info:
  Medium  2432   3rd party CORS request may execute  CVE-2015-9251
  Medium  11974  parseHTML() executes scripts in event handlers  CVE-2015-9251
  Medium         jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution  CVE-2019-11358
  Medium         Regex in its jQuery.htmlPrefilter sometimes may introduce XSS  CVE-2020-11022
  Medium         Regex in its jQuery.htmlPrefilter sometimes may introduce XSS  CVE-2020-11023

nextjs 10.2.3
Found in hxtps://platform.twitter.com/_next/static/chunks/modules.20f98d7498a59035a762.js
Vulnerability info:
  Medium  Improper CSP in Image Optimization API  CVE-2022-23646
  High    Unexpected server crash in Next.js versions  CVE-2021-43803
  Medium  XSS in Image Optimization API  CVE-2021-39178
  Medium  Open Redirect in Next.js  CVE-2021-37699
Avast has hugely disappointed me at this. I submitted this to Avast 7-8 times since my post here and got a reply most of the time.
Most of the replies were that a detection has been added. One time I got a weird reply saying that the script isn’t loaded by the site anymore, but if it is, it will be detected by Avast. The last statement is absolutely incorrect. I checked when I got that reply and checked again tonight a couple of hours ago. It’s still present there.
The detections Avast created were all just file hash-based signatures, which is useless here. I told them every time not to do that but that’s what they did anyway. The hash being different each time means Avast can’t do anything to protect users from this. I tried putting fake credit card info on that site, but there was no peep from Avast. Extremely disappointing. Bitdefender, ESET, Kaspersky remain the 3 products that can protect users from this one.
Good find. Things like this are reported on the ESET forum a lot. In my experience, they are the best at detecting suspicious JavaScript, sometimes a bit too aggressive. You may wanna keep an eye on their “Malware Finding and Cleaning” section of the forum to learn more about similar things.
To this day, Avast can’t detect this. The malicious script that is injected is not always the same. So Avast has to emulate it by their script analyzer to detect it on the browser. Does Avast not emulate scripts embedded into a website’s HTML? I read an old Avast tech doc which implied that they can. Then how come they can’t detect it even after my multiple submissions?
If someone here can forward this to the Avast team via support or via other official/unofficial Avast mod then that would be ideal.