To decrypt it, we need to tweak the code a little bit so that the evil script reveals its true nature - as opposed to silently executing the payload. Some of these techniques have already been discussed in this blog. The threat is using a mixture of Codebook, XOR and substitution ciphering as well as the traditional character representation tricks to hide the malicious content. Our sample today is a 6KB obfuscated JavaScript that by the end turns into a single iframe pointing to a malicious site.
In this blog we will analyze a sample with 5 different obfuscation layers using a few tricks to fool automated de-obfuscation engines. To avoid detection, they are using more and more complex obfuscation techniques.
Most compromised HTML documents contain a JavaScript that generates the malicious content dynamically to make it less obvious what it is doing. Nowadays infected Web pages are probably the biggest threat to the IT sector.
0 kommentar(er)
