Reflow JavaScript backdoor

After investigating a compromised device, researchers were able to extract some scripts left behind by the attackers. These scripts are a Windows backdoor written in JavaScript and some C&C backend instructions. These were located in the running process named “wscript.exe”, which is a legitimate Windows program.

At first, researchers did not find anything about the attacker’s code, but more in-depth searches turned up three hits on matching files that had been deleted back in December 2017.
It turned out that the same code is present in four main scripts, three PHP files and one JavaScript file, located on a web server. The web server may be attacker-controlled or compromised. The main script, index.php, contains an SVG animation that runs every time a visitor loads the page. This SVG animation script is nothing more than the malicious “reflow” JavaScript file, disguised as a PNG file, that is sent to the victim PC to drop the backdoor script.

It is essential for every user and company to add extra cybersecurity measures. Every user should run a solid cybersecurity solution such as an antivirus for Windows or an antivirus for Mac, depending on which OS their device is running. Every company should also go a step further and hire a cybersecurity firm that will deliberately attack the company’s network to reveal the most destructive and dangerous flaws.

This kind of deliberate attack is carried out through specialized cybersecurity tests such as penetration tests and ethical hacking tests.

First, the malicious script uses WMI to gather system information and then sends that information back to the C&C as part of its authentication method. The script then runs an endless loop waiting for commands such as upload, download, and execute.
This infinite loop contains multiple functions. The “mAuth” function generates short random strings, concatenates them with the system info, Base64-encodes the result, and passes it to the C&C in a cookie. These random strings are essential: they are used as markers that delimit the instructions contained between them.

Data is transmitted back to the C&C using AJAX. There’s a function called “FillHeader” that populates the HTTP header.
Base64-decoding the cookie value yields the second line; Base64-decoding the string after the second caret a second time reveals the system info.
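As an added example for log triage (not code from the original analysis or from the attackers’ scripts), the following Python reverses the two decode steps described above and recovers an instruction framed by the markers. The decoded layout “<marker1>^<marker2>^<base64(system info)>”, the marker framing of instructions, and all sample values are assumptions constructed for this illustration.

```python
import base64
import binascii

# Constructed sample values (not from the incident). The decoded-cookie layout
# "<marker1>^<marker2>^<base64(system info)>" is an assumption based on the
# article's wording ("the string after the second caret").
SAMPLE_SYSTEM_INFO = "WIN-EXAMPLE|analyst|Microsoft Windows 10 Pro|x64"
SAMPLE_MARKERS = ("k3Jd9", "qP7Lm")
SAMPLE_COOKIE = base64.b64encode(
    ("^".join(SAMPLE_MARKERS) + "^"
     + base64.b64encode(SAMPLE_SYSTEM_INFO.encode()).decode()).encode()
).decode()


def decode_reflow_cookie(cookie_value):
    """Outer Base64 decode, split on carets, inner decode of the third field."""
    outer = base64.b64decode(cookie_value, validate=True).decode("utf-8", "replace")
    parts = outer.split("^")
    if len(parts) < 3:
        raise ValueError("decoded cookie has fewer than two carets")
    system_info = base64.b64decode(parts[2], validate=True).decode("utf-8", "replace")
    return {"markers": (parts[0], parts[1]), "system_info": system_info}


def is_reflow_cookie(cookie_value):
    """Triage helper for proxy logs: True only if both decode steps succeed
    and the layout matches; malformed or unrelated cookies yield False."""
    try:
        decode_reflow_cookie(cookie_value)
        return True
    except (ValueError, binascii.Error):
        return False


def extract_instruction(response_body, markers):
    """Recover the instruction a captured C&C response carried between the two
    random markers (assumed framing), or None if the framing is absent."""
    start, end = markers
    begin = response_body.find(start)
    if begin < 0:
        return None
    begin += len(start)
    stop = response_body.find(end, begin)
    if stop < 0:
        return None
    return response_body[begin:stop]
```

Run `decode_reflow_cookie` over the cookie field of each proxy log line to pull the reported system info, and `extract_instruction` over the matching response body to see which command the victim received.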
One of the PHP scripts is located inside a template that has been modified with HTML code to make the page look legitimate. The script is renamed and referenced by the index.php script. This PHP script holds all the functions responsible for uploading and downloading files and for creating activity logs. The log files record the victims’ IP addresses, which files have been uploaded and downloaded, session information, and so on.

The “Authentication” function works as follows: it reads the cookie value sent by the victim, extracts the system info, and defines the variables used to build the log filenames. The victim’s username and computer name are MD5-hashed and used as part of the log filenames.

The last PHP script is used to interact with and send commands to the victim PCs.
The available commands are limited but are more than enough to upload additional, more powerful tools to the victim PC and gain further access into their network.
Another set of commands built into this script serves as a protective measure for the attackers: if they are about to be discovered, they can delete all the relevant log files.

Because we want you to stay safe against threats like this, we recommend running a robust cybersecurity solution on your devices, such as an antivirus for Windows or an antivirus for Mac, depending on which OS your machines run. We also suggest that every company hire a specialized cybersecurity firm to perform tests such as penetration tests and ethical hacking tests on the company’s network to reveal any flaws that are present.
For companies that exist 100% online, we recommend using security-hardened web hosting services.