
Vendor News

JavaScript sniffers' new tricks: Analysis of the E1RB JS sniffer family

29 March 2021

In January 2021, Group-IB analysts came across a new JS sniffer family. While analyzing two infected websites, they found two similar samples that used unusual anti-detection techniques. Both samples had a unique hash for each request: when a victim visited an infected online store, the JS sniffer injector loaded the main JS sniffer script, and each copy served was a unique sample with unique obfuscated data and unique names for all variables and functions.

In one of the samples, the threat actor used time-based obfuscation: part of the key in the obfuscation mechanism was the minutes value of the time at which the attacker's website, which hosted the JS sniffer payload, received the request. After analyzing the code and studying the deobfuscation logic, Group-IB analysts found that both samples were similar and differed only in the gates used to collect stolen credentials. Both analyzed samples belong to the JS sniffer family that Group-IB named E1RB. Judging from the code specifics, this JS sniffer family is based on the Grelos JS sniffer family, which is used by many cybercriminal groups.
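Because every copy of the sniffer served to a visitor carries different variable names and embedded data, a per-file hash never matches twice, so blocklists of file hashes cannot catch it. One defensive answer is to hash the structure rather than the bytes. The example below is added here and is not Group-IB's code or the sniffer's code: it tokenizes JavaScript, replaces identifiers with numbered placeholders and literals with type markers, and hashes the result, so two constructed loader snippets that differ only in names and data get the same fingerprint. The two sample strings are constructed stand-ins, not real E1RB samples.

```python
import hashlib
import re

# One regex that splits JavaScript source into the token classes we care about.
# Named groups let m.lastgroup tell us which class matched.
TOKEN_RE = re.compile(r"""
    (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')   # string literal
  | (?P<number>\d+(?:\.\d+)?)                        # numeric literal
  | (?P<ident>[A-Za-z_$][A-Za-z0-9_$]*)              # identifier or keyword
  | (?P<ws>\s+)                                      # whitespace (dropped)
  | (?P<punct>.)                                     # any other single char
""", re.VERBOSE | re.DOTALL)

# Keywords and a few well-known globals keep their spelling so control flow
# and DOM access patterns survive normalization.
KEYWORDS = {"var", "let", "const", "function", "return", "if", "else", "new",
            "for", "while", "this", "true", "false", "null", "document", "window"}

def normalize(js: str) -> str:
    """Rewrite source into a shape that ignores the per-request differences:
    identifiers become ID<n> in order of first appearance, string literals
    become STR, numbers become NUM, whitespace is dropped."""
    names = {}
    out = []
    for m in TOKEN_RE.finditer(js):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "string":
            out.append("STR")
        elif kind == "number":
            out.append("NUM")
        elif kind == "ident" and text not in KEYWORDS:
            out.append(names.setdefault(text, f"ID{len(names)}"))
        else:
            out.append(text)
    return " ".join(out)

def raw_hash(js: str) -> str:
    return hashlib.sha256(js.encode()).hexdigest()

def fingerprint(js: str) -> str:
    """Structural hash: identical for samples that differ only in names/data."""
    return hashlib.sha256(normalize(js).encode()).hexdigest()

# Constructed stand-ins for two copies of the same loader served to two
# visitors: same logic, but renamed identifiers and different embedded data.
SAMPLE_A = 'var q8Ks="aGVsbG8=";var t3=17;function dZx(s,k){return atob(s)+k;}dZx(q8Ks,t3);'
SAMPLE_B = 'var mP2a = "d29ybGQ="; var hh = 41; function Lo9(s, k) { return atob(s) + k; } Lo9(mP2a, hh);'
```

`raw_hash(SAMPLE_A)` and `raw_hash(SAMPLE_B)` differ, while `fingerprint()` returns the same value for both; keying detections on that structural fingerprint lets a defender cluster per-request variants that a byte hash would treat as unrelated.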