If you look at the malicious code above, you will find many malicious JAR files loaded through applets, followed by a large chunk of random text inside the ‘div’ tag, which is hidden. If someone visits this webpage, he/she will only see text labeled “Loading….”. Meanwhile, the malicious code is downloading the various JAR files and may additionally download other malicious files. An interesting fact about this code comes from the random text inside the ‘div’ tag. Initially, the purpose of the random text was unclear. I later identified another example of code using exactly the same ‘div’ tag. At that point I assumed that it wasn’t entirely random afterall. Let’s open the source code of the “js.php” file and take a look:
That’s it for now.