Monday, March 4, 2024

Hackers Inject Weaponized JavaScript (JS) on 51,000 Websites

Researchers from Unit 42 have been monitoring a widespread campaign of harmful JavaScript (JS) injections. The campaign aims to redirect unsuspecting victims to dangerous content, including adware and fraudulent pages.

Websites continue to be infected by this threat in 2023, as it was active throughout 2022. The malicious JS code was discovered on over 51,000 websites, with several hundred appearing in Tranco’s top 1 million ranked websites.

The potential impact of this campaign is significant, as the presence of affected websites in Tranco suggests a widespread reach.

The campaign’s complexity lies in its multi-stage injection process, which precedes redirecting harmful web pages as an additional means of evading detection, obfuscation, and benign append attacks were employed.

Impact of the campaign on user

Experts have identified multiple versions of a campaign involving malicious JS code injection into websites by threat actors. During the year 2020, the campaign was observed for the first time.

170,000 URLs and 51,000 hostnames have been identified as part of this campaign since its inception in 2022.

A peak of over 4,000 daily URLs was generated as a result of this campaign between May and August 2022. 

The impact of this campaign has been substantial, with hundreds of infected websites appearing in Tranco’s top one million ranked sites, indicating a potentially wide reach among internet users.

In January 2023, approximately 240,000 website sessions were prevented across 14,773 devices due to blocking measures taken against these websites.

Technical analysis

A malicious payload was hidden in the injected JS code, which was obfuscated to bypass detection and remain undetected. A malicious JS is loaded from a URL obscured by the obfuscated code. 

As part of the code, the malicious JS is dynamically added to the DOM structure, which is also included in the code.

On certain websites, obfuscated JS snippets have been found to be injected into commonly used utility JS files, as per observations. Appending malicious code to extensive sections of benign code, also called a benign append attack, is a common tactic malware authors employ.

It can be used by malware authors to avoid detection by security crawlers and remain undetected. In each JS code snippet, the injected JS code appends external malicious JS code through DOM manipulation.

A malicious payload can be changed in this manner, providing the attacker greater flexibility. In its more recent version, this campaign injects malicious JS code into a website for malicious purposes.

Upon executing the final payload, users are redirected to various websites before reaching a destination webpage, often consisting of adware or a fraudulent page.

This page displays false information that may deceive individuals into granting permission for a malicious website to send browser notifications under the control of an attacker.

The researchers at Unit 42 believe that many websites are susceptible to security breaches due to vulnerabilities in one or more CMS plugins.

The researchers at Sucuri have discovered that exactly the same technique was used to exploit CMS plugins in a similar campaign. The threat actors responsible for creating malware have produced multiple variations of the harmful JavaScript code they injected into websites during this campaign.

Detecting different variants of the same attack is a robust characteristic of deep learning techniques often used to detect intrusions.

In order to prevent malicious JS injections, deep learning techniques could be applied to increase the detection rate.

Searching to secure your APIs? – Try Free API Penetration Testing


Latest articles

US Court Orders NSO Group to Handover Code for Spyware, Pegasus to WhatsApp

Meta, the company that owns WhatsApp, filed a lawsuit against NSO Group in 2019....

New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

Threat actors employ phishing scams to trick individuals into giving away important details like...

U.S. Charged Iranian Hacker, Rewards up to $10 Million

The United States Department of Justice (DoJ) has charged an Iranian national, Alireza Shafie...

Huge Surge in Ransomware-as-a-Service Attacks targeting Middle East & Africa

The Middle East and Africa (MEA) region has witnessed a surge in ransomware-as-a-service (RaaS)...

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles