Security researchers at Unit 42 have discovered an ongoing JavaScript injection campaign that has infected over 51,000 websites.
Victims are redirected to malicious content such as adware and scam pages, with the attackers using obfuscation and "benign append" attacks (appending their code to large, legitimate files) to bypass detection.
The campaign is multifaceted and performs multiple-step injections before redirecting to malicious pages. The attackers use various techniques to evade detection, including appending code to large benign files, multistep injections, and obfuscation.
The researchers estimate that the campaign has impacted a large number of people since hundreds of infected websites were ranked among Tranco’s top million websites. The first instance of the campaign was observed in 2020, and the latest variants were tracked between January 2022 and 2023. The malware has been detected on approximately 170,000 URLs from 51,000 hostnames since the beginning of 2022, with the campaign peaking between May and August 2022, when researchers spotted an average of 4,000 daily URLs.
The researchers suspect that a large number of websites may have been compromised due to vulnerable content management system plugins.
Around three-fourths of the 51,000 exploited websites were using a popular, unnamed CMS.
The injected malicious JS code was found on the homepage of more than half of the detected websites. A common tactic was to inject the code into frequently used JS filenames that are likely to be loaded by the homepages of compromised websites.
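The "benign append" technique and the targeting of commonly loaded JS files described above lend themselves to a simple integrity check on the defender's side. The following is an added example, not code from the Unit 42 report: it assumes a known-good copy of each served library is available and uses a constructed, heuristic list of obfuscation indicators.

```python
"""Added example: flag 'benign append' JS injections. Assumptions (not from the
Unit 42 report): a known-good copy of each served library is available, and the
indicator list below is a constructed heuristic."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Name -> regex for constructs that commonly appear in obfuscated injected JS.
OBFUSCATION_INDICATORS = {
    "eval": r"\beval\s*\(",
    "unescape": r"\bunescape\s*\(",
    "fromCharCode": r"String\.fromCharCode",
    "document.write": r"document\.write\s*\(",
    "hex-escape-run": r"(?:\\x[0-9a-fA-F]{2}){8,}",  # long runs of \xNN escapes
}

@dataclass
class Finding:
    path: str
    appended_bytes: int
    indicators: List[str] = field(default_factory=list)

def appended_tail(known_good: str, served: str) -> Optional[str]:
    """Code appended after an unmodified known-good file, else None. A file that
    does not start with the known-good bytes was edited elsewhere and needs a diff."""
    if not served.startswith(known_good):
        return None
    tail = served[len(known_good):].strip()
    return tail or None

def obfuscation_indicators(code: str) -> List[str]:
    """Names of the heuristic patterns present in the code."""
    return [name for name, rx in OBFUSCATION_INDICATORS.items() if re.search(rx, code)]

def scan_file(path: str, known_good: str, served: str) -> Optional[Finding]:
    """Finding when the served content is known_good plus an appended tail."""
    tail = appended_tail(known_good, served)
    if tail is None:
        return None
    return Finding(path, len(tail.encode()), obfuscation_indicators(tail))

# Constructed sample: a tiny stand-in for a large benign library, plus a served
# copy with an obfuscated payload appended at the end.
KNOWN_GOOD = ("/* constructed stand-in for a benign library */\n"
              "function $(s) { return document.querySelector(s); }\n")
APPENDED = ("eval(unescape('%76%61%72%20%78%3d%31'));\n"
            "document.write(String.fromCharCode(60,115,99,114,105,112,116,62));\n")
SERVED = KNOWN_GOOD + APPENDED
```

Run `scan_file("assets/js/lib.js", KNOWN_GOOD, SERVED)` to see a Finding listing the appended size and which indicators fired; an unmodified file returns None.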
The attackers’ ultimate goal appears to be to redirect victims to scam pages, mostly masquerading as a well-known video-sharing platform, or deceptive content that tricks victims into allowing an attacker-controlled website to send browser notifications. The researchers blocked around 240,000 sessions from these websites across 14,773 devices in January 2023 alone.