Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month

Jun 13, 2025 | Ravie Lakshmanan | Web Security / Network Security

Cybersecurity researchers have uncovered a widespread campaign compromising legitimate websites with malicious JavaScript injections.

The injected code, obfuscated using JSFuck, hides its true purpose, hindering analysis.

The campaign has infected over 269,000 web pages between March and April, with a significant spike in April.

The injected code redirects victims to malicious URLs if the referrer is a search engine, delivering malware, exploits, and malvertising.

Further analysis has revealed the use of JSFireTruck obfuscation in injected code to redirect victims to malicious content.
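For site owners checking their own pages for this kind of injection, the following added example (not from the original article or the researchers) flags inline scripts that contain long runs of the JSFuck character set, even when the run is appended to otherwise legitimate code. The alphabet `[]()!+`, the thresholds, and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
# Assumption: the classic JSFuck alphabet. The article does not list the
# campaign's exact character set; adjust it to the samples you actually see.
JSFUCK_ALPHABET = frozenset("[]()!+")
MIN_RUN, MIN_RATIO = 200, 0.6  # illustrative thresholds: run length, alphabet share

class ScriptCollector(HTMLParser):
    """Collects the text of every inline <script> element."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append("")
            self._open = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False
    def handle_data(self, data):
        if self._open:
            self.scripts[-1] += data

def longest_run(text, alphabet=JSFUCK_ALPHABET):
    """Longest run of alphabet characters; whitespace does not break a run."""
    best = cur = 0
    for ch in text:
        if ch in alphabet:
            cur += 1
            best = max(best, cur)
        elif not ch.isspace():
            cur = 0
    return best

def scan_html(html, alphabet=JSFUCK_ALPHABET):
    """Return one finding per inline script that looks JSFuck-obfuscated."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for index, body in enumerate(collector.scripts):
        chars = [c for c in body if not c.isspace()]
        ratio = sum(c in alphabet for c in chars) / len(chars) if chars else 0.0
        run = longest_run(body, alphabet)
        if run >= MIN_RUN or (ratio >= MIN_RATIO and len(chars) >= MIN_RUN):
            findings.append({"script": index, "run": run, "ratio": round(ratio, 2)})
    return findings

# Constructed sample: a benign script, then benign code with a harmless JSFuck-style run appended.
BLOB = "(![]+[])[+[]]+" * 40
SAMPLE = "<script>var n = [1, 2];</script><script>" + "var t = document.title;" * 40 + BLOB + "</script>"
```

The second script in `SAMPLE` is caught by run length alone, since the surrounding legitimate code keeps its overall alphabet ratio below the threshold.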

Additionally, a new Traffic Distribution Service named HelloTDS has been introduced to conditionally redirect visitors to various malicious pages.

The HelloTDS infrastructure employs sophisticated fingerprinting techniques to selectively target victims and serve malicious content.

Attack chains orchestrated by HelloTDS have been found to serve fake CAPTCHA pages that trick users into running malicious code.

HelloTDS uses domains under top-level domains such as .top, .shop, and .com to host JavaScript code and trigger redirections based on user characteristics.

This infrastructure demonstrates attackers’ evolving tactics to evade detection and target victims with precision.
