- The researchers found more than 35,000 compromised websites
- The sites carried malicious code that hijacked the visitor's browser window
- Visitors were redirected to casino landing pages
More than 35,000 websites have been compromised in a major hacking campaign that redirected visitors to malicious pages, and possibly served them malware, experts have warned.
A report by cybersecurity researchers at c/side did not identify the attackers, beyond saying that they could be linked to the Megalayer exploit.
Nor did it explain how the threat actors managed to compromise these tens of thousands of websites, but once the attackers had access, they used it to inject a malicious script into each of the sites.
Hiding from researchers
“Once the script is loaded, the user’s browser window is completely hijacked, often redirecting them to pages that promote a Chinese gambling (or casino) platform,” the researchers explained.
The attackers are most likely Chinese, since the activity originates from regions where Mandarin is common, and the final landing pages carry gambling content under the Kaiyun brand.
The tens of thousands of compromised websites served several variants of randomly selected gambling landing pages. Some IP addresses and regions were instead served a static page stating that access is blocked. The researchers believe this is meant to stop security researchers from discovering the attack.
c/side believes the campaign is related to the Megalayer exploit, which is known for distributing Chinese-language malware and shares the same domain patterns and the same obfuscation tactics.
To protect websites against these exploits, c/side advises IT teams to audit their source code and to block the malicious domains, or add firewall rules for zuizhongjs[.]com, p11vt3[.]vip and their associated subdomains. Teams should also monitor logs for unexpected outbound requests to these domains, check for unauthorized modifications, restrict scripts to trusted domains with a well-defined Content Security Policy (CSP), and scan their sites regularly with tools such as PublicWWW or urlscan.
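The three checks above (audit the page source, watch outbound requests, lock scripts down with a CSP) can be scripted against the two domains the report names. The following is an added example written for this article, not c/side's own tooling: it scans page HTML for script tags and inline loaders that reference the indicator domains or any subdomain of them, scans outbound-request log lines for the same domains, and builds a CSP that would block an injected loader. The HTML, the log lines and their format (timestamp, client IP, method, URL) are constructed for illustration, and the hex-escape decoding is an assumption about how such loaders hide a domain string, since the report does not describe the obfuscation in detail.

```javascript
// Added example (not c/side's code). Indicator domains are the two named in the
// report; matching covers the apex domain and any subdomain, but not look-alikes
// such as "notp11vt3.vip", which merely end in the same characters.
const IOC_DOMAINS = ["zuizhongjs.com", "p11vt3.vip"];

function matchesIoc(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return IOC_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Hostname of a URL. Relative paths resolve against a placeholder origin so that
// first-party scripts like "/assets/app.js" never match an indicator.
function hostOf(url) {
  try {
    return new URL(url, "https://self.invalid/").hostname;
  } catch {
    return null;
  }
}

// Assumption: the injected loader may hide the domain as \xNN or \uNNNN escapes.
// Decode them before searching so a hex-encoded string still matches.
function deobfuscate(s) {
  return s
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Find <script src=...> tags pointing at indicator domains, and inline scripts
// whose (decoded) body mentions one. Returns one hit per finding, in page order.
function findInjectedScripts(html) {
  const hits = [];
  const srcRe = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = srcRe.exec(html)) !== null) {
    const host = hostOf(m[1]);
    if (host && matchesIoc(host)) {
      const domain = IOC_DOMAINS.find((d) => host === d || host.endsWith("." + d));
      hits.push({ kind: "external", src: m[1], domain });
    }
  }
  const inlineRe = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  while ((m = inlineRe.exec(html)) !== null) {
    const body = deobfuscate(m[1]).toLowerCase();
    for (const d of IOC_DOMAINS) {
      if (body.includes(d)) hits.push({ kind: "inline", domain: d });
    }
  }
  return hits;
}

// Constructed log format: "<timestamp> <client ip> <method> <url>". Return the
// lines whose request URL points at an indicator domain.
function findSuspiciousRequests(logLines) {
  return logLines.filter((line) => {
    const url = line.trim().split(/\s+/).pop();
    const host = hostOf(url);
    return host !== null && matchesIoc(host);
  });
}

// CSP that allows scripts only from the site itself and an explicit allowlist.
// No 'unsafe-inline', so an injected inline loader is blocked as well, and every
// violation is posted to the report endpoint for monitoring.
function buildCsp(allowedScriptHosts, reportUri) {
  const scriptSrc = ["'self'", ...allowedScriptHosts].join(" ");
  return `default-src 'self'; script-src ${scriptSrc}; object-src 'none'; base-uri 'self'; report-uri ${reportUri}`;
}

// Constructed sample page: one legitimate script, one external loader from an
// indicator domain, one inline loader with the second domain hex-escaped.
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="/assets/app.js"></script>
<script src="https://cdn.zuizhongjs.com/loader.js"></script>
<script>var u="\\x70\\x31\\x31\\x76\\x74\\x33\\x2e\\x76\\x69\\x70";</script>
</head><body></body></html>`;

// Constructed sample outbound-request log lines.
const SAMPLE_LOG = [
  "2025-02-01T10:00:00Z 10.0.0.5 GET https://cdn.example.com/lib.js",
  "2025-02-01T10:00:01Z 10.0.0.5 GET https://cdn.zuizhongjs.com/loader.js",
  "2025-02-01T10:00:02Z 10.0.0.7 GET https://www.p11vt3.vip/land?id=3",
  "2025-02-01T10:00:03Z 10.0.0.7 GET https://notp11vt3.vip/x",
];

console.log(findInjectedScripts(SAMPLE_HTML));
console.log(findSuspiciousRequests(SAMPLE_LOG));
console.log(buildCsp(["https://cdn.example.com"], "/csp-report"));
```

Run with `node`. Against the sample page it reports the external loader on zuizhongjs.com and the hex-escaped p11vt3.vip string in the inline script; against the log it flags the two real indicator hits and ignores the look-alike host. The CSP is a starting point: a site with legitimate inline scripts will need nonces or hashes rather than reintroducing `'unsafe-inline'`, and a `report-uri` (or the newer `report-to`) gives the log monitoring step something concrete to watch.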