- Researchers find more than 150,000 compromised websites
- The websites carried malware that overlaid them with malicious gambling pages
- Web administrators are advised to audit their code
Security researchers at c/side recently reported on a major website hijacking campaign in which unidentified threat actors compromised more than 35,000 websites and used them to redirect visitors to malicious pages and even serve malware.
Now, a month later, the team says the campaign has grown further and compromises a staggering 150,000 websites.
c/side believes the campaign is related to the Megalayer exploit, which is known for distributing Chinese-language malware and shares the same domain patterns and the same obfuscation tactics.
Open redirections
While the method has changed slightly and now comes with a “slightly refreshed interface”, the essence remains the same: the attackers use iframe injections to display a full-screen overlay in the visitor’s browser.
The overlays impersonate legitimate betting websites or entirely fake gambling pages.
c/side did not detail who the attackers are, beyond saying that they could be linked to the Megalayer exploit.
The attackers are very likely Chinese, since they operate from regions where Mandarin is common and since the final landing pages carry gambling content under the Kaiyun brand.
Nor did the researchers explain how the threat actors managed to compromise these tens of thousands of websites, but once the attackers gained access, they used it to inject a malicious script from a list of websites.
“Once the script is loaded, the user’s browser window is completely hijacked, often redirecting them to pages that promote a Chinese-language gaming platform (or casino),” the researchers explained in the earlier report.
To mitigate the risk of website takeover, c/side says web administrators should audit their source code and block the malicious domains, for example with firewall rules for Zuizhongjs[.]com, P11VT3[.]VIP and their associated subdomains.
It is also advisable to monitor logs for unexpected outbound requests to these domains.
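The two checks recommended above, a source-code audit for injected script or iframe tags and a log sweep for requests to the named domains, as an added example (not c/side’s tooling). The HTML snippet and log lines are constructed here for illustration; the domain list is the one given in the report.

```python
import re
from urllib.parse import urlparse

# Domains named in the c/side report (de-fanged above as Zuizhongjs[.]com and P11VT3[.]VIP).
BLOCKED_DOMAINS = ("zuizhongjs.com", "p11vt3.vip")

# <script ... src=...> or <iframe ... src=...>, quoted or unquoted src value.
SRC_TAG_RE = re.compile(r'<(script|iframe)\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
# Any dotted hostname-like token in a log line.
HOST_RE = re.compile(r'\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b', re.IGNORECASE)

def domain_matches(host, blocklist=BLOCKED_DOMAINS):
    """True if host is a blocked domain or any of its subdomains (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)

def find_injected_tags(html, blocklist=BLOCKED_DOMAINS):
    """Return (tag, src) pairs for script/iframe tags whose src host is on the blocklist."""
    hits = []
    for tag, src in SRC_TAG_RE.findall(html):
        url = "https:" + src if src.startswith("//") else src  # protocol-relative URLs
        host = urlparse(url).hostname or ""                     # "" for relative paths
        if domain_matches(host, blocklist):
            hits.append((tag.lower(), src))
    return hits

def find_log_requests(log_lines, blocklist=BLOCKED_DOMAINS):
    """Return proxy/DNS/referrer log lines that mention a blocked domain or subdomain."""
    return [line for line in log_lines
            if any(domain_matches(h, blocklist) for h in HOST_RE.findall(line))]

# Constructed sample page: one clean script, one injected loader, one overlay iframe.
SAMPLE_HTML = """<html><head>
<script src="/assets/app.js"></script>
<script src="//cdn.ZuiZhongJs.com/loader.js"></script>
</head><body>
<iframe src="https://abc.p11vt3.vip/play" style="position:fixed;top:0;left:0;width:100%;height:100%"></iframe>
<iframe src="https://www.youtube.com/embed/x"></iframe>
</body></html>"""

# Constructed sample log lines (proxy and DNS style).
SAMPLE_LOGS = [
    "2025-04-01T10:00:01Z proxy user=alice GET https://cdn.example.com/app.js 200",
    "2025-04-01T10:00:02Z proxy user=alice GET https://cdn.zuizhongjs.com/loader.js 200",
    "2025-04-01T10:00:03Z dns query=abc.p11vt3.vip type=A",
]

if __name__ == "__main__":
    for tag, src in find_injected_tags(SAMPLE_HTML):
        print(f"injected <{tag}> pointing at {src}")
    for line in find_log_requests(SAMPLE_LOGS):
        print("suspicious request:", line)
```

Run it over a web root by feeding each `.html`, `.php` or `.js` file's contents to `find_injected_tags`, and over exported proxy or DNS logs with `find_log_requests`.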