- Researchers found more than 35,000 compromised websites
- Sites were carrying malicious code that took over the browser window
- Visitors were being served casino landing pages
More than 35,000 websites have been compromised in a major hacking campaign that saw users redirected to malicious pages, or possibly even served malware, experts have warned.
A report from cybersecurity researchers at c/side, did not detail who the attackers are, other than saying they could be linked to the Megalayer exploit.
They also did not discuss how the threat actors managed to compromise these tens of thousands of websites, but once the attackers gained access, they used it to inject a malicious script from a list of websites.
Hiding from researchers
“Once the script loads, it fully hijacks the user’s browser window – often redirecting them to pages promoting a Chinese-language gambling (or casino) platform,” the researchers explained.
The attackers are most likely Chinese, since they’re coming from regions where Mandarin is common, and since the final landing pages present gambling content under the Kaiyun brand.
The tens of thousands of compromised websites were serving a few variants of gambling landing pages, it was explained. Some IPs and regions were being served a static page, saying access is blocked. This, the researchers believe, is to prevent security researchers from discovering the attack.
C/side believes the campaign is related to the Megalayer exploit, since it’s known for distributing Chinese-language malware, contains the same domain patterns, and the same obfuscation tactics.
To protect websites against these exploits, c/side advises IT teams to audit their source code, and block malicious domains, or use firewall rules for zuizhongjs[.]com,
p11vt3[.]vip, and associated subdomains. They should also monitor logs for unexpected outgoing requests to these domains, check for unauthorized modifications, restrict scripts to only trusted domains with a well-defined CSP, and frequently scan the sites with tools like PublicWWW or URLScan.
Leave a comment