https://unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-as-obfuscation

Cybersecurity researchers have uncovered a large-scale malware campaign that compromised more than 269,000 legitimate websites in just one month using a sophisticated JavaScript obfuscation technique dubbed “JSFireTruck.” The campaign, which peaked on April 12 with over 50,000 infected web pages detected in a single day, represents one of the most extensive website compromise operations observed this year, targeting visitors who arrive at infected sites through popular search engines.

The malicious JavaScript injections employ an advanced obfuscation method based on JSFuck, an esoteric programming style that uses only six characters to write executable code. Palo Alto Networks Unit 42 researchers coined the term “JSFireTruck” for this particular implementation, which primarily uses the symbols [, ], +, $, {, and } to hide the code’s true purpose and hinder security analysis. The obfuscated malware is designed to check the document referrer to determine how visitors arrived at the compromised website, specifically targeting users who came from major search engines including Google, Bing, DuckDuckGo, Yahoo, and AOL.

When the malware detects that a visitor originated from a search engine, it automatically redirects them to malicious URLs that can deliver additional malware, exploits, traffic monetization schemes, and malvertising campaigns. This selective targeting approach allows the attackers to maximize their impact while potentially evading detection from security researchers who might visit the sites directly rather than through search engine results. The widespread nature of these infections suggests a coordinated effort to transform legitimate websites into attack vectors for further malicious activities.
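The two traits described above, a script body made almost entirely of the six JSFireTruck symbols and a payload that only fires for search-engine referrers, suggest a simple triage heuristic for defenders: score each inline script by how much of it is drawn from that alphabet and flag long, high-ratio blocks for analyst review. The following Python is an added example written for this page, not code from Unit 42 or from the campaign; the threshold, minimum length and the sample HTML (including the bracket soup standing in for an obfuscated payload) are constructed assumptions, not values taken from the report.

```python
import re
from html.parser import HTMLParser

# The six symbols that make up JSFireTruck-style obfuscation, per the Unit 42 write-up.
JSFIRETRUCK_CHARS = set("[]+${}")


class InlineScriptExtractor(HTMLParser):
    """Collect the text of every inline <script> block in an HTML document."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self._buf = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))

    def handle_data(self, data):
        # HTMLParser treats <script> content as CDATA, so the raw body arrives here.
        if self._in_script:
            self._buf.append(data)


def jsfiretruck_score(script_text: str) -> float:
    """Fraction of non-whitespace characters that come from the six-symbol alphabet."""
    body = re.sub(r"\s+", "", script_text)
    if not body:
        return 0.0
    hits = sum(1 for ch in body if ch in JSFIRETRUCK_CHARS)
    return hits / len(body)


def is_jsfiretruck_like(script_text: str, min_len: int = 200, threshold: float = 0.9) -> bool:
    """Flag long scripts whose body is almost entirely the six symbols.

    min_len and threshold are assumed tuning values; short snippets such as
    `x=[]+{}` are legitimate, so a length floor keeps them out of the alert stream.
    """
    body = re.sub(r"\s+", "", script_text)
    return len(body) >= min_len and jsfiretruck_score(script_text) >= threshold


def scan_html(html: str):
    """Return (index, score, flagged) for every inline script in the page source."""
    parser = InlineScriptExtractor()
    parser.feed(html)
    parser.close()
    return [
        (i, round(jsfiretruck_score(s), 3), is_jsfiretruck_like(s))
        for i, s in enumerate(parser.scripts)
    ]


# Constructed sample page: one ordinary inline script and one block of bracket soup
# built from the six symbols. The second is a stand-in, not a real payload.
SAMPLE_OBFUSCATED = "$={};" + "[$+{}][[]+$][{}+[]]" * 12
SAMPLE_HTML = f"""<html><head>
<script>document.getElementById("x").textContent = "hello";</script>
</head><body>
<p>page content</p>
<script>{SAMPLE_OBFUSCATED}</script>
</body></html>"""


if __name__ == "__main__":
    for index, score, flagged in scan_html(SAMPLE_HTML):
        print(f"script #{index}: score={score} flagged={flagged}")
```

Because the redirect only triggers when `document.referrer` names a search engine, a crawler that fetches the page directly will see no malicious behaviour at all, which is exactly the evasion the report describes. Scanning the retrieved page source with a heuristic like this, rather than observing what the page does in a browser, avoids that blind spot; the score is a triage signal for analyst review, not a verdict, since any JSFuck-derived script will trip it whether or not it is malicious.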

The discovery coincides with separate research revealing a sophisticated Traffic Distribution Service called HelloTDS, which operates through similar methods by injecting remotely hosted JavaScript code into compromised websites. This parallel campaign demonstrates how cybercriminals are increasingly leveraging legitimate website infrastructure to distribute malware, fake CAPTCHA pages, tech support scams, and cryptocurrency frauds.