A large-scale campaign is compromising legitimate websites by injecting JavaScript obfuscated with the JSFireTruck technique, redirecting users who arrive from search engines to malicious pages that deliver malware and unwanted content. The campaign affects hundreds of thousands of webpages and uses type-coercion-based obfuscation, which makes analysis harder even though detection remains straightforward. #JSFireTruck #Unit42 #VirusTotal
Key points
- A widespread campaign injected obfuscated JavaScript using JSFireTruck into over 269,000 webpages between March and April 2025.
- The JSFireTruck obfuscation relies on six characters ([]()!+) and JavaScript type coercion to hide malicious code.
- The injected script checks if users arrive via search engines and then redirects them to malicious URLs through hidden iframes covering the entire browser window.
- The technique is used for malware delivery, malvertising, traffic monetization, clickjacking, and phishing.
- Although the obfuscated code is hard to analyze, it is easy to detect because it is built almost entirely from the same small, repetitive character set.
- Palo Alto Networks updated its security models and services, such as Advanced WildFire, Advanced URL Filtering, and Cortex Cloud, to detect and block these threats.
- Indicators of compromise include multiple SHA256 hashes of injected scripts found on infected webpages.
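The two key points above (the six-character alphabet plus type coercion, and detection by character-set ratio) as an added example; this is not code from the Unit 42 report, and the sample page, the injected string, and the minLength/minRatio thresholds are constructed assumptions for the demo:

```javascript
// Added example (not from the Unit 42 report): JSFireTruck's six-character alphabet and a detector.
// 1. Type-coercion atoms, computed with the same coercions the obfuscated code relies on.
function coercionAtoms() {
  return {
    zero: +[],                     // +"" -> 0
    one: +!+[],                    // !0 -> true, +true -> 1
    two: !+[] + !+[],              // true + true -> 2
    strTrue: !![] + [],            // boolean + "" -> "true"
    strFalse: ![] + [],            // "false"
    strUndefined: [][[]] + [],     // [][""] -> undefined -> "undefined"
    strNaN: +[![]] + [],           // +"false" -> NaN -> "NaN"
    letterA: (![] + [])[+!+[]],    // "false"[1] -> "a"
  };
}

// 2. Detection: hard to read, but trivially repetitive. Ratio of
//    non-whitespace characters drawn from the alphabet [ ] ( ) ! +.
const FIRETRUCK_CHARS = new Set("[]()!+");
function fireTruckRatio(src) {
  const body = src.replace(/\s+/g, "");
  if (!body) return 0;
  let hits = 0;
  for (const ch of body) if (FIRETRUCK_CHARS.has(ch)) hits += 1;
  return hits / body.length;
}

// Score every inline <script> body in a page. minLength and minRatio are
// assumed demo thresholds; tune them against your own script corpus.
function flagInlineScripts(html, { minLength = 60, minRatio = 0.9 } = {}) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const results = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const body = m[1].trim();
    const ratio = fireTruckRatio(body);
    results.push({ length: body.length, ratio, flagged: body.length >= minLength && ratio >= minRatio });
  }
  return results;
}

// 3. Constructed sample page: one ordinary script plus one injected script
//    that spells "alert" by indexing into "false" and "true", JSFireTruck style.
const INJECTED =
  "(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]+!+[]]+" +
  "(!![]+[])[+!+[]]+(!![]+[])[+[]]";
const SAMPLE_HTML =
  '<html><body><script>document.getElementById("x").textContent = "hello";</script>' +
  `<script>${INJECTED}</script></body></html>`;
const report = flagInlineScripts(SAMPLE_HTML);   // report[1].flagged === true
```

A real JSFireTruck payload is much longer than this sample and reaches arbitrary characters through the same indexing trick, so the ratio check scales to it unchanged.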
MITRE Techniques
- [T1185] Man-in-the-Browser – Injected JavaScript manipulates webpages to redirect users invisibly using iframes (“the script will use the random ElementID present inside the page and add an iframe containing the malicious domain”).
- [T1059.007] JavaScript – JSFireTruck obfuscation is used to evade detection; type coercion turns expressions built from a handful of symbols into ASCII characters (“The injected JavaScript code with JSFireTruck obfuscation uses a limited set of characters and numbers”).
- [T1499] Endpoint Denial of Service – Overlapping iframes that cover the entire browser window prevent user interaction with the legitimate content (“iframe will cover the entire browser window and hide the original content”).
- [T1204] User Execution – Users arriving from search engines are redirected by injected scripts that key on document.referrer (“The injected code checks the website referrer, and if the referrer is a search engine, the code redirects victims to malicious URLs”).
Indicators of Compromise
- [SHA256 Hashes] Examples of injected JSFireTruck scripts found on infected webpages – 03ba72c2b7b0e2a9c459b95646b4301840ae66b87de47d1117a44e2d2d3e3584, 044cb5f61172adb60a8bca0a7addadb6bb69107a4916057338c6578aa846b057, and 23 more hashes.
Read more: https://unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-as-obfuscation/