{"id":25658,"date":"2025-01-09T06:10:07","date_gmt":"2025-01-09T14:10:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2025\/01\/09\/news-19381\/"},"modified":"2025-01-09T06:10:07","modified_gmt":"2025-01-09T14:10:07","slug":"news-19381","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2025\/01\/09\/news-19381\/","title":{"rendered":"GroupGreeting e-card site attacked in \u201czqxq\u201d campaign\u00a0"},"content":{"rendered":"\n<p><em>This article was researched and written by Stefan Dasic, manager, research and response for <a href=\"https:\/\/www.threatdown.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">ThreatDown, powered by Malwarebytes<\/a><\/em><\/p>\n<p>Malwarebytes recently uncovered a widespread cyberattack\u2014referred to here as the \u201czqxq\u201d campaign as it closely mirrors NDSW\/NDSX-style malware behavior\u2014that compromised GroupGreeting[.]com, a popular platform used by major enterprises to send digital greeting cards.&nbsp;&nbsp;<\/p>\n<p>This attack is part of a broader malicious campaign that takes advantage of trusted websites with high traffic, especially those that could experience a spike in visitors during busy seasons like the winter holidays. That includes greeting card websites, like GroupGreeting[.]com, that allow users to send group e-cards for birthdays, retirements, weddings, and, of course, holidays like Christmas and New Year\u2019s.&nbsp;&nbsp;<\/p>\n<p>According to public data, over 2,800 websites have been hit with similar malicious code. The seasonal increase in user interactions with greeting card sites provides ample opportunities for cybercriminals to quietly inject malware and target unsuspecting visitors.&nbsp;<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-explaining-the-zqxq-malware\"><strong>Explaining the \u201czqxq\u201d malware<\/strong><\/h2>\n<p>Understanding this cybercriminal campaign requires a little bit of understanding of the web. 
Nearly every modern webpage uses JavaScript, a programming language that lets developers build interactive pages. The browser runs whatever JavaScript a site serves with the same trust as the site\u2019s own code, so if cybercriminals can write to a site\u2019s files they can \u201cinject\u201d JavaScript the site\u2019s developers never approved, and every visitor\u2019s browser will run it.&nbsp;<\/p>\n<p>At the core of this breach is an obfuscated JavaScript snippet designed to blend in with legitimate site files. Hidden within themes, plugins, or other critical scripts, the malicious code uses scrambled variables (e.g., zqxq) and custom functions (HttpClient, rand, token) to evade detection and hamper analysis.&nbsp;<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"380\" height=\"516\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image.png\" alt=\"\" class=\"wp-image-147093\" \/><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"830\" height=\"674\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_249e18.png\" alt=\"\" class=\"wp-image-147094\" \/><\/figure>\n<p>Despite its complexity, the malware performs functions that are typical of large-scale JavaScript injection campaigns:&nbsp;<\/p>\n<ul>\n<li><strong>Token generation and redirection<\/strong>. Generates random tokens (rand() + rand()) for query strings or URLs, a technique often used in Traffic Direction Systems (TDS) to make each malicious link unique and harder to blocklist.&nbsp;<\/li>\n<\/ul>\n<ul>\n<li><strong>Conditional checks and evasion<\/strong>. References properties in navigator, document, window, or screen to determine whether the user has visited before, or to avoid re-infecting the same machine. This keeps the campaign under the radar by reducing repeated alerts.&nbsp;<\/li>\n<\/ul>\n<ul>\n<li><strong>Remote payload retrieval<\/strong>. 
Uses an XMLHttpRequest (wrapped in a function labeled HttpClient in the code) to silently fetch further malicious scripts or to redirect visitors to exploit kits, phishing sites, or other malicious destinations.&nbsp;<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"h-overlap-with-ndsw-ndsx-and-tds-parrot-campaigns-nbsp\"><strong>Overlap with NDSW\/NDSX and TDS Parrot campaigns<\/strong>&nbsp;<\/h2>\n<p>Though Malwarebytes only recently discovered the attack on GroupGreeting[.]com, the malware bears strong similarities to another injection campaign that is tracked under two names, \u201cNDSW\/NDSX\u201d and \u201cTDS Parrot.\u201d&nbsp;<\/p>\n<p>According to security researchers from Sucuri, who label these attacks under the \u201cNDSW\/NDSX\u201d moniker, <a href=\"https:\/\/blog.sucuri.net\/2024\/09\/sitecheck-remote-website-scanner-mid-year-2024-report.html\" target=\"_blank\" rel=\"noreferrer noopener\">this campaign accounted for 43,106 detections in their mid-year 2024 SiteCheck report<\/a>. Similar research was <a href=\"https:\/\/unit42.paloaltonetworks.com\/parrot-tds-javascript-evolution-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">published by Unit 42<\/a>, which refers to the campaign as \u201cTDS Parrot.\u201d&nbsp;&nbsp;<\/p>\n<p>From these analyses, we can identify the following parallels to known <strong>NDSW\/NDSX<\/strong> or <strong>TDS Parrot<\/strong> malware campaigns:&nbsp;<\/p>\n<ul>\n<li><strong>Obfuscated redirect scripts<\/strong>. Much like NDSW\/NDSX, the zqxq script deeply obfuscates its variables, methods, and flow. The layering of functions (Q, d, rand, token) and the repeated use of base64-like decoding are standard indicators of TDS JavaScript-based threats.&nbsp;<\/li>\n<\/ul>\n<ul>\n<li><strong>Traffic Direction System behavior<\/strong>. After running checks (e.g., domain name, cookies), these scripts funnel traffic to external pages hosting additional malware payloads or phishing sites. 
This is precisely how TDS Parrot campaigns divert user traffic across multiple malicious domains to maximize infection rates.&nbsp;<\/li>\n<\/ul>\n<ul>\n<li><strong>Large-scale website infections<\/strong>. Both NDSW\/NDSX and the zqxq campaign have infected thousands of websites, suggesting a systematic approach\u2014possibly automated\u2014that exploits vulnerabilities in popular CMS platforms (like WordPress, Joomla, or Magento) or outdated plugins, similar to documented TDS Parrot behaviors.&nbsp;<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"h-analysis-of-the-breach-and-why-groupgreeting-was-a-prime-target-nbsp\"><strong>Analysis of the breach and why GroupGreeting was a prime target<\/strong>&nbsp;<\/h2>\n<p>Cybercriminals rarely strike at random. GroupGreeting was more likely chosen because of the attack\u2019s potential for success. Here are a few reasons why:&nbsp;<\/p>\n<ul>\n<li><strong>High-profile site<\/strong>. GroupGreeting boasts over 25,000 workplace clients, including major brands like Airbnb, Coca-Cola, and eBay, making it a lucrative target. Visitors are more inclined to trust links from a service they deem reputable.&nbsp;<\/li>\n<\/ul>\n<ul>\n<li><strong>Seasonal traffic spikes<\/strong>. During holidays and other high-traffic periods, the site sees a surge in e-card use. Cybercriminals exploit this surge to maximize the spread of redirects and malware.&nbsp;<\/li>\n<\/ul>\n<ul>\n<li><strong>Sophisticated persistence<\/strong>. Malicious code can hide in multiple files or within the database. Deleting one infected file may not remove all traces, allowing reinfection to occur.&nbsp;<\/li>\n<\/ul>\n<ul>\n<li><strong>Potential consequences<\/strong>. Once the malware activates in a user\u2019s browser, it typically redirects them to external domains that host secondary payloads. These payloads can range from phishing pages\u2014designed to steal credentials\u2014to more devastating forms of malware like info stealers or ransomware. 
Attackers often generate random or \u201ctokenized\u201d URLs, making it difficult for basic blocklists to keep pace.&nbsp;<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"h-prevention-and-remediation-nbsp\"><strong>Prevention and remediation<\/strong>&nbsp;<\/h2>\n<ul>\n<li><strong>Timely patching and updates<\/strong>. Attacks like this one often succeed by exploiting known vulnerabilities in outdated CMS installations, themes, or plugins. Apply updates promptly and remove components that are no longer maintained.&nbsp;<\/li>\n<\/ul>\n<ul>\n<li><strong>File integrity checks<\/strong>. Hash core, theme, and plugin files against a known-good baseline and alert on any unauthorized change. Because this campaign can hide code in several files and in the database, treat one flagged file as a signal to scan the whole installation, and re-check after cleanup so that a missed copy cannot reinfect the site.&nbsp;<\/li>\n<\/ul>\n<ul>\n<li><strong>User training<\/strong>. Educate users on potential risks and signs of compromise\u2014even \u201csafe\u201d or well-known websites can be hijacked, so an unexpected redirect from a trusted site is itself a warning sign.&nbsp;<\/li>\n<\/ul>\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" loading=\"lazy\" width=\"780\" height=\"512\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/image_aef924.png\" alt=\"\" class=\"wp-image-147095\" style=\"width:1014px;height:auto\" \/><\/figure>\n<hr class=\"wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide\" \/>\n<p><strong>We don\u2019t just report on threats\u2014we remove them<\/strong><\/p>\n<p>Cybersecurity risks should never spread beyond a headline. 
Keep threats off your devices by&nbsp;<a href=\"https:\/\/www.malwarebytes.com\/for-home\">downloading Malwarebytes today<\/a>.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2025\/01\/groupgreeting-e-card-site-attacked-inzqxq-campaign\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> This article was researched and written by Stefan Dasic, manager, research and response for ThreatDown, powered by Malwarebytes Malwarebytes recently uncovered&#8230; <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[4503,32280,32281,32282,32,32283,32284],"class_list":["post-25658","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cybercrime","tag-groupgreeting","tag-ndsw","tag-ndsx","tag-news","tag-tds-parrot","tag-zqxq"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25658","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=25658"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25658\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=25658"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=25658"},{"taxonomy
":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=25658"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}