Com.Br Websites Infected with Maliciour JS Code (count18.php)

Our sandbox has logged various domains with suffix .COM.BR infected with a malicious obfuscated javascript code, that is injected at begin of the HTML pages of the websites, before the initial <html> tag:

Obfuscated JS code

The malicious script redirects the users to a malicious URL:

hxxp:// bylviha .ru/count18.php

An example of websites infected:

hxxp:// carboniferacatarinense .com .br/
hxxp:// www. csir-iir. org/
hxxp:// www. terapets .com/

Sometimes the malicious script is injected inside the <title> tag:

JS Injected in Title TAG

URLVoid reports of malicious domains: .ru .com .br org .com