Security researchers have established that thousands of WordPress sites have been infected with a crypto-mining malware. The malware, a keylogger that’s being loaded on the WordPress backend login page can steal resources from the visitor’s computers to mine digital currencies as well as log in each of the visitor’s keystroke.
The discovery was made by researchers at Sucuri who have associated the threat actors with a December 2017 campaign that infected more than 5,400 WordPress websites. The researchers link the two campaigns because they both use keylogger/cryptocurrency malware called cloud flare[.] solutions. The name is derived from the domain the hackers used to serve up the malicious scripts in the first campaign, cloud flare[.] solutions.
How the WordPress Keylogger Works
The attackers use malicious scripts that are injected to target WordPress websites Database directly and compromise it.
The cdjs[.]online based Script is injected into WordPress database file called wp_posts table or themes functions.php file and two other scripts injected into this file as well.
The cdjs[.]online is also used to obfuscate fake googleanalytics.js just like in the previous versionS of the campaign. The researchers also established that fake jQuery was being used for injecting the encrypted Coin Hive crypto mining in the targeted website.
The keylogger will behave similarly a newly infected website in the previous campaigns behaved, that is, displaying annoying banners at the bottom of the page which appears 15 seconds into the browsing session because Cloud flare[.]solutions Scripts have been injected into function.php.
Attackers Active Since April 2017
This campaign has been running since April 2017 and throughout most of 2017 where miscreants were busy embedding malware into the hacked sites as well as loading Coin hive crypto jacking scripts disguised as fake jQuery and Google Analytics JavaScript files. But it would not be until December when these hackers moved to the more scheming practice of collecting admin credentials using a keylogger.
The cloud flare[.] solutions, which as earlier stated was spotted in April 2017, is a crypto mining software and has no relation to the network security and cybersecurity firm, Cloud Flare. It was updated on November last year to include a keylogger that behaves similarly to the ones in previous campaigns, with the ability to steal both the site’s administrator login page and the website’s public facing frontend. Despite the cloud flare[.] solutions domain being shut down last month, the attackers behind this campaign simply registered new domains to host their malicious scripts and then upload them to WordPress sites. The new web domains registered by hackers include cdjs[.] online (registered on December 8th), cdns[.]ws (on December 9th), and msdns[.] online (on December 16th).
It gets even worse for WordPress sites that host an e-commerce platform because the hackers can steal even more valuable data, including payment card data. If the attackers manage to steal the admin credentials, they won’t even need to rely on flaws to break into the site. They can just log into the site with minimal fuss.
Simple Attack
The attack is quite simple. The hackers find unsecured WordPress sites (which are normally the ones running on an older version and older themes and plugins) and then use exploits for those sites to inject malicious code into the CMS’ source code. WordPress sites with outdated security are particularly targeted. According to Denis Sinegubko, a senior malware researcher at Sucuri who authored the research blog this week, “The cdjs[.] online script is injected into either a WordPress database (wp_posts table) or into the theme’s functions.php file.”
HTLM is obfuscated to include JavaScript code, such as “googleanalytics.js,” that load the malicious scripts “startGoogleAnalytics” from the attackers’ domains.
The malicious code has two parts. The code loads a keylogger hosted on a third-party domain for the admin login page. For the site’s frontend, the attackers load the Coin hive in-browser miner and mine Monero using the CPUs of users who visit the site.
Similar to the previous cloud flare[.]solutions campaign the cdjs[.]online Script is inserted into either a WordPress database or the theme’s functions.php file. The cdns[.]ws and msdns[.]online scripts are also found injected into the theme’s functions.php file. Over a thousand sites were reported to have been infected by the msdns[.]online domain while 129 is the number of websites for cdns[.]ws domain.
According to the researchers, it is likely that the majority of those sites have not been indexed yet. The researchers concluded that “While these new attacks do not yet appear to be as massive as the original cloud flare[.]solutions campaign, many sites have still failed to protect themselves according to the re-infection rates.” Researchers also added that many additional WordPress sites have become re-infected, with new domains now active.
Sucuri is no strangers to this kind of malicious scripts. It is worth noting that it is their researchers who identified previous campaigns that used the cloud flare[.]solutions a domain like the ones identified in April, November and December 2017.
Final Word
What to do if your website has already been infected with this malware? You will have to remove the malicious code from theme’s functions.php and then scan wp_posts table for any possible injection. Additionally, it’s also wise to review whether suspicious scripts are being loaded on the login page.
All users are further advised to change all their WordPress passwords and conduct an update of all server software including third-party themes and plugins just to ensure they are on the safe side.