Keylogger campaign returns, infecting 2,000 WordPress sites
Over 2,000 WordPress sites are infected with a malicious script that can deliver both a keylogger and the in-browser cryptocurrency miner CoinHive. – Keylogger
Researchers at Sucuri who made the discovery said the recent campaign is tied to threat actors behind a December 2017 campaign that infected over 5,500 WordPress sites. Both incidents used a keylogger/cryptocurrency malware called Cloudflare solutions. The name is derived from the domain used to serve up the malicious scripts in the first campaign, Cloudflare solutions.
Cloudflare solutions – Keylogger Campaign
Cloudflare solutions are in no way related to network management and security firm Cloudflare.
“While these new attacks do not yet appear to be as massive as the original Cloudflare solutions, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection,” wrote Denis Sinegubko, a senior malware researcher at Sucuri who authored research blog this week.
Since December, the Cloudflare solutions domain was taken down. But now threat actors behind the original campaign have registered new domains (cdjs.online, cdns.ws and msdns.online) to host the malicious scripts that are loaded onto WordPress sites.
Attackers use injection scrips on WordPress sites with weak or outdated security. “The cdjs.online script is injected into either a WordPress database (wp_posts table) or into the theme’s functions.php file,” Sinegubko wrote.
Attackers target both the admin login page and the site’s public facing frontend.
“We’ve identified that the library jquery-3.2.1.min.js is similar to the encrypted CoinHive crypto mining library from the previous version,” Sinegubko wrote.
According to source-code search engine PublicWWW, the number of infected sites includes 129 from the domain cdns[.]ws and 103 websites for cdjs.online, Sucuri reports. The bulk of infected domains are tied to msdns.online, with over a thousand reported infections. Researchers said that many additional WordPress sites have become reinfected, now that new domains are active.
Sucuri is no stranger to this particular strain of malicious WordPress scripts. Researchers there have identified previous campaigns that used the Cloudflare.solutions domain, such as ones in December, November and April 2017. Contact Musato Technologies to learn more about our ICT services.