At least 2,000 WordPress sites (possibly more) are infected with a keylogger that is loaded on the WordPress backend login page and a cryptojacking script (an in-browser cryptocurrency miner) on their frontends.
Security researchers at Sucuri discovered a malicious campaign that infects WordPress websites with a malicious script that delivers an in-browser cryptocurrency miner from CoinHive and a keylogger.
Coinhive is a popular browser-based service that lets website owners embed JavaScript that uses the CPU power of their visitors' machines to mine the Monero cryptocurrency.
Researchers at Sucuri, who made the discovery, said the recent campaign is tied to the threat actors behind a December 2017 campaign. Both incidents used the same keylogger/cryptocurrency-mining malware, known as cloudflare[.]solutions after the domain that served the malicious scripts in the first campaign.
The malware was updated in November to include a keylogger. The keylogger works the same way as in previous campaigns and captures keystrokes entered on both the site's administrator login page and its public-facing frontend.
“The number of infected sites for the cdns[.]ws domain includes some 129 websites, and 103 websites for cdjs[.]online, according to the source-code search engine PublicWWW, though over a thousand sites were reported to have been infected by the msdns[.]online domain.”
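The campaign is identified by the domains its injected script tags load from, so a site owner's first check is to search the install for `<script src>` references to those domains. The scanner below is an added example written for this article, not code from Sucuri or from the campaign writeup; it assumes the injection takes the form of a plain script tag in PHP, HTML or JS files (the article does not say where in the install the tag is placed), the domain list is the one named above, and `SAMPLE_PAGE` is a constructed page used only to exercise the matcher.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Domains named in the Sucuri findings (defanged in the article, un-defanged here for matching).
KNOWN_BAD_DOMAINS = {
    "cloudflare.solutions",
    "cdns.ws",
    "cdjs.online",
    "msdns.online",
}

# <script ... src="..."> or src='...', any attribute order, case-insensitive.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def find_suspicious_script_sources(html, bad_domains=KNOWN_BAD_DOMAINS):
    """Return script src URLs whose host is a known-bad domain or one of its subdomains.

    Handles absolute (https://...), protocol-relative (//...) and bare (host/path) URLs.
    """
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src if "//" in src else "//" + src).hostname
        if not host:
            continue
        host = host.lower()
        if any(host == d or host.endswith("." + d) for d in bad_domains):
            hits.append(src)
    return hits


def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Walk a WordPress install and map each file to the suspicious script URLs it contains."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file; keep scanning the rest of the tree
        hits = find_suspicious_script_sources(text)
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample page: one legitimate script plus two tags pointing at campaign domains.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.org/jquery.min.js"></script>
<script type="text/javascript" src='//cdjs.online/assets/a.js'></script>
</head><body>
<script src="https://msdns.online/assets/b.js"></script>
</body></html>"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for f, urls in scan_tree(sys.argv[1]).items():
            print(f"{f}: {', '.join(urls)}")
    else:
        print(find_suspicious_script_sources(SAMPLE_PAGE))
```

Run it with the path of the WordPress document root to list every file that loads a script from one of the listed domains; with no argument it demonstrates the matcher on the constructed page. Matching on the host rather than the full URL means renamed script paths on the same domain are still caught, and the subdomain check covers hosts such as `static.cloudflare.solutions`. A clean result from this scan only rules out tags referencing these four domains; the article's own advice (rotate all WordPress passwords and update server software, themes and plugins) still applies.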
Sucuri researchers concluded: “While these new attacks do not yet appear to be as massive as the original Cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection. It’s possible that some of these websites didn’t even notice the original infection.”
Users are encouraged to change all WordPress passwords and update all server software, including third-party themes and plugins.