2,000 WordPress sites (possibly more) are infected with a keylogger that is loaded on the WordPress backend login page and a cryptojacking script (an in-browser cryptocurrency miner) on their frontends.
Researchers at Sucuri who made the discovery said the recent campaign is tied to the threat actors behind a December 2017 campaign. Both incidents used keylogger/cryptocurrency-mining malware referred to as cloudflare[.]solutions, named after the domain used to serve the malicious scripts in the first campaign.
The malware was updated in November to include a keylogger. The keylogger works the same way as in previous campaigns and can capture input on both the site’s administrator login page and the website’s public-facing frontend.
“The number of infected sites for the cdns[.]ws domain includes some 129 websites, and 103 websites for cdjs[.]online, according to source-code search engine PublicWWW, though over a thousand sites were reported to have been infected by the msdns[.]online domain.”
“While these new attacks do not yet appear to be as massive as the original Cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection. It’s possible that some of these websites didn’t even notice the original infection,” Sucuri researchers concluded.
Users are encouraged to change all WordPress passwords and update all server software including third-party themes and plugins.
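The PublicWWW counts quoted above come from searching page source for the campaign's serving domains, and a site owner can run the same check locally before and after cleanup. The following scanner is an added example written for this page, not code from Sucuri or from the article; it uses only the domains the article names (with the defanging brackets removed), treats subdomains of those domains as matches, and the sample footer template it checks is constructed for illustration.

```python
"""Find <script> tags in WordPress files or rendered pages that load from the
domains associated with the cloudflare[.]solutions campaign.

Added example for this article; the indicator list is taken from the article
text, everything else (file walk, regex, sample input) is this example's own.
"""
import os
import re
import sys
from urllib.parse import urlparse

# Domains named in the article (defanged "[.]" replaced with "." so they match real URLs).
CAMPAIGN_DOMAINS = {
    "cloudflare.solutions",
    "cdns.ws",
    "cdjs.online",
    "msdns.online",
}

# Matches <script ... src="..."> / src='...' / unquoted src=... ; case-insensitive.
SCRIPT_SRC_RE = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE
)


def _host_of(src: str) -> str:
    """Return the lower-cased host of a script URL, or "" for a same-site relative path."""
    if src.startswith("//"):          # protocol-relative URL, e.g. //cdjs.online/x.js
        src = "https:" + src
    elif "://" not in src:            # relative path served from this site
        return ""
    return (urlparse(src).hostname or "").lower()


def matches_campaign(host: str) -> bool:
    """True if host is one of the campaign domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in CAMPAIGN_DOMAINS)


def find_injected_scripts(text: str) -> list:
    """Return [(host, src), ...] for every script tag loading from a campaign domain."""
    hits = []
    for m in SCRIPT_SRC_RE.finditer(text):
        src = m.group(1)
        host = _host_of(src)
        if matches_campaign(host):
            hits.append((host, src))
    return hits


def scan_tree(root: str, extensions=(".php", ".js", ".html", ".htm")) -> dict:
    """Walk a WordPress install and map each file path to its campaign-domain hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = find_injected_scripts(fh.read())
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            if hits:
                findings[path] = hits
    return findings


# Constructed sample: a theme footer with one legitimate script and two injected ones.
SAMPLE_FOOTER = """
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script type='text/javascript' src='//cdjs.online/lib/jquery-3.2.1.min.js?ver=1.0'></script>
<script src="https://static.msdns.online/analytics.js"></script>
</body></html>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan.py /var/www/html  (path to the WordPress document root)
        for path, hits in scan_tree(sys.argv[1]).items():
            for host, src in hits:
                print(f"{path}: {host} <- {src}")
    else:
        for host, src in find_injected_scripts(SAMPLE_FOOTER):
            print(f"sample footer: {host} <- {src}")
```

Run it against the document root to cover theme and plugin files; to cover injections stored in the database (post content or options), export the relevant rows to a file and pass that through `find_injected_scripts` as well, since the scanner only inspects text it is given. A clean result after cleanup is one input to the password rotation and update steps above, not a substitute for them.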
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.