Over 2,000 WordPress sites are infected with a malicious script that can deliver both a keylogger and the in-browser cryptocurrency miner CoinHive.
Researchers at Sucuri, who made the discovery, said the recent campaign is tied to the threat actors behind a December 2017 campaign that infected over 5,500 WordPress sites. Both incidents used keylogger/cryptocurrency-mining malware known as cloudflare[.]solutions, a name derived from the domain that served up the malicious scripts in the first campaign.
Cloudflare[.]solutions is in no way related to network management and security firm Cloudflare.
“While these new attacks do not yet appear to be as massive as the original cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection,” wrote Denis Sinegubko, a senior malware researcher at Sucuri who authored a research blog post this week.
The cloudflare[.]solutions domain has been taken down since December. But the threat actors behind the original campaign have now registered new domains (cdjs[.]online, cdns[.]ws and msdns[.]online) to host the malicious scripts that are loaded onto WordPress sites.
Attackers inject scripts into WordPress sites with weak or outdated security. “The cdjs[.]online script is injected into either a WordPress database (wp_posts table) or into the theme’s functions.php file,” Sinegubko wrote.
Attackers target both the admin login page and the site’s public-facing frontend.
The injected HTML is obfuscated and loads JavaScript code, such as “googleanalytics.js”, whose “startGoogleAnalytics” routine fetches the malicious scripts from the attackers’ domains.
“We’ve identified that the library jquery-3.2.1.min.js is similar to the encrypted CoinHive cryptomining library from the previous version,” Sinegubko wrote.
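As an added defender's example (not code from Sucuri or from this article), the following Python scan checks wp_posts rows and a theme's functions.php for the domains and file names named above, both as written and after undoing \xNN and \uNNNN JavaScript string escapes; that escape form is an assumed obfuscation, since the article does not describe the actual encoding. The sample rows and the functions.php snippet are constructed.

```python
import re

# Indicators quoted on this page from Sucuri's write-up. The article defangs the
# domains as "cdjs[.]online" etc.; the real dotted form is used here only so it
# matches what would actually appear in an injected script tag.
CAMPAIGN_DOMAINS = ("cloudflare.solutions", "cdjs.online", "cdns.ws", "msdns.online")
# Weaker signals: file and function names the campaign used. They are reported
# too, but a domain hit is the decisive one.
CAMPAIGN_NAMES = ("googleanalytics.js", "startGoogleAnalytics")
INDICATORS = CAMPAIGN_DOMAINS + CAMPAIGN_NAMES

_JS_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")


def decode_js_escapes(text):
    """Undo \\xNN and \\uNNNN string escapes (an assumed obfuscation form)."""
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def find_indicators(content):
    """Return the sorted indicators found in content, raw or after de-escaping."""
    hits = set()
    for view in (content, decode_js_escapes(content)):
        low = view.lower()
        hits.update(ind for ind in INDICATORS if ind.lower() in low)
    return sorted(hits)


def scan_posts(rows):
    """rows: (ID, post_content) pairs, e.g. from SELECT ID, post_content FROM wp_posts.
    Returns {ID: [indicators]} for every row that matched."""
    flagged = {}
    for post_id, body in rows:
        hits = find_indicators(body)
        if hits:
            flagged[post_id] = hits
    return flagged


# Constructed sample data, not real infected content.
SAMPLE_POSTS = [
    (1, "<p>Hello world</p>"),
    (2, '<script src="https://cdjs.online/googleanalytics.js"></script>'),
    # the same kind of reference hidden behind \xNN escapes ("https://msdns.online")
    (3, r'<script>var u="\x68\x74\x74\x70\x73\x3a\x2f\x2f\x6d\x73\x64\x6e\x73\x2e\x6f\x6e\x6c\x69\x6e\x65";</script>'),
]
SAMPLE_FUNCTIONS_PHP = "<?php\nfunction theme_setup() { add_theme_support('title-tag'); }\n"

if __name__ == "__main__":
    print("wp_posts:", scan_posts(SAMPLE_POSTS))  # {2: ['cdjs.online', 'googleanalytics.js'], 3: ['msdns.online']}
    print("functions.php:", find_indicators(SAMPLE_FUNCTIONS_PHP))  # []
```

On a live site the rows would come from a read-only query against wp_posts and the file contents from the active theme directory; a hit on a campaign domain is the signal to take the site offline and restore from a clean backup.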
According to source-code search engine PublicWWW, the infected sites include 129 loading scripts from the domain cdns[.]ws and 103 from cdjs[.]online, Sucuri reports. The bulk of infections are tied to msdns[.]online, with over a thousand reported. Researchers said that many additional WordPress sites have become reinfected now that the new domains are active.
Sucuri is no stranger to this particular strain of malicious WordPress scripts. Researchers there have identified previous campaigns that used the cloudflare[.]solutions domain, such as ones in December, November and April 2017.