Security researchers at Sucuri discovered that more than 2,000 WordPress websites are infected with malware that logs passwords and just about anything else an administrator or visitor types.
The malware is found on sites running outdated versions of WordPress, or outdated themes and plugins. The attackers exploited those sites to inject malicious code into the CMS's source code. The campaign is said to be tied to the threat actors behind a December 2017 campaign that infected over 5,500 WordPress sites.
The malicious code includes two parts.
First is for the administrator login page where the code loads a keylogger hosted on a third-party domain.
But since the 2017 infections on cloudflare[.]solutions were cleaned up by the registrar, the malicious scripts are now hosted on
"The cdjs[.]online script is injected into either a WordPress database (wp_posts table) or into the theme’s functions.php file," Sucuri researcher Denis Sinegubko wrote in a blog post. "Unfortunately for unsuspecting users and owners of the infected websites, the keylogger behaves the same way as in previous campaigns.
"The script sends data entered on every website form (including the login form) to the hackers via the WebSocket protocol."
None of the sites hosting the code has any relation to Cloudflare or any other legitimate company.
Sucuri's research was based on data obtained from PublicWWW, where the researchers found more than 2,000 websites loading scripts from the three domains. However, Sucuri warns that not all affected sites are indexed in PublicWWW, so the number of victims could be even higher.
The second part loads malicious code into the site's frontend, where it uses visitors' CPUs to mine the Monero cryptocurrency.
"We've identified that the library jquery-3.2.1.min.js is similar to the encrypted CoinHive cryptomining library from the previous version," Sinegubko wrote.
WordPress site owners are advised to scan their websites, check core file integrity, check recently modified files and review user logins. Then they need to update anything that needs updating and look for any suspicious scripts running on their pages.
If they find themselves infected, Sucuri suggests several ways to remove the malware: automatically with its plugin, or manually through FTP or SSH. They then need to clean the hacked database, secure user accounts, remove hidden backdoors and remove malware warnings.
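The report says the injected script lives either in the wp_posts table or in the theme's functions.php and loads from the campaign's domains. As an added example (not code from Sucuri or the article), the following Python script scans exported post content and theme files for URLs that point at those domains; the sample rows and file content are constructed, and the domain list contains only the two domains named on the page.

```python
import re
from urllib.parse import urlparse

# Domains the report ties to the campaign (the page writes them defanged, e.g. cdjs[.]online).
SUSPECT_DOMAINS = {"cdjs.online", "cloudflare.solutions"}

# Matches absolute and protocol-relative URLs inside HTML, JavaScript or PHP text.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>)]+""", re.IGNORECASE)


def is_suspect_host(host, suspect_domains=SUSPECT_DOMAINS):
    """True if host equals a suspect domain or is a subdomain of one (case-insensitive)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in suspect_domains)


def suspicious_urls(text, suspect_domains=SUSPECT_DOMAINS):
    """Return every URL in text whose host is a suspect domain, in order of appearance."""
    return [url for url in URL_RE.findall(text)
            if is_suspect_host(urlparse(url).hostname, suspect_domains)]


def scan_sources(sources, suspect_domains=SUSPECT_DOMAINS):
    """sources maps a label (e.g. 'wp_posts:<ID>' or a theme file path) to its content.
    Returns {label: [urls]} for every label that references a suspect domain."""
    report = {}
    for label, content in sources.items():
        hits = suspicious_urls(content, suspect_domains)
        if hits:
            report[label] = hits
    return report


# Constructed sample data standing in for a wp_posts export and a theme file; not from a real site.
SAMPLE_SOURCES = {
    "wp_posts:12": "<p>Welcome</p><script type='text/javascript' src='//cdjs.online/jquery-3.2.1.min.js'></script>",
    "wp_posts:13": "<p>Clean post</p><script src='https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js'></script>",
    "wp-content/themes/demo/functions.php": "<?php add_action('wp_footer', function () { echo '<script src=\"https://cdjs.online/k.js\"></script>'; });",
}

if __name__ == "__main__":
    for label, urls in scan_sources(SAMPLE_SOURCES).items():
        print(f"{label}: {', '.join(urls)}")
```

A hit in wp_posts points at the database-injection variant, a hit in functions.php at the theme variant; either way the file or row should be reviewed and restored from a known-good copy, not just edited.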
"While these new attacks do not yet appear to be as massive as the original Cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection," continued Sinegubko. "It's possible that some of these websites didn't even notice the original infection."
People who want to clean up infected sites should follow these steps. It is also critical to change all site passwords, since the scripts have given the attackers access to the old ones.