Wordpress logo sinking
Wordpress logo sinking

The malware is part keylogger, part in-browser crypto miner, and was initially spotted back in December, running on around 5,500 WordPress sites. Website security firm Sucuri blogged about the attacks back in 2017 and although the initial infection was contained by taking down the site that hosted the scripts (cloudflare[.]solutions), a new set of hosts have been configured. According to data from website search service PublicWWW, three of the scripts alone MSDNS, CDJS, and CDNS are currently running on 2,092 sites.


There are a variety of injected scripts that have been used in this attack in the past month:

  • hxxps://cdjs[.]online/lib.js

  • hxxps://cdjs[.]online/lib.js?ver=…

  • hxxps://cdns[.]ws/lib/googleanalytics.js?ver=…

  • hxxps://msdns[.]online/lib/mnngldr.js?ver=…

  • hxxps://msdns[.]online/lib/klldr.js

  •  

“The cdjs[.]online script is injected into either a WordPress database (wp_posts table) or into the theme's functions.php file, just like we saw in the former cloudflare[.]solutions attack”, said Sucuri researcher Denis Sinegubko, “Unfortunately for unsuspecting users and owners of the infected websites, the keylogger behaves the same way as in previous campaigns. The script sends data entered on every website form (including the login form) to the hackers via the WebSocket protocol.”


The cryptominer is a lightly tweaked version of the CoinHive Monero (XMR) miner, which has been widely adopted by hackers. In a paralell incident, it was discovered that hackers had created a DoubleClick campaign on YouTubethat included the browser miner software.


There are three new servers involved in the latest WordPress attacks:

  • 185.209.23.219 (cdjs[.]online, or 3117488091, where you can still find the cloudflare[.]solutions version of the keylogger)

  • 185.14.28.10 (or 3104709642, which still hosts the hxxp://185.14.28 .10/lib/jquery-3.2.1.min.js?v=3.2.11 crypto miner and the cloudflare[.]solutions version of the keylogger hxxp://185 .14 .28. 10/lib/kl.js)

  • 107.181.161.159 (cdns[.]ws and msdns[.]online – which serves new versions of the cryptominers and keyloggers)

  •  

David Emm, principal security researcher, Kaspersky Lab, told SC Media UK: “In the past, we've seen a number of instances of WordPress vulnerabilities being exploited by cyber-criminals. For anyone using WordPress as part of a self-hosted installation – where the website owner installs it and configures it as required, rather than hosting their site on the WordPress site – it's essential that they keep it protected and apply updates immediately, including to third-party plug-ins that are installed.

 

“The keylogger offers criminals a means to masquerade as the legitimate owner of the site, giving them ongoing access to carry out additional malicious activities.  We've seen a growth of malicious cryptocurrency miners in recent years – in line with the growing mainstream use of crypto-currencies.  And in our end of year review, we predicted that web mining, using scripts installed on compromised sites, is likely to grow.”


To clean up a compromised WordPress site, admins will need to remove the malicious code from theme's functions.php, scan wp_posts table for possible injections, change all WordPress passwords and update all software, especially third-party themes and plugins.