Keylogger injection campaign covered 2000 WordPress-sites

The experts found that after the closure of the malicious website cloudflare [.] Solutions, with which hackers downloaded the cryptomayer Coinhive and later Keylogger on hacked WordPress sites, hackers registered three new domain names.

According to PublicWWW, at the moment, as a result of the new malicious attack, hackers infected more than 2000 WordPress sites.

Recall that hacking WordPress and inserting malicious JavaScript has been start since last year. Initially, such injections in the functions.php file in WordPress themes were used to display third-party advertising, then for installing Coinhive disguised as jQuery and Google Analytics. By early December, this payload, injected from all of the same cloudflare [.] Solutions domain, changed the keylogger.

The malicious site was quickly closed by the efforts of the experts and the registrar company, but the attackers, without a hitch, registered three new domains: cdjs [.] Online, cdns [.] Ws and msdns [.] Online. According to PublicWWW, currently about 300 different WordPress-sites have joined cdjs [.] Online and cdns [.] Ws, more than 1,8 thousand have been contacted to msdns [.] Online. In most cases, this is a re-infection of sites that were compromised last year.

Over the past month, researchers have identified a number of scripts downloaded from the new malicious domains. As it turned out, this time the authors of this WordPress-campaign are installed on sites and Coinhive (under the guise of Google Analytics), and all the same Keylogger. Primary Javascript, implemented on the sites, almost has not changed.

The new attack on WordPress sites, according to experts, is less than last year. A large number of repeated infection sites indicate that many sites did not fix the vulnerabilities and did not increase their protection after the initial infection. It is possible that in some cases the infection simply went unnoticed.

To clean the site, we recommend scanning the website for possible infection, changing all WordPress passwords and updating all server software, including themes and plugins.