Researchers have identified a new variant of the ClickFix fake browser update malware distributed through malicious WordPress plugins.
These plugins, disguised as legitimate tools, inject malicious JavaScript code into compromised websites, tricking users into installing malware.
The malware uses blockchain technology to obtain malicious payloads, exploiting social engineering tactics to deceive victims.
.png
)
Over 6,000 websites worldwide have been affected by this recent variant, which spreads malware through fake plugins like “Advanced User Manager” and “Quick Cache Cleaner.”
The malicious actors behind these plugins leverage automation to create many seemingly legitimate plugins with fake metadata. These plugins inject malicious scripts into WordPress pages by exploiting the wp_enqueue_scripts functionality.
Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo
The actors also add a redundant wp_head hook that seems to disable other wp_head actions, but this serves no practical purpose.
Interestingly, the .DS_Store files found within the fake plugin directories are identical and can potentially be used as Indicators of Compromise (IoCs) for detection purposes.
Attackers injected malicious scripts with identical hashes into various plugins, as these scripts loaded an Ethereum library and interacted with a smart contract on Binance Smart Chain.
Browser Update pop-ups to visitors based on browser information.
Some compromised sites now have seemingly benign, empty scripts with recent modification dates, suggesting a partial cleanup attempt by the attackers.
Attackers launched a ClickFix campaign in June 2024, injecting malicious JavaScript into over 6,000 WordPress sites, which was achieved by either compromising existing plugins or deploying fake plugins disguised as popular ones.
These fake plugins, often with “Classic” added to their names, contained a single file injecting the script using the high-priority “wp_head” hook.
The attackers also started using disposable Github and BitBucket repositories to host their payloads, making detection and takedown more challenging.
The attack involved a series of automated actions executed by a threat actor using stolen WordPress admin credentials.
The actor logged into a vulnerable website and immediately uploaded a malicious plugin, which was activated and then used to distribute fake browser updates.
The attack was highly efficient, with each session lasting only a few minutes. The attackers likely acquired WordPress admin credentials through brute force attacks, phishing campaigns, or by exploiting malware on the website owners’ computers.
They then used these credentials to install malicious plugins on the websites.
According to GoDaddy, using legitimate credentials for malicious purposes mirrors past attacks where FTP credentials were stolen and used to compromise websites.
The fake plugins may have been installed from a botnet of infected computers, acting as proxies to hide the attackers’ true origin.
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!
