Researchers recently uncovered distributed brute-force attacks on WordPress websites that are carried out through the browsers of innocent site visitors.
A recent increase in website hacking that targets Web3 and cryptocurrency assets was noticed two weeks ago.
This malware, which spreads across several campaigns, uses cryptocurrency drainers to steal assets from compromised wallets and redistribute them.
According to Sucuri researchers, the most notable variation uses the external cachingjs/turboturbo.js script to inject drainers.
The domain name of the turboturbo.js script was modified on February 20, 2024; it was previously dynamiclinks[.]cfd/cachingjs/turboturbo.js, but it is now dynamiclink[.]lol/cachingjs/turboturbo.js.
“This new wave started on the very same day the new dynamiclink[.]lol domain was registered and hosted on the server with IP 93.123.39.199”, researchers said.
Distributed Brute Force Attacks On WordPress Sites
Attackers created a second dynamic-linx[.]com domain on February 23, 2024 (which is also hosted on 93.123.39.199 and 94.156.8.251).
By February 25th, researchers were able to identify injections using the dynamic-linx[.]com/chx.js script.
But this new script is very different because it doesn’t load a crypto drainer. Researchers say there is no connection between the script’s contents and Web3 or cryptocurrencies.
The five main stages of this recent attack enable a malicious actor to use websites that have already been compromised to carry out distributed brute-force attacks against thousands of additional sites that could become targets.
- Obtain URLs of WordPress sites
- Extract author usernames
- Inject malicious scripts
- Brute force credentials
- Verify compromised credentials
According to the information shared with Cyber Security News, whenever a user accesses an infected webpage, their browser requests a task from the hxxps://dynamic-linx[.]com/getTask.php URL.
When a task is found, the data is processed to extract the URL of the target website, an operational username, and a list of 100 passwords to try.
For each password in the list, the visitor’s browser submits a wp.uploadFile XML-RPC API call to upload a file containing the encrypted credentials used to authenticate that particular request.
Each task therefore entails 100 API requests! If authentication succeeds, a short text file containing the valid credentials is created in the WordPress uploads directory.
Once all of the passwords have been checked, the script reports that the job with the given taskId and checkId has finished.
Finally, the script retrieves the next task and works through another set of credentials, and so on for as long as the compromised page stays open.
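From the defender's side, the procedure above leaves a recognisable footprint in an ordinary web-server access log: bursts of POST requests to xmlrpc.php, roughly 100 per task, arriving from many unrelated visitor IP addresses at once. The following is an added example, not code from Sucuri or from this article, that scans combined-format access log lines for exactly that pattern. The log lines, IP addresses, timestamps and the thresholds (50 POSTs per IP within five minutes, three or more such IPs) are all constructed or assumed for illustration.

```python
"""Detect distributed XML-RPC brute-force bursts in web-server access logs.

Added example (not the article's or Sucuri's code). Assumes the Apache/nginx
"combined" log format; the sample log below is constructed in code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def detect_xmlrpc_bruteforce(lines, window=timedelta(minutes=5),
                             per_ip_threshold=50, min_ips=3):
    """Return {'flagged': {ip: max POSTs to xmlrpc.php inside `window`},
    'distributed': True if at least `min_ips` IPs were flagged}.

    A single legitimate client (e.g. a mobile app) can post to xmlrpc.php, so
    the per-IP burst size AND the number of distinct bursting IPs are checked.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
            posts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        best, start = 0, 0
        # Sliding window: largest number of POSTs whose timestamps fit in `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= per_ip_threshold:
            flagged[ip] = best
    return {"flagged": flagged, "distributed": len(flagged) >= min_ips}


def _fmt(ip, ts, method, path, status, size):
    """Render one constructed combined-format log line."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} {size}'


def build_sample_log():
    """Constructed sample: four 'visitor' IPs each sending one task's worth of
    100 XML-RPC POSTs within two minutes, plus a client that posts only twice
    and an unrelated GET. Every address and timestamp here is made up."""
    base = datetime(2024, 2, 25, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for n, ip in enumerate(["198.51.100.10", "198.51.100.11",
                            "203.0.113.5", "203.0.113.6"]):
        for i in range(100):
            ts = base + timedelta(seconds=n * 5 + i)
            lines.append(_fmt(ip, ts, "POST", "/xmlrpc.php", 200, 370))
    for i in range(2):
        ts = base + timedelta(minutes=10 * i)
        lines.append(_fmt("192.0.2.20", ts, "POST", "/xmlrpc.php", 200, 370))
    lines.append(_fmt("192.0.2.21", base, "GET", "/", 200, 5123))
    return lines


if __name__ == "__main__":
    report = detect_xmlrpc_bruteforce(build_sample_log())
    for ip, count in sorted(report["flagged"].items()):
        print(f"{ip}: {count} POSTs to xmlrpc.php within 5 minutes")
    print("distributed brute force suspected:", report["distributed"])
```

Because the XML-RPC payload (and therefore the username and password tried) is not in the access log, the detection keys on request rate and on how many distinct sources are bursting, which is what distinguishes this visitor-browser campaign from a single noisy client. In a real deployment the thresholds would be tuned to the site's normal xmlrpc.php traffic, and a hit would be a prompt to inspect the uploads directory for the small text file the script writes on a successful login.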
Mitigation
“Most likely, they (attackers) realized that at their scale of infection (~1000 compromised sites) the crypto drainers are not very profitable yet.
Moreover, they draw too much attention and their domains get blocked pretty quickly”, researchers said.
This attack is a reminder of the importance of using strong passwords.
You may also want to consider limiting access to the xmlrpc.php file and WordPress admin interface to trusted IP addresses only.