Friday, November 1, 2024
HomeCyber AttackClickFix Malware Infect Website Visitors Via Hacked WordPress Websites

ClickFix Malware Infect Website Visitors Via Hacked WordPress Websites

Published on

Malware protection

Researchers have identified a new variant of the ClickFix fake browser update malware distributed through malicious WordPress plugins.

These plugins, disguised as legitimate tools, inject malicious JavaScript code into compromised websites, tricking users into installing malware. 

The malware uses blockchain technology to obtain malicious payloads, exploiting social engineering tactics to deceive victims. 

- Advertisement - SIEM as a Service

Over 6,000 websites worldwide have been affected by this recent variant, which spreads malware through fake plugins like “Advanced User Manager” and “Quick Cache Cleaner.”

The malicious actors behind these plugins leverage automation to create many seemingly legitimate plugins with fake metadata. These plugins inject malicious scripts into WordPress pages by exploiting the wp_enqueue_scripts functionality.  

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

Plugin code 
Plugin code 

The actors also add a redundant wp_head hook that seems to disable other wp_head actions, but this serves no practical purpose.

Interestingly, the .DS_Store files found within the fake plugin directories are identical and can potentially be used as Indicators of Compromise (IoCs) for detection purposes.

Attackers injected malicious scripts with identical hashes into various plugins, as these scripts loaded an Ethereum library and interacted with a smart contract on Binance Smart Chain. 

Example of ClickFix fake Chrome browser update pop-up dialog.
Example of ClickFix fake Chrome browser update pop-up dialog.

Browser Update pop-ups to visitors based on browser information. 

Some compromised sites now have seemingly benign, empty scripts with recent modification dates, suggesting a partial cleanup attempt by the attackers.  

Attackers launched a ClickFix campaign in June 2024, injecting malicious JavaScript into over 6,000 WordPress sites, which was achieved by either compromising existing plugins or deploying fake plugins disguised as popular ones. 

repository was created on August 23, 2024
repository was created on August 23, 2024

These fake plugins, often with “Classic” added to their names, contained a single file injecting the script using the high-priority “wp_head” hook.

The attackers also started using disposable Github and BitBucket repositories to host their payloads, making detection and takedown more challenging.  

The attack involved a series of automated actions executed by a threat actor using stolen WordPress admin credentials.

The actor logged into a vulnerable website and immediately uploaded a malicious plugin, which was activated and then used to distribute fake browser updates.  

 executable JavaScript code
 executable JavaScript code

The attack was highly efficient, with each session lasting only a few minutes. The attackers likely acquired WordPress admin credentials through brute force attacks, phishing campaigns, or by exploiting malware on the website owners’ computers.

They then used these credentials to install malicious plugins on the websites. 

According to GoDaddy, using legitimate credentials for malicious purposes mirrors past attacks where FTP credentials were stolen and used to compromise websites.

The fake plugins may have been installed from a botnet of infected computers, acting as proxies to hide the attackers’ true origin.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...