Malware

ClickFix Malware Infect Website Visitors Via Hacked WordPress Websites

Researchers have identified a new variant of the ClickFix fake browser update malware distributed through malicious WordPress plugins.

These plugins, disguised as legitimate tools, inject malicious JavaScript code into compromised websites, tricking users into installing malware. 

The malware uses blockchain technology to obtain malicious payloads, exploiting social engineering tactics to deceive victims. 

Over 6,000 websites worldwide have been affected by this recent variant, which spreads malware through fake plugins like “Advanced User Manager” and “Quick Cache Cleaner.”

The malicious actors behind these plugins leverage automation to create many seemingly legitimate plugins with fake metadata. These plugins inject malicious scripts into WordPress pages by exploiting the wp_enqueue_scripts functionality.  

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

Plugin code Plugin code 
Plugin code

The actors also add a redundant wp_head hook that seems to disable other wp_head actions, but this serves no practical purpose.

Interestingly, the .DS_Store files found within the fake plugin directories are identical and can potentially be used as Indicators of Compromise (IoCs) for detection purposes.

Attackers injected malicious scripts with identical hashes into various plugins, as these scripts loaded an Ethereum library and interacted with a smart contract on Binance Smart Chain. 

Example of ClickFix fake Chrome browser update pop-up dialog.

Browser Update pop-ups to visitors based on browser information. 

Some compromised sites now have seemingly benign, empty scripts with recent modification dates, suggesting a partial cleanup attempt by the attackers.  

Attackers launched a ClickFix campaign in June 2024, injecting malicious JavaScript into over 6,000 WordPress sites, which was achieved by either compromising existing plugins or deploying fake plugins disguised as popular ones. 

repository was created on August 23, 2024

These fake plugins, often with “Classic” added to their names, contained a single file injecting the script using the high-priority “wp_head” hook.

The attackers also started using disposable Github and BitBucket repositories to host their payloads, making detection and takedown more challenging.  

The attack involved a series of automated actions executed by a threat actor using stolen WordPress admin credentials.

The actor logged into a vulnerable website and immediately uploaded a malicious plugin, which was activated and then used to distribute fake browser updates.  

executable JavaScript code

The attack was highly efficient, with each session lasting only a few minutes. The attackers likely acquired WordPress admin credentials through brute force attacks, phishing campaigns, or by exploiting malware on the website owners’ computers.

They then used these credentials to install malicious plugins on the websites. 

According to GoDaddy, using legitimate credentials for malicious purposes mirrors past attacks where FTP credentials were stolen and used to compromise websites.

The fake plugins may have been installed from a botnet of infected computers, acting as proxies to hide the attackers’ true origin.

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Critical Apache Parquet Vulnerability Allows Remote Code Execution

A severe vulnerability has been identified in the Apache Parquet Java library, specifically within its parquet-avro module.…

7 minutes ago

Halo ITSM Vulnerability Lets Attackers Inject Malicious SQL Code

A critical security flaw has been discovered in Halo ITSM, an IT support management software widely…

2 hours ago

Australian Pension Funds Hacked: Members Face Financial Losses

Several of Australia’s largest superannuation funds have been targeted in a coordinated cyberattack, leading to…

3 hours ago

Frida Penetration Testing Toolkit Updated with Advanced Threat Monitoring APIs

In a significant update to the popular dynamic instrumentation toolkit Frida, developers have introduced powerful…

3 hours ago

OpenVPN Flaw Allows Attackers Crash Servers and Run Remote Code

OpenVPN, a widely-used open-source virtual private network (VPN) software, has recently patched a security vulnerability…

5 hours ago

Apache Traffic Server Flaw Allows Request Smuggling Attacks

A critical vulnerability has been discovered in Apache Traffic Server (ATS), an open-source caching proxy…

5 hours ago