Mal.Metrica Malware Hijacks 17,000+ WordPress Sites

Infected websites mimic legitimate human verification prompts (CAPTCHAs) to trick users, who often request seemingly innocuous clicks, resembling past CAPTCHA challenges. 

Clicking initiates a malicious redirect, exposing users to scams or malware exploiting user familiarity with CAPTCHAs, bypassing suspicion, and increasing the click-through rate for fraudulent purposes.  

Verifying Process

Attackers are using a novel technique to redirect users to malicious domains, and instead of injecting malicious code directly into the website, they create an image overlay that appears as a verification prompt. 

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

The image contains a link to the attacker’s domain (rapid.tmediacontent.com).

When a user clicks the image, they are redirected through a chain of redirects before ending up on the malicious website.

This makes it difficult to detect the attack because the malicious code is not part of the original website’s code. 

redirect chain in the browser developer tools

Mal.Metrica, a large malware campaign, injects malicious scripts into vulnerable WordPress plugins masquerading as legitimate CDN or web analytics services to avoid detection. 

The malware leverages Yandex.Metrica to track the performance of these injections.

Since 2023, Mal.Metrica has exploited vulnerabilities in tagDiv Composer, Popup Builder, WP Go Maps, and Beautiful Cookie Consent Banner, infecting over 17,449 websites in 2024 alone. 

Researchers at Sucuri recently identified the threat actors behind Mal.Metrica, highlighting the connection between unpatched vulnerabilities and widespread malware infections.

fake verification prompts

A high-severity vulnerability (CVSS 7.5) in the popular WordPress theme “Responsive” allowed attackers to inject malicious code into websites’ footer sections. The vulnerability was identified in March 2024 and has since been patched. 

Attackers exploited the flaw by inserting unauthorized links into the footer copyright area, potentially for malicious purposes.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free.

The latest version of the theme addresses this issue, as documented in the changelog.txt file. 

changelog.txt file

Clicking “Allow” on a fake CAPTCHA triggers a series of browser notification prompts disguised as legitimate security checks.

These deceptive prompts act as a gateway, initiating a chain of redirects that ultimately land users on malicious websites. 

Bogus Websites

The malicious websites employ various social engineering tactics to trick users into compromising their security and privacy.

Some common scams include malware downloads disguised as essential software updates, phishing attempts that lure users into surrendering personal information, and fraudulent investment opportunities involving cryptocurrency

Additionally, these scammy pop-ups can bombard users with further notifications, each notification functioning as a springboard to yet another bogus website designed to exploit unsuspecting victims.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Google Announces Vanir, A Open-Source Security Patch Validation Tool

Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and automate…

14 hours ago

New Transaction-Relay Jamming Vulnerability Let Attackers Exploits Bitcoin Nodes

A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin nodes,…

15 hours ago

Raspberry Pi 500 & Monitor, Complete Desktop Setup at $190

Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its game…

16 hours ago

Qlik Sense for Windows Vulnerability Allows Remote Code Execution

Qlik has identified critical vulnerabilities in its Qlik Sense Enterprise for Windows software that could…

18 hours ago

QNAP High Severity Vulnerabilities Let Remote attackers to Compromise System

QNAP Systems, Inc. has identified multiple high-severity vulnerabilities in its operating systems, potentially allowing attackers…

19 hours ago

Healthcare Security Strategies for 2025

Imagine this: It's a typical Tuesday morning in a bustling hospital. Doctors make their rounds,…

20 hours ago