Wednesday, May 22, 2024

Massive Black Hat Malware Infects 2500 Websites By Injecting Malicious JavaScript

Recently, cybersecurity researchers at Sucuri found that threat actors are running a massive black hat search engine optimization (SEO) campaign.

In this campaign, nearly 15,000 websites redirected visitors to fake Q&A discussion forums. Over the course of September and October, Sucuri's SiteCheck scanner detected over 2,500 such redirects to other sites.

The researchers also state that every compromised site contains nearly 20,000 files, all of which were being used as part of the threat actors' campaign; most of the affected sites run WordPress.

Malicious ois[.]is Redirects

According to the Sucuri report, after detecting the malware the researchers conducted a brief survey and found that website malware infections generally limit themselves to a small number of files.

They also keep their footprint small so that they can avoid detection and keep operating undisturbed.

A website infected with this malware, by contrast, has over 100 infected files on average, which sets it apart from other campaigns.

Common Infected Files

This malware is most commonly found infecting core files of WordPress, and it has also been found to infect “.php” files that were created by unrelated malware campaigns.

The following is a list of the top 10 most commonly infected files:-

  • ./wp-signup.php
  • ./wp-cron.php
  • ./wp-links-opml.php
  • ./wp-settings.php
  • ./wp-comments-post.php
  • ./wp-mail.php
  • ./xmlrpc.php
  • ./wp-activate.php
  • ./wp-trackback.php
  • ./wp-blog-header.php

Domains Targeted

The domains targeted in this malicious campaign are listed below:-

  • en.w4ksa[.]com
  • peace.yomeat[.]com
  • qa.bb7r[.]com
  • en.ajeel[.]store
  • qa.istisharaat[.]com
  • en.photolovegirl[.]com
  • en.poxnel[.]com
  • qa.tadalafilhot[.]com
  • questions.rawafedpor[.]com
  • qa.elbwaba[.]com
  • questions.firstgooal[.]com
  • qa.cr-halal[.]com
  • qa.aly2um[.]com

Targeting WordPress Sites

The hackers are injecting redirects to the fake Q&A forums by altering WordPress PHP files, such as:- 

  • wp-signup.php
  • wp-cron.php
  • wp-settings.php
  • wp-mail.php

To achieve their objectives, attackers also commonly drop their own PHP files onto the target site, usually under a file name that looks legitimate, for instance:-

  • wp-logln.php

The code injected into an infected WordPress site checks whether the visitor is logged in to WordPress. If they are logged in, it redirects them to the hxxps://ois[.]is/images/logo.png URL.

Despite its name, this URL does not return an image to the browser; instead it loads JavaScript that redirects the visitor, via a Google search click, to the promoted Q&A website.
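As an added example, not code from the article or from Sucuri, the following Python script turns the indicators given above (the ois[.]is redirect URL, the list of most commonly infected core files, and the wp-logln.php lookalike name) into a defender-side scan of a WordPress install. The login-state heuristic, the constructed sample site and all function names are assumptions; the script only reports what it finds and changes nothing.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the report above (the page defangs the host as ois[.]is).
REDIRECT_HOST = "ois.is"
REDIRECT_URL = re.compile(r"https?://ois\.is/images/logo\.png", re.IGNORECASE)

# The ten files the report lists as most commonly infected (WordPress root-relative).
COMMONLY_INFECTED = {
    "wp-signup.php", "wp-cron.php", "wp-links-opml.php", "wp-settings.php",
    "wp-comments-post.php", "wp-mail.php", "xmlrpc.php", "wp-activate.php",
    "wp-trackback.php", "wp-blog-header.php",
}

# Dropped file name the report mentions: "wp-logln.php" (an L where wp-login.php has an i).
LOOKALIKE_NAMES = {"wp-logln.php"}


def scan_file(path: Path) -> list[str]:
    """Return the findings for one PHP file; an empty list means nothing matched."""
    findings: list[str] = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    if REDIRECT_URL.search(text):
        findings.append("redirect to ois.is/images/logo.png")
    elif REDIRECT_HOST in text:
        findings.append("reference to ois.is")
    # Heuristic (an assumption, not from the report): the report says the injected
    # code keys on the visitor's WordPress login state before redirecting, so a
    # login check next to a header redirect is worth a closer look.
    if "is_user_logged_in" in text and ("header(" in text or "Location:" in text):
        findings.append("login-state check combined with a header redirect")
    return findings


def scan_wordpress_root(root: Path) -> dict[str, list[str]]:
    """Walk a WordPress install; map each suspicious PHP path (root-relative) to its findings."""
    results: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*.php")):
        findings = scan_file(path)
        if path.name in LOOKALIKE_NAMES:
            findings.append("file name mimics a core file")
        if findings:
            if path.name in COMMONLY_INFECTED:
                findings.append("in the report's top-10 infected file list")
            results[path.relative_to(root).as_posix()] = findings
    return results


def build_sample_site() -> Path:
    """Create a constructed, throwaway WordPress-like tree for the demo:
    one clean core file, one core file with a constructed injected prefix,
    and one dropped lookalike file. None of this is real malware."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-demo-"))
    (root / "wp-load.php").write_text(
        "<?php\n// clean placeholder standing in for the real core file\n"
    )
    (root / "wp-cron.php").write_text(
        "<?php\n"
        "// constructed stand-in for the injected prefix the report describes\n"
        "if (is_user_logged_in()) { header('Location: https://ois.is/images/logo.png'); exit; }\n"
        "// ... the original wp-cron.php body would follow ...\n"
    )
    (root / "wp-logln.php").write_text(
        "<?php\n// constructed dropped file with a lookalike name\n"
    )
    return root


if __name__ == "__main__":
    site = build_sample_site()
    try:
        for rel_path, findings in scan_wordpress_root(site).items():
            print(f"{rel_path}: {', '.join(findings)}")
    finally:
        shutil.rmtree(site, ignore_errors=True)
```

Point `scan_wordpress_root` at a real document root to run the same checks there. Matching on a known indicator is deliberately narrow: it catches this campaign but not a variant that uses a different host, so in practice it belongs alongside a comparison of core files against the checksums WordPress publishes for each release.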

The spam sites themselves are populated with large numbers of random questions and answers scraped from other Q&A sites.

Many of the posts revolve around cryptocurrencies and financial themes, so the sites share the same subject matter.

Methods of Mitigation

No obvious exploit of a single plugin vulnerability appears to be associated with this spam campaign.

Attackers commonly use exploit kits to probe for vulnerabilities in widely used software components.

Compromised wp-admin administrator panels are also a likely source of the website compromises.

It is therefore highly recommended that you set up 2FA or another form of access restriction on your wp-admin panel.

All of the spam sites likely belong to the same threat actor, since they use similar website-building templates and all appear to have been generated by automated tools.

It is not yet clear how the threat actors breached the websites used for the redirects. To protect your website from such attacks, you can place it behind a firewall.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.