Saturday, December 2, 2023

Massive Black Hat Malware Infect 2500 Websites By Injecting Malicious JavaScript

Recently, the cybersecurity researchers of Sucuri have found that threat actors are conducting a tremendous massive black hat search engine optimization (SEO) campaign. 

However, nearly 15,000 websites redirected visitors to participate in fake Q&A discussion forums in this campaign. Over the course of September and October, the SiteCheck scanner of Sucuri detected over 2,500 redirects to other sites.

Not only this, but the experts have also stated that each and every compromised site contains nearly 20,000 files. All these files were being used as a part of the malicious campaign, which was being carried out by the threat actors, and most of the sites were WordPress.

Malicious ois[.]is Redirects

According to the securi report, After detecting the malware, the experts conducted a brief survey and found that some of the website’s malware infections generally limit themselves to a smaller number of files.

Not only this, but they also limit their footprint so that they can avoid detection and carry out their operations properly. 

A website infected with this malware will, on average, have over 100 files infected; that’s why this malware is completely different from others.

Common Infected Files

This malware is most commonly found infecting core files of WordPress, and it has also been found to infect “.php” files that were created by unrelated malware campaigns.

The following is a list of the top 10 most commonly infected files:-

  • ./wp-signup.php
  • ./wp-cron.php
  • ./wp-links-opml.php
  • ./wp-settings.php
  • ./wp-comments-post.php
  • ./wp-mail.php
  • ./xmlrpc.php
  • ./wp-activate.php
  • ./wp-trackback.php
  • ./wp-blog-header.php

Domains Targeted

The domain that has been targeted in this malicious campaign are listed below:-

  • en.w4ksa[.]com
  • peace.yomeat[.]com
  • qa.bb7r[.]com
  • en.ajeel[.]store
  • qa.istisharaat[.]com
  • en.photolovegirl[.]com
  • en.poxnel[.]com
  • qa.tadalafilhot[.]com
  • questions.rawafedpor[.]com
  • qa.elbwaba[.]com
  • questions.firstgooal[.]com
  • qa.aly2um[.]com

Targeting WordPress Sites

The hackers are injecting redirects to the fake Q&A forums by altering WordPress PHP files, such as:- 

  • wp-singup.php
  • wp-cron.php
  • wp-settings.php
  • wp-mail.php

In order to achieve their objectives, attackers commonly use the technique of dropping their own PHP files onto the target site. While the attackers usually use a file name that looks legitimate, for instance:-

  • wp-logln.php

A malicious file infected or injected into a WordPress site contains malicious code that checks if the visitor is logged in to WordPress or not. If they are logged in, then it redirects them to the hxxps://ois[.]is/images/logo.png URL.

Unlike other URLs, this URL will not send an image to the browser in order to redirect the user to the promoted Q&A website but instead will load JavaScript that redirects them to a Google search click activity to the promoted Q&A website.

The spam sites that the attackers are using for the purpose of building their spam sites consist of a lot of random questions and answers that have been scraped from other Q&A sites in order to populate the spam sites with content.

Many of the stories revolve around cryptocurrencies and financial themes, which makes them based on the same concepts.

Methods of Mitigation

There had been no obvious exploit that appears to be associated with this spam campaign that exploits a single plugin vulnerability.

It is common for attackers to use exploit kits to probe for vulnerabilities in any common components of the software that are vulnerable.

Furthermore, it is likely that the compromised wp-admin administrator panels are also the source of the compromise of websites. 

In this regard, it is highly recommended that you set up 2FA or some other type of access restriction within your wp-admin panel in order to ensure your security.

It is likely that all of the sites belong to the same threat actor since they use similar website-building templates. Not only this, but they all seem to have been generated by automated tools, making it quite likely that the same group of hackers generated them.

While till now it’s not yet clear how the threat actors were able to breach the websites used for redirections. So, in order to protect your website from attacks, you can place it behind a firewall.

Network Security Checklist – Download Free E-Book


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles