More than 2,000 WordPress websites have again been found infected with a piece of crypto-mining malware that not only steals the resources of visitors’ computers to mine digital currencies but also logs visitors’ every keystroke.
Security researchers at Sucuri discovered a malicious campaign that infects WordPress websites with a malicious script that delivers an in-browser cryptocurrency miner from CoinHive as well as a keylogger.
Sucuri researchers said the threat actors behind this new campaign are likely the same ones who infected more than 5,400 WordPress websites last month, since both campaigns used the keylogger/cryptocurrency malware known as cloudflare[.]solutions.
Spotted in April last year, cloudflare[.]solutions is cryptocurrency-mining malware and is in no way related to the network management and cybersecurity firm Cloudflare. It was given this name because the malware initially spread from the cloudflare[.]solutions domain.
The malware was updated in November to include a keylogger. The keylogger behaves the same way as in previous campaigns and captures keystrokes on both the site’s administrator login page and the website’s public-facing frontend.
If the infected WordPress site is an e-commerce platform, the attackers can steal far more valuable data, including payment card data. And if they manage to capture the admin credentials, they can simply log into the site without needing a vulnerability to break in.
The cloudflare[.]solutions domain was taken down last month, but the criminals behind the campaign registered new domains to host their malicious scripts, which are then loaded onto WordPress sites.
The new domains registered by the attackers include cdjs[.]online (registered on December 8), cdns[.]ws (December 9) and msdns[.]online (December 16).
Just as in the previous cloudflare[.]solutions campaign, the cdjs[.]online script is injected into either the WordPress database or the theme’s functions.php file. The cdns[.]ws and msdns[.]online scripts are also found injected into the theme’s functions.php file.
According to the source-code search engine PublicWWW, some 129 websites are infected with the cdns[.]ws script and 103 with cdjs[.]online, while more than a thousand sites have been reported infected by the msdns[.]online domain.
Researchers said it is likely that the majority of the infected websites have not yet been indexed.
“While these new attacks do not yet appear to be as massive as the original Cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection. It’s possible that some of these websites didn’t even notice the original infection,” Sucuri researchers concluded.
If your website has already been compromised by this infection, you will need to remove the malicious code from the theme’s functions.php file and scan the wp_posts table for any injected content.
Users are advised to change all WordPress passwords and update all server software, including third-party themes and plugins, to be on the safe side.
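A quick offline check for the two injection points the article names, added here as an example (this is not Sucuri’s or the article’s code): it lists every theme functions.php under a WordPress root that references one of the four campaign domains, counts injected rows in a mysqldump of wp_posts, and prints the query to run against the live database. The sample site it builds is constructed purely for the demo (the script paths in it are made up), and the default wp_ table prefix is assumed unless you pass another one.

```shell
#!/bin/sh
# Added example: hunt for the cloudflare[.]solutions campaign loaders on a WordPress
# install using the domains named in the article as indicators of compromise.
set -u

# Indicators of compromise: the four domains the article attributes to the campaign.
IOC_DOMAINS='cloudflare\.solutions|cdjs\.online|cdns\.ws|msdns\.online'

# scan_theme_functions ROOT
# Prints the path of every theme functions.php under ROOT that references an IOC domain.
scan_theme_functions() {
  find "$1" -path '*/wp-content/themes/*/functions.php' -type f \
    -exec grep -lE "$IOC_DOMAINS" {} + 2>/dev/null
}

# count_theme_hits ROOT: number of infected functions.php files (handy for scripting).
count_theme_hits() {
  scan_theme_functions "$1" | wc -l | tr -d ' '
}

# count_dump_hits DUMP
# Number of lines in a mysqldump of wp_posts (one INSERT per row) that contain an IOC
# domain; use this when you can only inspect an offline copy of the database.
count_dump_hits() {
  grep -cE "$IOC_DOMAINS" "$1" || true
}

# wp_posts_query [PREFIX]
# SQL to run against the live database to locate injected post content. The table
# prefix defaults to wp_ (an assumption; pass your own if the site uses another).
wp_posts_query() {
  prefix="${1:-wp_}"
  printf "SELECT ID, post_type, post_title FROM %sposts WHERE post_content REGEXP '%s';\n" \
    "$prefix" 'cloudflare[.]solutions|cdjs[.]online|cdns[.]ws|msdns[.]online'
}

# make_sample_site: constructed WordPress tree (one clean theme, one infected theme,
# and a fake wp_posts dump) so the checks can be exercised without a real site.
make_sample_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/themes/clean" "$root/wp-content/themes/infected"
  printf '<?php\n// nothing suspicious here\n' > "$root/wp-content/themes/clean/functions.php"
  cat > "$root/wp-content/themes/infected/functions.php" <<'PHP'
<?php
// Constructed: an injected loader pulling a script from a campaign domain (path made up).
add_action('wp_head', function () {
    echo '<script src="https://cdjs.online/example.js"></script>';
});
PHP
  cat > "$root/wp_posts.sql" <<'SQL'
INSERT INTO `wp_posts` VALUES (1,'Hello world!','<p>Welcome.</p>');
INSERT INTO `wp_posts` VALUES (2,'About','<p>Us.</p><script src="https://msdns.online/example.js"></script>');
SQL
  printf '%s\n' "$root"
}

# Demo run against the constructed site.
site=$(make_sample_site)
echo "Infected functions.php files:"
scan_theme_functions "$site" || true
echo "Injected wp_posts rows in dump: $(count_dump_hits "$site/wp_posts.sql")"
echo "Query for the live database:"
wp_posts_query
```

On a real install, point scan_theme_functions at the WordPress root and run the printed query with your MySQL client (or `wp db query "$(wp_posts_query)"` if WP-CLI is available). A clean result from both checks only says these four domains are absent; a reinfected site may pull from a domain the campaign has since moved to, so keep the list current.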