Thousands of WordPress sites infected with a Keylogger and cryptocurrency miner scripts

Nearly 5,500 WordPress websites are infected with a malicious script that logs keystrokes and in some loads a cryptocurrency miner in the visitors’ browsers.

The experts from security firm Sucuri observed that that malicious script is being loaded from the “cloudflare.solutions” domain, that anyway is not linked with Cloudflare.

According to PublicWWW, this malicious script version is currently active on 5,496 sites.

The script running on compromised WordPress websites logs anything that visitors type inside form fields.

“We also mentioned a post written back in April that described the cloudflare.solutionsmalware, which came along with the cryptominers. At this moment, PublcWWW reports there are 5,482 sites infected with this malware. It seems that this evolving campaign is now adding keyloggers to the mix.” reads the analysis published by Sucuri.

The script is a serious threat especially for WordPress installs configured to run as online stores, in these cases attackers can log credit card data and personal user details.

“This script adds a handler to every input field on the websites to send its value to the attacker (wss://cloudflare[.]solutions:8085/) when a user leaves that field.” continues the analysis.

According to Sucuri experts, the threat actors behind this hacking campaign are active at least since April 2017. Sucuri has tracked at least three different malicious scripts hosted on the same cloudflare.solutions domain across the months.

The first attack leveraging on these scripts was observed in April when hackers used a malicious JavaScript file to embed banner ads on hacked sites.

In November, experts from Sucuri reported the same attackers were loading malicious scripts disguised as fake jQuery and Google Analytics JavaScript files that were actually a copy of the Coinhive in-browser cryptocurrency miner. By November 22, the experts observed 1,833 sites compromised by the attackers.

Back to the present, the script that was discovered on the compromised WordPress sites still includes in-browser cryptocurrency miner abilities and it also includes the keylogger component.

The malicious script resides in the function.php file of the WordPress theme, this means that it is possible to neutralize it by removing the add_js_scripts function and all the add_action clauses that refer add_js_scripts.

“As we already mentioned, the malicious code resides in the function.php file of the WordPress theme. You should remove the add_js_scripts function and all the add_action clauses that mention add_js_scripts.” concludes the anaysis.

“Given the keylogger functionality of this malware, you should consider all WordPress passwords compromised so the next mandatory step of the cleanup is changing the passwords (actually it is highly recommended after any site hack).”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Cryptocurrency, Keylogger)

[adrotate banner=”5″]

[adrotate banner=”13″]