This month we noticed a very interesting variant of this infection. While still related to the same vulnerability on the same outdated versions of Newspaper and Newsmag themes, the malware has been designed to both inject malvertising and take over a WordPress website completely. At the moment, PublicWWW service reports over a thousand sites infected with this latest version of the malware.
Symptoms of the Infection
Infected websites are redirecting to other websites with spammy domains like 3cal1ingc0nstant31112123[.]tk or 1sthelper31212123[.]tk (they frequently change). In addition to the redirect, a new rogue admin user “simple001” is created on the infected websites, which gives hackers full access to the sites.
eval(String.fromCharCode(118, 97, 114, 32, 115, 115, 99,redacted...)
Here is a piece of the decoded code that creates the rogue admin user:
Typical Attack Scenario
This intermediary redirect URL starts a chain of redirects to scam and ad sites. The next step in that redirect chain is a disposable, frequently changed .tk domain with “tech support” related terms and random numbers, like 3cal1ingc0nstant31112123[.]tk or techsupport60512123456[.]tk.
Important note: In this infection, rogue user creation only works if the visitor is logged in as a WordPress admin. The malicious code runs when an admin user visits web pages outside of the WordPress admin interface (e.g. to verify changes).
Unfortunately, since this infection is related to a software vulnerability, strong passwords and security plugins will not protect you.
If you’re using outdated TagDiv themes like Newspaper or Newsmag and you suspect that your website might be infected, you can verify through our free SiteCheck scanner. Update the themes to patch the vulnerability, then inspect your blog for suspicious users. We also advise that you test your settings, change your passwords, and scan your server for any backdoors that may have been left behind.
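To support the two checks above (spotting the eval(String.fromCharCode(...)) loader in page output and reviewing the site for rogue administrators), here is an added example that is not code from the original post or from Sucuri: a small Python triage script that decodes the char-code payload of such eval() calls and flags administrator logins missing from an owner-maintained allowlist. The HTML fragment and the admin list are constructed samples; the admin list mimics the JSON shape produced by `wp user list --role=administrator --format=json`, and the char codes spell a harmless placeholder rather than the real payload.

```python
import json
import re

# Constructed sample (not a real capture): an injected loader using the
# eval(String.fromCharCode(...)) pattern. The codes spell a harmless placeholder.
SAMPLE_HTML = """<html><body><p>post body</p>
<script>eval(String.fromCharCode(118, 97, 114, 32, 115, 115, 99, 32, 61, 32, 49, 59));</script>
</body></html>"""

# Constructed sample mimicking `wp user list --role=administrator --format=json`.
SAMPLE_ADMINS_JSON = json.dumps([
    {"ID": 1, "user_login": "editor_jane",
     "user_registered": "2016-03-01 10:00:00", "roles": "administrator"},
    {"ID": 57, "user_login": "simple001",
     "user_registered": "2018-01-12 03:14:07", "roles": "administrator"},
])

# Matches eval(String.fromCharCode(<digits, commas, whitespace>)) and captures the codes.
EVAL_CHARCODE = re.compile(
    r"eval\s*\(\s*String\.fromCharCode\s*\(\s*([\d\s,]+)\s*\)", re.IGNORECASE)


def decode_charcodes(codes: str) -> str:
    """Decode the comma-separated char codes of a String.fromCharCode() call to text."""
    return "".join(chr(int(c)) for c in codes.split(",") if c.strip())


def find_obfuscated_evals(html: str) -> list:
    """Return the decoded body of every eval(String.fromCharCode(...)) loader in html."""
    return [decode_charcodes(m.group(1)) for m in EVAL_CHARCODE.finditer(html)]


def unexpected_admins(admins_json: str, allowlist) -> list:
    """Return administrator logins that are not on the site owner's allowlist."""
    allowed = {login.lower() for login in allowlist}
    return [u["user_login"] for u in json.loads(admins_json)
            if u["user_login"].lower() not in allowed]


if __name__ == "__main__":
    for payload in find_obfuscated_evals(SAMPLE_HTML):
        print("obfuscated eval found, decodes to:", repr(payload))
    for login in unexpected_admins(SAMPLE_ADMINS_JSON, ["editor_jane"]):
        print("administrator not on allowlist:", login)
```

On a live site, feed it the rendered HTML of a front-end page as seen by a logged-in admin and the real wp-cli output; any decoded payload or unlisted administrator is a reason to proceed with the theme update and backdoor scan described above.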
Outdated software is still one of the main causes of website infections and hacks. We always recommend that users check for rogue users and keep their CMS, plugins and themes up to date. A website firewall can also help prevent this type of attack.
Do you believe that your website has been compromised? We’re always here to help.