We’ve been following an ongoing malware campaign for the past couple of years now. This campaign is renowned for its prompt addition of exploits for newly discovered WordPress theme and plugin vulnerabilities.
Every other week, the attackers introduce new domain names and slightly change the obfuscation of their scripts to prevent detection. For example, last week they started using URLs on the following domains:
* dns.createrelativechanging[.]com (Creation Date: 2019-09-19)
* bes.belaterbewasthere[.]com (Creation Date: 2019-09-21)
To provide more context, you can find additional posts following the evolution of this malware campaign below.
Plugins Under Attack – Labs Notes & Blog Articles:
Examples of the Latest Injections
Here’s a request used in a recent attack on the vulnerable versions of the Rich Reviews plugin.
It injects the following script into vulnerable websites.
We’re also seeing another variation being injected into the custom_css section of vulnerable sites using the Blog Designer plugin.
In this case, we find a more elaborate obfuscation method that uses random variable names and comments inside the character code array.
XSS and Redirect
The injection fetches the content from https://dns.createrelativechanging[.]com/publicity/souce.js?c=sdlkfjfhgfcw&type=1&pgn and runs it as code of a “todo” function, which pretends to be doing nothing but adding x to y.
The script executes an XSS exploit code for logged in users, which attempts to change the siteurl and home options. Users that aren’t logged in are simply redirected to push notification scam sites, such asredrelaxfollow[.]com or greenrelaxfollow[.]com.
These two types of obfuscation were clearly not enough for the bad actors, however. We’ve also noticed a number of other obfuscation methods used in this new wave of campaign.
On some sites, we see injected code similar to the previous sample, which loads content from https://bes.belaterbewasthere[.]com/trans/downtape.js with an additional layer of String.fromCharCode obfuscation.
Looking at this code, it’s clear that there is a bug in it. There is an array of char codes, but no String.fromCharCode function that will decode it into an executable text.
At the time of writing, we already see 89 sites with this buggy code indexed by PublicWWW.
The fact that their malware isn’t working doesn’t mean that webmasters should ignore this threat, however. It’s presence proves that the site is vulnerable and the next infection attempt will most likely be successful.
Any website compromise is a sign that you need to remove the malware and harden your site as soon as possible. To mitigate threats, we encourage site owners to make sure that all of their themes and plugins are up to date with the latest patches and security updates.
In the event that you can’t regularly monitor or update your website’s software, you can use a web application firewall (WAF) to virtually patch known vulnerabilities.