Malicious JavaScript used in WP site/home URL redirects

Our team recently found a malicious JavaScript injection in a WordPress theme's index.php file on a compromised WordPress website. The injection ultimately redirects site visitors to a fraudulent giveaway survey website. As of this writing, we have seen over two thousand newly infected sites since we started tracking this infection.

The injection seen below is used to start a series of chained redirects involving the malicious domains gotosecond2[.]com, adsformarket[.]com, admarketlocation[.]com, and admarketresearch[.]xyz.

[Image: injection involved in a series of redirects]

A second URL, statistical[.]admarketlocation[.]com/clockwork?&se_referrer= or track[.]admarketresearch[.]xyz/?track&se_referrer=, is then loaded into the redirect chain and delivers the final malicious JavaScript payload to the victim's infected website.

Editing WordPress theme-editor.php files

[Image: malicious modification of WordPress files]

Unfortunately for website owners, this malicious JavaScript payload is also capable of modifying existing WordPress theme files (lines 31-33) through /wp-admin/theme-editor.php. This allows the attackers to inject additional malware, such as PHP backdoors and hacking tools, into other theme files so that they can maintain unauthorized access to the infected website.

We encourage website owners to disable file editing from the WordPress dashboard, as part of WordPress security hardening and best practices, so that attackers cannot insert malicious files or inclusions this way.

Malicious behavior and redirects

Attackers also change the home and siteurl values stored in the wp_options table. This causes site visitors to be redirected to malicious websites affiliated with the attacker, and it is probably one of the first red flags of malicious behavior.

You can view the malicious code that makes these changes, via /wp-admin/options-general.php, on lines 77-81 below.

[Image: malicious behavior and redirects]

This same JavaScript payload includes a redirect that uses the location.replace method to swap out the current URL.

Conditional checks and obfuscation techniques

Attackers create a variable named ijmjg and use the function String.fromCharCode() to hide the malicious redirect URL as a list of UTF-16 code units rather than as ASCII characters. They also insert comments such as /*unnecessary text*/ between the code units as an evasion technique, further concealing the obfuscated string so that it cannot easily be found in the files.

The function check_one() is responsible for checking whether the visitor loading the payload has a "_connected" cookie and whether they are requesting the payload from a /wp-admin URL. If these conditions are met, the JavaScript function location.replace is used to redirect the visitor to the malicious redirect URL stored in the ijmjg variable. We can expect this variable name to change in future variants of the malware.

[Image: conditional checks and obfuscation techniques]

Another interesting discovery is the creation of fake plugin directories that contain other malware. These can also be generated by abusing /wp-admin/ features, namely uploading zip archives through /wp-admin/includes/plugin-install.php, which unpacks the fake plugin archive into /wp-content/plugins/.

The two most common fake plugin directories that we have seen created by this malware are /wp-content/plugins/supersociall/supersociall.php and /wp-content/plugins/blockspluginn/blockspluginn.php.

Scope and mitigation measures

Our team noticed a surge in the number of infections related to this malicious JavaScript code during the third week of January 2020. It was found to exploit several plugin vulnerabilities, including vulnerable versions of Simple Fields and CP Contact Form with PayPal.

The domain gotosecond2[.]com appears to have the oldest registration date, having been registered on December 14, 2019. The most recently registered domain that we have blacklisted so far is adsformarket[.]com, registered on January 17, 2020.

We expect attackers to continue to register new domains – or take advantage of existing unused domains – as more and more security providers blacklist domains used in this infection.

If you believe that your website has been infected with this malicious JavaScript code and is serving unwanted redirects to site visitors, you can use our free remote site scanner to detect the malware.

Websites that have identified malware in their environments can benefit from our guide on how to remove malware from a hacked WordPress site – and we’re always happy to help you clean up an infection.
