Our team recently found a malicious JavaScript injection in the index.php theme file of a compromised WordPress website; it ultimately redirects site visitors to a fraudulent giveaway survey website. As of this writing, we have seen over two thousand newly infected sites since we started tracking this infection.
The injection seen below is used to start a series of chained redirects involving the malicious domains gotosecond2[.]com, adsformarket[.]com, advertisinglocation[.]com, and admarketresearch[.]xyz.
A second URL, statistical[.]advertisinglocation[.]com/clockwork?&se_referrer= or track[.]admarketresearch[.]xyz/?track&se_referrer=, is then loaded into the redirect chain and delivers the final malicious JS payload on the victim’s infected website.
Editing WordPress theme-editor.php files
Unfortunately for website owners, this malicious JavaScript payload is also capable of making changes to existing WordPress theme files (lines 31-33) through the /wp-admin/theme-editor.php file. This allows the attackers to inject additional malware, such as PHP backdoors and hacking tools, into other theme files so that they can maintain unauthorized access to the infected website.
As part of WordPress security hardening and best practices, we encourage website owners to disable theme file editing from the WordPress dashboard to prevent attackers from inserting malicious files or inclusions this way.
Malicious behavior and redirects
Attackers also change the home and siteurl values defined in the wp_options table. This causes site visitors to be redirected to malicious websites affiliated with the attacker and is probably one of the first red flags of malicious behavior.
You can see the malicious code use /wp-admin/options-general.php to make these changes on lines 77-81 below.
This same JavaScript payload includes a redirect that uses the location.replace method to replace the current URL.
Conditional checks and obfuscation techniques
Attackers create a variable named ijmjg and use the String.fromCharCode() function to hide the malicious redirect URL as a sequence of UTF-16 code units rather than as plain ASCII characters. They also add comments in the form /*unnecessary text*/ as an evasion technique to further conceal the obfuscation, so that the text string cannot easily be found in the files.
The function checkone() is responsible for checking whether the visitor loading the payload has a “_connected” cookie and whether they are requesting the payload from a /wp-admin URL. If these conditions are met, the JavaScript function location.replace is used to redirect the visitor to the malicious redirect URL stored in the ijmjg variable. We can expect this variable name to change with future variants of the malware.
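The obfuscation described above (a URL spelled out as String.fromCharCode() code units, broken up with junk block comments, and handed to location.replace()) can be undone statically without ever executing the script. The following Node.js analyzer is an added example and is not code from the original post or from the malware; the payload it analyzes is constructed for the example, and the decoded URL is a placeholder on the reserved .invalid TLD, not an indicator from this campaign.

```javascript
// Added example, not code from the original post. Static deobfuscation of the
// pattern described above: a redirect URL hidden in String.fromCharCode()
// code units, padded with /* junk */ block comments, and consumed by
// location.replace(). The payload below is CONSTRUCTED for this example;
// the decoded URL is a placeholder on the reserved .invalid TLD, not an
// indicator from the campaign.
const SAMPLE_PAYLOAD = `
var ijmjg = String.fromCharCode(104,116,116,112,115,58,47,47,/*ykT0q*/101,120,97,109,112,108,101,45,
  114,101,100,105,114,101,99,116,/* ZpLm3 */46,105,110,118,97,108,105,100,47,115,117,114,118,101,121);
function checkone() {
  /* q8fWe */
  if (document.cookie.indexOf("_connected") !== -1 && location.href.indexOf("/wp-admin") !== -1) {
    location.replace(ijmjg);
  }
}
`;

// Remove every /* ... */ block comment (non-greedy, across newlines) so the
// numeric argument lists become contiguous again.
function stripBlockComments(source) {
  return source.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Find String.fromCharCode(<numbers>) calls, decode them, and remember the
// variable each result is assigned to (if any) so sinks can be resolved later.
function decodeFromCharCodeCalls(source) {
  const results = [];
  const re = /(?:(\w+)\s*=\s*)?String\s*\.\s*fromCharCode\s*\(([\d\s,]*)\)/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const codes = m[2].split(',').map((s) => s.trim()).filter(Boolean).map(Number);
    if (codes.length === 0 || codes.some(Number.isNaN)) continue;
    results.push({ variable: m[1] || null, decoded: String.fromCharCode(...codes) });
  }
  return results;
}

// Collect the argument expression of every location.replace(...) call.
function findReplaceSinks(source) {
  const sinks = [];
  const re = /(?:window\.|document\.)?location\s*\.\s*replace\s*\(\s*([^)]*)\)/g;
  let m;
  while ((m = re.exec(source)) !== null) sinks.push(m[1].trim());
  return sinks;
}

// Tie it together: strip comments, decode strings, and resolve each
// location.replace() argument to its decoded value when it is one of the
// variables we just recovered.
function analyzePayload(source) {
  const clean = stripBlockComments(source);
  const decoded = decodeFromCharCodeCalls(clean);
  const sinks = findReplaceSinks(clean);
  const redirectTargets = sinks.map((arg) => {
    const hit = decoded.find((d) => d.variable === arg);
    return hit ? hit.decoded : arg;
  });
  return {
    bytesOfCommentsRemoved: source.length - clean.length,
    decoded,
    sinks,
    redirectTargets,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(analyzePayload(SAMPLE_PAYLOAD), null, 2));
}
```

Stripping the comments first is what makes the rest work: with the junk removed, the argument list is plain comma-separated integers again, and resolving the location.replace() argument back to the variable it was assigned from gives the redirect destination without running anything.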
Another interesting discovery is the creation of fake plugin directories which contain other malware. These can also be generated by abusing /wp-admin/ features, namely by using the /wp-admin/includes/plugin-install.php file to download a zip archive and unpack the fake plugin into /wp-content/plugins/.
The two most common fake plugin directories that we have seen created with this malware are /wp-content/plugins/supersociall/supersociall.php and /wp-content/plugins/blockspluginn/blockspluginn.php.
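The artifacts described in this post (file editing left enabled in the dashboard, tampered home/siteurl rows in wp_options, and the fake plugin directories above) can all be checked from outside WordPress. The following Node.js script is an added example, not code from the original post or from any WordPress project; it runs on inline constructed inputs. The DISALLOW_FILE_EDIT constant it looks for is WordPress's documented setting for disabling dashboard file editing, which the post itself does not name. On a real site you would feed it the actual wp-config.php text, the rows returned by SELECT option_name, option_value FROM wp_options, and a listing of /wp-content/plugins/.

```javascript
// Added example, not code from the original post. Three defender-side checks
// for the artifacts this post describes, run here on CONSTRUCTED inputs.
// Indicators are kept defanged ([.]) in source and re-fanged at runtime.

const refang = (s) => s.replace(/\[\.\]/g, '.');

// Redirect-chain domains listed in the post.
const CAMPAIGN_DOMAINS = [
  'gotosecond2[.]com',
  'adsformarket[.]com',
  'advertisinglocation[.]com',
  'admarketresearch[.]xyz',
].map(refang);

// Fake plugin directory names listed in the post.
const FAKE_PLUGIN_DIRS = ['supersociall', 'blockspluginn'];

// Constructed wp-config.php fragments: one leaves dashboard file editing
// enabled (the define() is commented out), one disables it. DISALLOW_FILE_EDIT
// is WordPress's documented constant for this; the post does not name it.
const SAMPLE_WP_CONFIG = `<?php
define('DB_NAME', 'wordpress');
// define('DISALLOW_FILE_EDIT', true);
`;
const HARDENED_WP_CONFIG = `<?php
define('DB_NAME', 'wordpress');
define('DISALLOW_FILE_EDIT', true);
`;

// Constructed rows as returned by
// SELECT option_name, option_value FROM wp_options; siteurl has been tampered
// with in the way the post describes.
const SAMPLE_OPTIONS = [
  { option_name: 'siteurl', option_value: refang('https://statistical[.]advertisinglocation[.]com/clockwork?&se_referrer=') },
  { option_name: 'home', option_value: 'https://www.example.com' },
  { option_name: 'blogname', option_value: 'Example Site' },
];

// Constructed listing of /wp-content/plugins/.
const SAMPLE_PLUGIN_DIRS = ['akismet', 'supersociall', 'contact-form-7'];

// Check 1: is DISALLOW_FILE_EDIT defined as true on an uncommented line?
// (Simplified PHP parsing: whole-line // and # comments are dropped.)
function fileEditingDisabled(wpConfigText) {
  const live = wpConfigText
    .split('\n')
    .filter((line) => !/^\s*(\/\/|#)/.test(line))
    .join('\n');
  const m = live.match(/define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*(true|false|1|0)\s*\)/i);
  return m !== null && /^(true|1)$/i.test(m[1]);
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

function isCampaignDomain(host) {
  return CAMPAIGN_DOMAINS.some((d) => host === d || host.endsWith('.' + d));
}

// Check 2: do home/siteurl still point at the host you expect?
function checkSiteUrls(optionRows, expectedHost) {
  const findings = [];
  for (const row of optionRows) {
    if (row.option_name !== 'home' && row.option_name !== 'siteurl') continue;
    const host = hostOf(row.option_value);
    let reason = null;
    if (host === null) reason = 'not a valid URL';
    else if (isCampaignDomain(host)) reason = 'known campaign domain';
    else if (host !== expectedHost.toLowerCase()) reason = 'host differs from expected';
    if (reason) findings.push({ option: row.option_name, value: row.option_value, reason });
  }
  return findings;
}

// Check 3: are any of the known fake plugin directories present?
function checkPluginDirs(dirNames) {
  return dirNames.filter((name) => FAKE_PLUGIN_DIRS.includes(name.toLowerCase()));
}

function triage(wpConfigText, optionRows, pluginDirNames, expectedHost) {
  return {
    fileEditingDisabled: fileEditingDisabled(wpConfigText),
    siteUrlFindings: checkSiteUrls(optionRows, expectedHost),
    fakePluginDirs: checkPluginDirs(pluginDirNames),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage(SAMPLE_WP_CONFIG, SAMPLE_OPTIONS, SAMPLE_PLUGIN_DIRS, 'www.example.com'), null, 2));
}
```

The siteurl check compares the hostname rather than the full string, so a value that still contains your own domain but points somewhere else on the path is not flagged; a different host, an unparseable value, or any subdomain of the campaign domains is. The fake plugin names are a snapshot from this post and will age, so treat that list as a starting point rather than a complete one.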
Scope and mitigation measures
Our team noticed a surge in the number of infections related to this malicious JavaScript code during the third week of January 2020. It was found to exploit several plugin vulnerabilities, including vulnerable versions of Simple Fields and CP Contact Form with PayPal.
The domain gotosecond2[.]com appears to be the domain with the oldest registration date; it was registered on December 14, 2019. The most recently registered domain that we have blacklisted so far is adsformarket[.]com, which was registered on January 17, 2020.
We expect attackers to continue to register new domains – or take advantage of existing unused domains – as more and more security providers blacklist domains used in this infection.
If you believe that your website has been infected with this malicious JavaScript code and is serving unwanted redirects to site visitors, you can use our free remote site scanner to detect the malware.
Websites that have identified malware in their environments can benefit from our guide on how to remove malware from a hacked WordPress site – and we’re always happy to help you clean up an infection.