
WordPress sites are being hacked to install malicious plugins that show fake software updates and bugs to push information-stealing malware.

Over the past few years, information-stealing malware has become a scourge for defenders worldwide, as the stolen credentials it harvests are used to breach networks and steal data.

Since 2023, a malicious campaign called ClearFake has displayed fake web browser update banners on compromised websites to distribute information-stealing malware.

In 2024, a new campaign called ClickFix was introduced that bears many similarities to ClearFake but instead pretends to be software error messages with included fixes. However, these “fixes” are PowerShell scripts that, when executed, will download and install information-stealing malware.

An example ClickFix overlay feigning a Chrome error
Source: BleepingComputer

ClickFix campaigns have become increasingly common this year, with threat actors compromising sites to display banners showing fake errors for Google Chrome, Google Meet conferences, Facebook, and even CAPTCHA pages.

Malicious WordPress plugins

Last week, GoDaddy reported that ClearFake/ClickFix threat actors have breached more than 6,000 WordPress sites to install malicious plugins that display the fake alerts associated with these campaigns.

“The GoDaddy security team is detecting a new version of ClickFix (also known as ClearFake) fake browser update malware that is distributed via fake WordPress plugins,” explains GoDaddy security researcher Denis Sinegubko.

“These seemingly legitimate plug-ins are designed to appear harmless to website administrators but contain embedded malicious scripts that provide end users with fake browser update prompts.”

The malicious plugins use names similar to those of legitimate plugins, such as Wordfence Security and LiteSpeed Cache, while others use generic, made-up names.

Here is the list of malicious plugins seen in this campaign between June and September 2024:

LiteSpeed Cache Classic
MonsterInsights Classic
Wordfence Security Classic
Search Rank Booster
SEO Booster Pro
Google SEO Booster
Rank Booster Pro
Admin Bar Customizer
Advanced User Manager
Advanced Widget Manage
Content Blocker
Custom CSS Injector
Custom Footer Generator
Custom Login Styler
Dynamic Sidebar Manager
Easy Themes Manager
Form Builder Pro
Quick Cache Cleaner
Responsive Menu Builder
SEO Optimizer Pro
Simple Post Enhancer
Social Media Integrator

Website security firm Sucuri also noted that a fake plugin called “Universal Popup Plugin” is part of this campaign.

Once installed, the malicious plugin hooks various WordPress actions so that it can inject malicious JavaScript into the site’s HTML, with the exact hook chosen depending on the type of site.

Injected JavaScript
Source: GoDaddy

When loaded, this script attempts to fetch another malicious JavaScript file from a Binance Smart Chain (BSC) smart contract, which in turn loads the ClearFake or ClickFix scripts that display the fake banners.

From web server access logs analyzed by Sinegubko, threat actors appear to be using stolen admin credentials to log into a WordPress site and automatically install plugins.

As you can see from the image below, threat actors log in via a single POST HTTP request instead of going to the site’s login page first. This indicates that this is being done automatically after credentials are already obtained.

After the threat actor logs in, they upload and install malicious plugins.

Access logs show how a WordPress site has been compromised.
Source: GoDaddy
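The log pattern described above (a bare POST to wp-login.php with no preceding visit to the login form, followed straight away by a plugin upload and activation) can be hunted for in web server access logs. The following is an added example, not code from the article or from GoDaddy: it parses constructed Apache combined-format log lines and flags any client IP that logs in without first fetching the login form and then touches the plugin upload or activation endpoints. The sample lines, IPs and user agents are constructed for illustration; the WordPress paths are the standard ones.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" format (not real logs from the
# GoDaddy report). The first IP behaves like the automated logins described in
# the article: a single POST to wp-login.php with no prior GET, then a plugin
# upload and activation. The second IP is a normal admin who loads the login
# form first and is not flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.10 - - [10/Oct/2024:14:02:12 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.10 - - [10/Oct/2024:14:02:13 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 3310 "-" "python-requests/2.31"
203.0.113.10 - - [10/Oct/2024:14:02:14 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=wordfence-security-classic/wordfence-security-classic.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2024:15:30:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:15:30:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:15:31:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Standard WordPress admin endpoints used to upload and activate a plugin.
PLUGIN_INSTALL_MARKERS = (
    "/wp-admin/update.php?action=upload-plugin",
    "/wp-admin/plugins.php?action=activate",
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_suspicious_logins(log_text):
    """Return one finding per client IP that POSTs to wp-login.php without ever
    having fetched the login form (no GET /wp-login.php and no referer pointing
    at it), and then goes on to upload or activate a plugin."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        seen_login_form = False
        direct_post_login = False
        plugin_actions = []
        for r in recs:
            path = r["path"]
            if r["method"] == "GET" and path.startswith("/wp-login.php"):
                seen_login_form = True
            elif r["method"] == "POST" and path.startswith("/wp-login.php"):
                # WordPress answers a successful login POST with a 302 redirect;
                # a 302 with no earlier form load is the automated pattern.
                if (not seen_login_form and "wp-login.php" not in r["referer"]
                        and r["status"] == "302"):
                    direct_post_login = True
            elif direct_post_login and any(path.startswith(m) for m in PLUGIN_INSTALL_MARKERS):
                plugin_actions.append(path)
        if direct_post_login and plugin_actions:
            findings.append({"ip": ip, "user_agent": recs[0]["ua"], "plugin_actions": plugin_actions})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOG):
        print(f"{f['ip']} ({f['user_agent']}): direct login followed by "
              f"{len(f['plugin_actions'])} plugin action(s)")
        for p in f["plugin_actions"]:
            print("   ", p)
```

On a real server you would feed the contents of the access log to find_suspicious_logins instead of SAMPLE_LOG. The check is deliberately narrow (a successful login with no form load, then a plugin upload or activation from the same IP), so a legitimate administrator using a browser is not flagged; tooling that logs in via the REST API or XML-RPC would need its own rule.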

While it’s unclear how the threat actors are obtaining the credentials, the researcher notes that it could be through previous brute-force attacks, phishing, and information-stealing malware.

If you operate a WordPress site and are receiving reports of visitors being shown fake alerts, you should immediately review your list of installed plugins and remove any you haven’t installed yourself.

If you find unknown plugins, you should reset any admin users’ passwords to unique passwords used only on your site.
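The review above is easy to automate. The following is an added example (not code from the article) that takes the JSON output of the WP-CLI command `wp plugin list --format=json --fields=name,title,status`, compares it against an allowlist of plugins the operator installed deliberately, and additionally flags unknown plugins whose titles closely resemble an approved plugin, which is how the lookalike names listed in the article (Wordfence Security Classic, LiteSpeed Cache Classic) would show up. The plugin list below is constructed for illustration, and the allowlist is an assumption about what the operator installed.

```python
import difflib
import json

# Constructed output in the shape of `wp plugin list --format=json --fields=name,title,status`
# (not captured from a real site). The lookalike titles are from the article's list.
WP_PLUGIN_LIST_JSON = json.dumps([
    {"name": "wordfence", "title": "Wordfence Security", "status": "active"},
    {"name": "litespeed-cache", "title": "LiteSpeed Cache", "status": "active"},
    {"name": "wordfence-security-classic", "title": "Wordfence Security Classic", "status": "active"},
    {"name": "litespeed-cache-classic", "title": "LiteSpeed Cache Classic", "status": "active"},
    {"name": "custom-css-injector", "title": "Custom CSS Injector", "status": "active"},
])

# Assumed allowlist: plugin slug -> title, for the plugins the operator installed deliberately.
# The article's advice is to remove anything that is not on a list like this.
APPROVED_PLUGINS = {
    "wordfence": "Wordfence Security",
    "litespeed-cache": "LiteSpeed Cache",
}


def review_plugins(plugin_list_json, approved):
    """Return (unknown, lookalikes).

    unknown    - slugs of every installed plugin not in the approved dict, in install-list order
    lookalikes - subset of those slugs whose title closely resembles, or embeds, an
                 approved plugin's title, mapped to that approved title
    """
    installed = json.loads(plugin_list_json)
    approved_titles = list(approved.values())
    unknown, lookalikes = [], {}
    for p in installed:
        if p["name"] in approved:
            continue
        unknown.append(p["name"])
        # Fuzzy match: "Wordfence Security Classic" vs "Wordfence Security" scores ~0.82.
        matches = difflib.get_close_matches(p["title"], approved_titles, n=1, cutoff=0.7)
        if matches:
            lookalikes[p["name"]] = matches[0]
            continue
        # Also catch titles that merely embed a legitimate name, e.g. "Wordfence Security Pro Max".
        for title in approved_titles:
            if title.lower() in p["title"].lower():
                lookalikes[p["name"]] = title
                break
    return unknown, lookalikes


if __name__ == "__main__":
    unknown, lookalikes = review_plugins(WP_PLUGIN_LIST_JSON, APPROVED_PLUGINS)
    for slug in unknown:
        note = f" (looks like '{lookalikes[slug]}')" if slug in lookalikes else ""
        print(f"unapproved plugin: {slug}{note}")
```

On a live site, replace WP_PLUGIN_LIST_JSON with the real WP-CLI output and fill APPROVED_PLUGINS from your own records; anything reported as unapproved is a candidate for removal, and the lookalike flag tells you which entries are trading on a trusted name. Because the article notes the plugins are installed with stolen admin credentials, the plugin review should be paired with the password reset recommended above.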
