The injection seen below is used to begin a chained series of redirects involving the malicious domains gotosecond2[.]com, adsformarket[.]com, admarketlocation[.]com, and admarketresearch[.]xyz.
A second URL statistic[.]admarketlocation[.]com/clockwork?&se_referrer= or track[.]admarketresearch[.]xyz/?track&se_referrer= is then loaded in the redirection chain and delivers the final malicious JS payload to the victim’s infected website.
Modification of WordPress theme-editor.php Files
We encourage website owners to disable the modification of primary folders to block hackers from inserting malicious files or includes, as part of WordPress security hardening and security best practices.
Malicious Behavior and Redirects
The attackers also change home and siteurl defined in the wp_options table. This causes site visitors to be redirected to malicious websites affiliated with the attacker, and is likely one of the first red flags of malicious behavior.
You can see the malicious code using /wp-admin/options-general.php to make these modifications on lines 77-81 below.
Conditional Checks & Obfuscation Techniques
The attackers create a variable named ijmjg and use the function String.fromCharCode() to hide the malicious redirect URL as UTF-16 code units rather than ASCII characters. They also insert comments such as /*someuselesstext*/ between the arguments as an evasion technique, further concealing the obfuscation so that the files cannot easily be searched for the text string.
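As an added example (not code from the original post), the following script shows how a defender can reveal a URL hidden with this String.fromCharCode() and inline-comment technique: the sample injection, the placeholder domain redirect.example and the helper names are constructed for this illustration.

```javascript
// Constructed sample resembling the described injection: a variable named ijmjg
// built from String.fromCharCode() with useless comments inserted between the
// numeric arguments. The hidden domain is a placeholder, not a real indicator.
const SAMPLE = `var ijmjg = String.fromCharCode(104,/*kj3x*/116,116,112,115,58,47,47,/*zz*/114,101,100,105,114,101,99,116,46,101,120,97,109,112,108,101,47);
window.location = ijmjg;`;

// Step 1: strip /* ... */ block comments so the call is contiguous again.
function stripBlockComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, "");
}

// Step 2: find every String.fromCharCode(...) call whose arguments are numeric
// literals and decode them to the string the browser would build at runtime.
// Run on the raw (comment-laden) source this finds nothing, which is exactly
// the evasion the comments are meant to achieve.
function decodeFromCharCodeCalls(src) {
  const re = /String\s*\.\s*fromCharCode\s*\(\s*([\d\s,]+)\)/g;
  const decoded = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    const codes = m[1]
      .split(",")
      .map((s) => parseInt(s.trim(), 10))
      .filter((n) => !Number.isNaN(n));
    decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// Step 3: strip comments first, then keep only decoded strings that look like
// redirect targets (http/https URLs).
function findHiddenUrls(src) {
  const cleaned = stripBlockComments(src);
  return decodeFromCharCodeCalls(cleaned).filter((s) => /^https?:\/\//i.test(s));
}

// Usage: on the constructed sample this returns ["https://redirect.example/"].
console.log(findHiddenUrls(SAMPLE));
```

The same two steps (comment removal, then decoding of numeric fromCharCode() arguments) can be run over every .js and .php file under the web root to surface redirect URLs that a plain grep for a domain would miss.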
Another interesting find is the creation of fake plugin directories that contain further malware. These can also be generated through the attacker’s abuse of /wp-admin/ features, namely uploading zip-compressed files via /wp-admin/includes/plugin-install.php, which performs the upload and unzips the fake plugin into /wp-content/plugins/.
The two most common fake plugin directories we’ve seen created alongside this malware are /wp-content/plugins/supersociall/supersociall.php and /wp-content/plugins/blockspluginn/blockspluginn.php.
Scope & Mitigation Steps
The domain gotosecond2[.]com appears to have the oldest registration date, having been registered on Dec 14, 2019, and the most recently registered domain we have blacklisted so far is adsformarket[.]com, registered on Jan 17, 2020.
We expect the attackers will continue to register new domains — or leverage existing unused domains — as more security vendors blacklist domains being used in this infection.