Labs Notes Monthly Recap – April/2020

In 2020, we doubled our research efforts to report on the new attacks and hacks we see in the wild. We believe that being informed is a big part of maintaining a good website security posture.

Sucuri Labs provides website malware research updates directly from our teams on the front line. Our Labs Notes are usually shorter than blog posts and they focus on a highly technical audience.

This month, our Malware Research and Incident Response teams wrote about a wide variety of topics, ranging from a COVID-19 phishing lure to Magento credit card skimmers.

Face Mask Spam Links Injected in WordPress Database

by Luke Leal

WordPress websites have been used in web spam campaigns targeting coronavirus search trends. Users are redirected to spam websites.

This spam campaign takes advantage of the surge in searches for COVID-19 keywords and face masks. The spam links were injected into the widget entries stored in the wp_options table of the WordPress database.
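One way to check for this kind of injection is to pull the widget rows out of wp_options and look for links that leave the site. The script below is an added example written for this recap, not code from the original Labs Note; the sample rows, the spam hostname and the keyword list are constructed for the demonstration, and the option value is built in the shape WordPress uses for a serialized Text widget. It generalizes the note's case slightly: any external link in a widget is reported, and spam vocabulary only raises the verdict.

```python
import re
from urllib.parse import urlparse


def php_str(s):
    """Serialize a string the way PHP's serialize() does (byte length, not char length)."""
    return f's:{len(s.encode("utf-8"))}:"{s}";'


def text_widget_option(html):
    """Build a widget_text-style option value holding one Text widget.
    Constructed for this example; the key set of other widget types differs slightly."""
    widget = ("a:3:{" + php_str("title") + php_str("") + php_str("text") + php_str(html)
              + php_str("filter") + "b:0;}")
    return "a:2:{i:2;" + widget + php_str("_multiwidget") + "i:1;}"


# Constructed stand-in for: SELECT option_name, option_value FROM wp_options
# The spam host and wording are made up, not indicators taken from the original note.
SAMPLE_WP_OPTIONS = [
    ("siteurl", "https://example.com"),
    ("widget_text", text_widget_option(
        '<a href="https://spam.example.net/masks">buy n95 face masks online coronavirus</a>')),
    ("widget_custom_html", text_widget_option('<a href="https://example.com/about">About us</a>')),
    ("blogname", "Example Site"),
]

SPAM_TERMS = ("face mask", "n95", "coronavirus", "covid")   # assumed vocabulary, tune per campaign
HREF_RE = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.I)


def is_external(url, site_host):
    """True when the link points outside the site's own host and its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def find_spam_widget_links(rows, site_host, spam_terms=SPAM_TERMS):
    """Scan widget_* options for outbound links; rank each hit by spam vocabulary in the widget."""
    findings = []
    for option_name, option_value in rows:
        if not option_name.startswith("widget_"):
            continue
        lowered = option_value.lower()
        terms = [t for t in spam_terms if t in lowered]
        for url in HREF_RE.findall(option_value):
            if is_external(url, site_host):
                findings.append({
                    "option": option_name,
                    "url": url,
                    "terms": terms,
                    "verdict": "likely spam" if terms else "review",
                })
    return findings


if __name__ == "__main__":
    for hit in find_spam_widget_links(SAMPLE_WP_OPTIONS, "example.com"):
        print(hit)
```

Run against a real dump, the "review" hits are usually legitimate widgets linking to partner sites, so the keyword list is what keeps the output short; the hostname comparison is what catches a campaign whose wording changes.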

Read More

Fake License.txt File Loaded Through PHP Include

by Luke Leal

A PHP include on a WordPress website was found loading a malicious file named license.txt, a name chosen so the file looks harmless to the webmaster.

The injected code redirected visitors to a malicious website. One way to spot attacks like this is to monitor your website files for unexpected changes on a daily basis.

Read More

Phishing with a COVID-19 Lure

by Luke Leal

A phishing lure campaign uses COVID-19 keywords to trick victims into revealing sensitive information.

This was a malicious email campaign which targeted employees of a company by impersonating an IT help desk. Under the pretense of a staff portal, victims were pulled into a scam.

Read More

Spl_autoload Backdoor

by Denis Sinegubko

Hackers created malware that lets an attacker upload temporary backdoor files and execute them through PHP's spl_autoload function.

Even though spl_autoload is used here to evade malware scanners, the rest of the code would probably not go unnoticed.
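A scanner does not have to match the loader itself to catch this; the surrounding code gives it away, as the note says. Below is an added example, written for this recap rather than taken from the Labs Note or from Sucuri's tooling, of heuristic checks over PHP source: a non-literal class name passed to spl_autoload(), autoload extensions outside the defaults, file-writing calls and request input in the same script. Both PHP samples are constructed; the first only mirrors the pattern described above and is not the malware's code.

```python
import re

# Constructed, simplified PHP samples (not the original malware).
SUSPICIOUS_PHP = r"""<?php
$dir = sys_get_temp_dir();
file_put_contents($dir . '/' . $_GET['n'] . '.tmp', base64_decode($_POST['p']));
set_include_path($dir);
spl_autoload_extensions('.tmp');
spl_autoload($_GET['n']);
"""

BENIGN_PHP = r"""<?php
spl_autoload_extensions('.php,.inc');
spl_autoload_register();
$app = new Foo_Bar();
"""

# spl_autoload( ... ) but not spl_autoload_register( or spl_autoload_extensions(
SPL_AUTOLOAD_CALL = re.compile(r"\bspl_autoload\s*\(\s*([^)]*)\)")
SPL_EXTENSIONS_CALL = re.compile(r"\bspl_autoload_extensions\s*\(\s*['\"]([^'\"]*)['\"]")
FILE_WRITE_CALL = re.compile(r"\b(file_put_contents|fwrite|move_uploaded_file|copy|rename)\s*\(")
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b")
NORMAL_EXTENSIONS = {".php", ".inc"}   # PHP's default spl_autoload_extensions()


def scan_php(source):
    """Return a verdict plus the heuristic indicators found in one PHP source file."""
    indicators = []
    autoload_calls = SPL_AUTOLOAD_CALL.findall(source)
    for arg in autoload_calls:
        arg = arg.strip()
        if "$" in arg or "(" in arg:   # class name computed at run time, not a literal
            indicators.append(f"spl_autoload() called with a non-literal class name: {arg}")
    for ext_list in SPL_EXTENSIONS_CALL.findall(source):
        exts = {e.strip().lower() for e in ext_list.split(",") if e.strip()}
        odd = sorted(exts - NORMAL_EXTENSIONS)
        if odd:
            indicators.append("spl_autoload_extensions() allows non-PHP extensions: " + ",".join(odd))
    writes = sorted(set(FILE_WRITE_CALL.findall(source)))
    if writes and autoload_calls:
        indicators.append("file-writing call(s) alongside spl_autoload(): " + ",".join(writes))
    if autoload_calls and REQUEST_INPUT.search(source):
        indicators.append("request input ($_GET/$_POST/...) in a script that calls spl_autoload()")
    if len(indicators) >= 2:
        verdict = "suspicious"   # thresholds are an assumption of this example
    elif indicators:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": indicators}


if __name__ == "__main__":
    for label, src in (("suspicious sample", SUSPICIOUS_PHP), ("benign sample", BENIGN_PHP)):
        print(label, scan_php(src))
```

The check is deliberately per file; a dropper that writes the temporary file in one script and loads it from another will only show one indicator in each, so the "review" verdicts are worth reading rather than filtering out.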

Read More

Magento JavaScript Skimmer Targets Tarjetas de Crédito

by Luke Leal

A suspicious payment card form was showing up on a Magento ecommerce website.

Our researchers found that a JavaScript injection was using a .click() event to display malicious forms on compromised Magento sites and steal credit card details.

Read More

Fake M-Shield WordPress Plugin

by Krasimir Konov

Our website security analyst describes fake WordPress plugins that attackers install on compromised sites in order to keep their backdoors and web shells in place.

Even if webmasters delete the backdoors, the malicious plugins recreate them every time someone visits any page of the infected WordPress site.

Read More

Web Skimmer With a Domain Name Generator – Follow Up

by Denis Sinegubko

Our malware researcher provides an update on the Magento web skimmer campaign that uses a domain generation algorithm (DGA) to pick its exfiltration domains.

Another variant of that malware was found, with a set of domains pre-registered for use from March through December.

Read More

WordPress Admin Login Stealer

by Krasimir Konov

A WordPress admin login stealer was found injected into wp-login.php on a WordPress website.

The login stealer intercepts the credentials submitted to the login form and sends them to the attackers. This malware and its variants have been distributed and used on several websites for more than a year.
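Three of this month's notes (the fake license.txt loaded through an include, the fake plugin that re-creates deleted backdoors, and the code injected into wp-login.php) are all caught by the same control: a file-integrity baseline compared on a schedule, plus a check for PHP code hiding in files that should not contain any. The script below is an added example written for this recap, not Sucuri's monitoring code; the mini webroot it builds in a temporary directory and the simulated changes are constructed placeholders, and no real malicious code is written.

```python
import hashlib
import json
import os
import tempfile

CODE_EXTENSIONS = {".php", ".phtml", ".inc"}
PHP_OPEN_TAG = b"<?php"


def hash_tree(root):
    """Map each file under root (as a path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Files that appeared, changed or vanished since the baseline snapshot."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def php_in_non_code_files(root):
    """Files whose extension is not a PHP one but that carry a PHP open tag (the fake license.txt trick)."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in CODE_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                if PHP_OPEN_TAG in fh.read(1 << 20):
                    hits.append(os.path.relpath(full, root))
    return sorted(hits)


def put_file(root, rel, text, mode="w"):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path) or root, exist_ok=True)
    with open(path, mode) as fh:
        fh.write(text)


def demo():
    """Constructed mini webroot: snapshot it, simulate the three notes' changes, compare again."""
    with tempfile.TemporaryDirectory() as root:
        put_file(root, "wp-login.php", "<?php\n// placeholder for the core login handler\n")
        put_file(root, os.path.join("wp-includes", "license.txt"), "WordPress - Web publishing software\n")
        put_file(root, os.path.join("wp-includes", "version.php"), "<?php\n$wp_version = 'placeholder';\n")
        baseline = hash_tree(root)

        # Simulated compromise (placeholders only): code appended to wp-login.php, PHP hidden
        # in license.txt, and a fake plugin file dropped under wp-content.
        put_file(root, "wp-login.php", "// injected: credential capture would live here\n", mode="a")
        put_file(root, os.path.join("wp-includes", "license.txt"), "<?php /* hidden code */\n")
        put_file(root, os.path.join("wp-content", "plugins", "fake-plugin", "fake-plugin.php"),
                 "<?php /* fake plugin that re-creates backdoors */\n")

        changes = diff_baseline(baseline, hash_tree(root))
        disguised = php_in_non_code_files(root)
    return changes, disguised


if __name__ == "__main__":
    changes, disguised = demo()
    print(json.dumps(changes, indent=2))
    print("PHP code in non-code files:", disguised)
```

Two practical points follow from the notes themselves: the baseline has to be taken from a known-clean copy (or compared against the pristine core files for the installed version), and after a cleanup the comparison should be re-run a day later, because a dropper like the fake plugin shows up as the same backdoor path appearing under "added" again.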

Read More


*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Juliana Lewis. Read the original post at: https://blog.sucuri.net/2020/05/labs-notes-april-2020.html