After a series of critical Drupal vulnerabilities disclosed this spring, it’s not surprising to see a surge of massive Drupal infections like this one: Massive #Drupal infection that redirects to "Tech Support" scam via "js.localstorage[.]tk" https://t.co/30ZeLIyfza pic.twitter.com/ZCPMepM74k — Denis (@unmaskparasites) April 24, 2018 … with over a thousand compromised sites ... Read More

Last week, we described how an ongoing massive malware campaign began using Baidu search result links to redirect people to various ad and scam pages. It didn’t last long. Soon after the publication of that article, the bad actors changed the links to use compromised third-party sites and a couple ... Read More

The malware attack that began as an installation of malicious Injectbody/Injectscr WordPress plugins back in February has evolved since then. Some of the changes were documented asUpdates at the bottom of the original blog post, however, every week we see minor modifications in the way they obfuscate the scripts or ... Read More

A few days ago, we reported that hacked Magento sites had been pushing infostealing malware under the disguise of Flash player updates. In this post, we’ll reveal how this recent attack is related to an extremely hot topic – cryptocurrencies and cryptomining. Infostealer Analysis The malware binary files we found ... Read More

A few months ago, we reported on how cybercriminals were using GitHub to load a variety of cryptominers on hacked websites. We have now discovered that this same approach is being used to push binary “info stealing” malware to Windows computers. Infected Magento Sites Recently, we identified hundreds of infected ... Read More

Since December, we’ve seen a number of websites with this funny looking obfuscated script injected at the very top of the HTML code (before the <html> tag). This code is generated by the well-known JJEncode obfuscator, which was once quite popular for encrypting malicious code. Since its popularity dwindled a ... Read More

On February 8th, 2018, we noticed a new wave of WordPress infections involving two malicious plugins: injectbody and injectscr. These plugins inject obfuscated scripts, creating unwanted pop-up/pop-unders. Whenever a visitor clicks anywhere on an infected web page, they are served questionable ads. Plugin Location The malicious plugins possess a very ... Read More

A few months ago, we covered two injections related to the “cloudflare.solutions” malware: a CoinHive cryptominer hidden within fake Google Analytics and jQuery, and the WordPress keylogger from Cloudflare[.]solutions. This malware was originally identified by one of our analysts in April 2017 and has since evolved and spread to new ... Read More

Recently we wrote about how GitHub/GitHub.io was used in attacks that injected cryptocurrency miners into compromised websites. Around the same time, we noticed another attack that also used GitHub for serving malicious code. Encrypted CoinHive Miner in Header.php The following encrypted malware was found in the header.php file of the ... Read More

Recently, a webmaster contacted us when his AVG antivirus reported that the JS:Miner-C [Trj] infection was found on their site. Our investigation revealed a hidden iframe had been injected into the theme’s footer.php file: wpupdates.github[.]io/ping/" style="width:0;heigh:0;border:none;"> When we opened the URL in a browser, the page was blank. After checking ... Read More