A WordPress keylogger has returned

I covered WordPress keylogger scripts served from the domain cloudflare[.]solutions in a previous article that we published. Well, the script authors are back at it again, and this time they have registered three domains to serve up and control their malware. The cloudflare[.]solutions domain was taken down on December 8th, 2017, but three new domain names were registered soon after: cdjs[.]online later that same day, cdns[.]ws the next day (December 9th), and msdns[.]online on December 19th.

The Sucuri Blog has been following the activities of these miscreants for a few months and has done an excellent job at keeping on top of their movement and techniques.

According to Sucuri’s research, “PublicWWW has already identified relatively few infected sites: 129 websites for cdns[.]ws and 103 websites for cdjs[.]online, but it’s likely that the majority of the websites have not been indexed yet. Since mid-December, msdns[.]online has infected over a thousand websites, though the majority are reinfections from sites that have already been compromised.”

The key takeaway from Sucuri’s findings is that website owners remain apathetic toward or ignorant about the security of their website(s). Failure to secure your website can cause major headaches for hundreds or thousands of people that visit these infected sites.

The URLs that have been identified as containing the malicious scripts are:

[Image: the URLs identified as containing the malicious scripts]

I visited the first URL in my virtual machine through a VPN using a privacy browser to discover that there are three URLs inside the fake Google Analytics script that loads other elements.

[Image: the fake Google Analytics script and the three URLs inside it]

The first URL in the image above takes you to obfuscated code. The image below is the code in its entirety.

[Image: the obfuscated code served from the first URL, in its entirety]

The second URL from the fake Google Analytics script takes you to code that has also been obfuscated. The image below is a small sample of the code.

[Image: a small sample of the obfuscated code served from the second URL]

The third URL in the timeout section of the first script image takes you to another Google Analytics script that starts the function of the two other scripts that have been called.

[Image: the Google Analytics script served from the third URL]

The other script-serving URLs contain code for crypto miners in addition to the keylogger. Long story short, the script authors are using the same old tricks with new code from new domains. It’s imperative that website owners take responsibility for what they put on the Internet and, intentionally or unintentionally, leave vulnerable.

Wordfence, a leading website firewall, has a free version available that is good enough for the majority of small to medium websites that are out there. If you combine Wordfence with Cloudflare, which also has a free level of service, you greatly reduce the likelihood of your site being compromised by incoming threats.

Another issue website owners must keep on top of is updating their plugins. Wordfence scans all plugins and will notify you if something suspicious comes up in the code and if a plugin is out of date. Outdated plugins can contain vulnerabilities that are fixed by updating. If you have plugins that are no longer developed, it’s best that you find another plugin to do what you need to do.
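
Site owners can also check theme files, plugin files, or a database export for script references to the four domains named in this article. The Python below is an added example, not code from Sucuri or from the original article; the sample markup and its paths are constructed placeholders, and the function names are hypothetical.

```python
import re
from urllib.parse import urlparse

def refang(indicator):
    return indicator.replace("[.]", ".")

# Domains named in this article, stored defanged so this file stays inert.
BAD_DOMAINS = {refang(d) for d in (
    "cloudflare[.]solutions", "cdjs[.]online", "cdns[.]ws", "msdns[.]online")}

# Absolute (https://host/...) or protocol-relative (//host/...) references.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>()\\]+""", re.IGNORECASE)

def listed_domain(host):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = (host or "").rstrip(".")
    for bad in BAD_DOMAINS:
        if host == bad or host.endswith("." + bad):
            return bad
    return None

def scan_text(text):
    """Return (line_number, url, listed_domain) for every plaintext reference.
    An encoded or obfuscated loader will not match and needs other checks."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in URL_RE.finditer(line):
            try:
                host = urlparse(match.group(0)).hostname  # lowercased by urlparse
            except ValueError:  # malformed authority, e.g. an unbalanced "["
                continue
            bad = listed_domain(host)
            if bad:
                hits.append((lineno, match.group(0), bad))
    return hits

# Constructed sample: markup and paths are placeholders, not taken from the campaign.
SAMPLE = "\n".join([
    '<script src="https://cdnjs.cloudflare.com/placeholder.js"></script>',
    '<script src="//%s/placeholder.js"></script>' % refang("cdns[.]ws"),
    "var s = 'https://static.%s/placeholder.js';" % refang("MSDNS[.]online"),
    '<a href="https://%s.example.com/">look-alike, not a hit</a>' % refang("cdjs[.]online"),
    '<img src="https://not%s/placeholder.png">' % refang("cdns[.]ws"),
])

if __name__ == "__main__":
    for lineno, url, bad in scan_text(SAMPLE):
        print(f"line {lineno}: {url} -> {bad}")
```

Matching on the parsed hostname rather than a substring keeps legitimate hosts such as cdnjs.cloudflare.com and look-alike names out of the results.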