WordPress is one of the most used platforms in the world, with more than 75 million websites running its content management system (CMS), and that alone is reason enough for attackers to target WordPress-based sites.
Old Malware New Capabilities
Recently, researchers at the website security firm Sucuri discovered that around 5,500 WordPress websites are infected with malware first identified in April this year and named after its domain, Cloudflare.solutions. At that time the malware had cryptomining capabilities; it has since been equipped with a keylogger.
The malware works by injecting code into the functions.php file used by WordPress themes. It queues Cloudflare[.]
What Has Changed Since April
When researchers first identified the fake domain, its homepage displayed the message “This Server is part of Cloudflare Distribution Network,” whereas the new message claims “This server is part of an experimental science machine learning algorithms project.”
Another change the researchers identified is in the cors.js script. Once decoded, it contains no overtly suspicious code, such as the banner images in the previous version. However, the script loads Yandex.Metrika, Yandex’s alternative to Google Analytics, which a theme file has no legitimate reason to pull in.
Furthermore, Sucuri researchers found two fake Cloudflare domains, one of which is requested with long hexadecimal parameters. These domains may look legitimate, but one of them does not exist, while the other (cdnjs.cloudflare.com) delivers payloads encoded as the hexadecimal string that follows the question mark in the URL. According to the researchers, the script decodes that string and injects the result into web pages, which is what turns it into a keylogger. Note that cdnjs.cloudflare.com is also the hostname of Cloudflare's legitimate cdnjs CDN, so the hostname alone is not an indicator of compromise; the hex-only query string, and what it decodes to, is.
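The two traits described above, a loader injected into a theme's functions.php and a script URL whose payload is hidden in a hex-only query string, are straightforward to hunt for on a server. The script below is an added example written for this page, not code from Sucuri or from the malware itself: it walks wp-content/themes/*/functions.php, extracts every URL, flags known indicator hosts (only cloudflare.solutions, taken from the article) and any URL whose query string is pure hexadecimal, and decodes that query string so an analyst can see what would have been injected. The sample functions.php content and the hex payload in it are constructed for the demonstration; the real injected code is not reproduced here.

```python
"""Hunt WordPress theme functions.php files for injected script loaders."""
import re
from pathlib import Path
from urllib.parse import urlsplit

# Indicator host from the article. cdnjs.cloudflare.com is deliberately NOT listed:
# it is a legitimate CDN hostname, so only its query string is a usable signal.
SUSPECT_HOSTS = {"cloudflare.solutions"}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
HEX_RE = re.compile(r"^[0-9a-fA-F]{8,}$")  # at least 8 hex digits, nothing else

# Constructed sample of a tampered theme file (assumption, not the real injection).
SAMPLE_FUNCTIONS_PHP = """<?php
function theme_setup() { add_theme_support('title-tag'); }
add_action('after_setup_theme', 'theme_setup');
add_action('wp_footer', function () {
    echo '<script src="https://cloudflare.solutions/ajax/libs/fake.js"></script>';
    echo '<script src="https://cdnjs.cloudflare.com/lib.js?6b65796c6f67676572"></script>';
    echo '<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>';
});
"""


def decode_hex_query(query):
    """Decode a hex-only query string to text; None if it is not decodable hex."""
    if not HEX_RE.match(query):
        return None
    try:
        return bytes.fromhex(query).decode("utf-8", errors="replace")
    except ValueError:  # odd number of digits
        return None


def scan_text(text, source="<string>"):
    """Return a finding for every URL that hits an indicator host or carries a hex-only query."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        reasons = []
        decoded = None
        if host in SUSPECT_HOSTS:
            reasons.append("known indicator host")
        if parts.query and HEX_RE.match(parts.query):
            reasons.append("hex-only query string")
            decoded = decode_hex_query(parts.query)
        if reasons:
            findings.append({"source": source, "url": url, "host": host,
                             "reasons": reasons, "decoded": decoded})
    return findings


def scan_theme_dir(themes_root):
    """Scan every theme's functions.php under a wp-content/themes directory."""
    findings = []
    for path in sorted(Path(themes_root).glob("*/functions.php")):
        findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; point scan_theme_dir at a real install instead.
    for finding in scan_text(SAMPLE_FUNCTIONS_PHP, "sample functions.php"):
        print(f"{finding['source']}: {finding['url']}")
        print(f"  reasons: {', '.join(finding['reasons'])}")
        if finding["decoded"] is not None:
            print(f"  decoded query: {finding['decoded']!r}")
```

On a live server, run scan_theme_dir("/var/www/html/wp-content/themes") and treat any hit as a reason to diff the theme against a clean copy. The legitimate jQuery URL in the sample is not reported because a real CDN hostname with a normal path is exactly what the lookalike is trying to blend in with; the decoder is what separates the two.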