The deceptive Cloudflare block page that signals WordPress infection
On Sep 15, we detected a malicious campaign. It was evident that the attackers we discovered were using phishing techniques to trick users into downloading a malicious binary file. They used a fake message on websites stating that a user has been blocked by Cloudflare. Meanwhile, infected websites getting the message would not necessarily even use Cloudflare services.
Nevertheless, once the user clicked on this fake popup, the binary malware was downloaded to their computer. Clicking on "Check the system" button leads to a malicious binary (sha256: fee5d6b401c6b0164da2bb7472bdd9b4914c4725d03b2029687756e21bb24dc9) downloading. Here is the download link revealed:
The archive being downloaded is only 10 MB, but the unpacked binary weighs about 700 MB. It seems evident that the attackers intentionally went for distributing the sizes of packages in such a way that these files will go under the radar and will not be uploaded to numerous online virus scanning services.
In all the cases of infection, we found an identical injection in the website files. It looks like this:
The injection is heavily obfuscated, unfortunately, but it can be discovered if one looks for the following pattern:
This code, after being executed, injects another malicious script into the source code of the page:
The code shown above loads the HTML code of the fake Cloudflare form using the following url:
Upon discovering this infection, we went for an investigation. After examining the web server logs, we found out that the hackers used the very same method in all of the registered cases.
For this attack to start, the hacker needs to have access to the compromised WordPress administrator account. After successful authorization, the attacker needs to install the wp-file-manager plugin.
188.8.131.52 - - [15/Sep/2022:08:55:44 -0400] "POST /wp-login.php HTTP/2.0" 302 - "https://victim/wp-login.php" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
184.108.40.206 - - [15/Sep/2022:08:55:54 -0400] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 193 "https://victim/wp-admin/plugin-install.php?s=file+manager&tab=search&type=term" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
220.127.116.11 - - [15/Sep/2022:08:56:42 -0400] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 279 "https://victim/wp-admin/admin.php?page=wp_file_manager" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
In all of the cases we registered, the IP address from witch this attack was carried out was the same: 18.104.22.168.
Indicators of Compromise
How to protect your website from infection
Please consider following these steps:
- Update the software on a regular basis.
- Use 2FA and strong passwords
- Deploy a firewall (Imunify360 protection).
The Imunify team cares about your infrastructure security. We always strive to keep you up-to-date with all the information necessary to protect your website and make sure that your business runs smoothly at all times. Please don't hesitate to address any questions you have about protecting your website from malicious activity to our Imunify360 support team.