October 22, 2024
Severity
High
Analysis Summary
Threat actors are installing malicious plugins on WordPress websites that spread information-stealing malware by displaying fake software update prompts and error messages.
Information-stealing malware has become a global scourge for defenders in recent years, because the credentials it harvests are then used to infiltrate networks and steal data. Since 2023, a malicious campaign known as ClearFake has distributed information-stealing malware by displaying fake web browser update banners on compromised websites.
A new campaign named ClickFix, launched in 2024, is similar to ClearFake but instead presents fake software error messages with an attached "fix". These "fixes" are PowerShell scripts that, when run, download and install data-stealing malware. ClickFix campaigns have become more prevalent this year: threat actors compromise websites to display banners announcing fictitious errors in Google Chrome, Google Meet conferences, Facebook, and even captcha pages.
Researchers revealed last week that the ClearFake/ClickFix threat actors had infiltrated more than 6,000 WordPress websites to install malicious plugins that show the phony alerts linked to these campaigns. These ostensibly genuine plugins are made to look innocuous to website administrators, but they include malicious scripts that trick users into updating their browsers. Some of the malicious plugins use generic, made-up names, while others use names that seem close to those of genuine plugins, such as Wordfence Security and LiteSpeed Cache. Between June and September 2024, the following list of malicious plugins was observed during this campaign:
Researchers also report that a fake plugin called "Universal Popup Plugin" is part of this campaign. Once installed, the malicious plugin injects a malicious JavaScript script into the site's HTML by hooking various WordPress actions (which actions depends on the variant). When this script runs, it attempts to load a second malicious JavaScript file stored in a Binance Smart Chain (BSC) smart contract, which in turn loads the ClearFake or ClickFix script that displays the bogus banners.
An analysis of web server access logs indicates that the threat actors use previously obtained credentials to log in to the WordPress site and install the plugin automatically. They never request the site's login page first; instead, they authenticate with a single POST HTTP request. This suggests the process is automated and runs after the credentials have already been acquired. Once logged in, the threat actor uploads and installs the malicious plugin.
The researchers note that it is unclear how the threat actors are acquiring the credentials; phishing, information-stealing malware, and brute-force attacks are all possible sources. WordPress site operators who receive reports of fake notifications being shown to visitors should immediately review the list of installed plugins and remove any they did not install themselves. If unknown plugins are found, also change the admin users' passwords right away to unique ones used nowhere else.
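As an added example (not from the advisory or the researchers' tooling), the following Python script scans constructed Apache-style access log lines for the login pattern described above: a POST to wp-login.php from a client that never requested the login page, followed by a plugin upload through WordPress's update.php?action=upload-plugin endpoint. The log lines, IP addresses and plugin slug are constructed sample data.

```python
import re

# Constructed Apache combined-format access log lines (sample data, not from the advisory).
SAMPLE_LOG = """\
203.0.113.10 - - [22/Oct/2024:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Oct/2024:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Oct/2024:10:02:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Oct/2024:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [22/Oct/2024:11:00:01 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5000 "-" "python-requests/2.31"
198.51.100.7 - - [22/Oct/2024:11:00:02 +0000] "GET /wp-admin/plugins.php?action=activate&plugin=universal-popup-plugin/index.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
"""

# Fields we need from each line: client IP, timestamp, request method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_log(text):
    """Yield one dict per well-formed access log line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_suspicious_logins(text):
    """Flag client IPs that POST credentials to wp-login.php without ever
    fetching the login page first (the scripted pattern the advisory
    describes), and record whether a plugin upload follows from that IP."""
    fetched_login_page = set()
    findings = {}
    for r in parse_log(text):
        path = r["path"].split("?", 1)[0]
        if path.endswith("/wp-login.php"):
            if r["method"] == "GET":
                fetched_login_page.add(r["ip"])
            elif r["method"] == "POST" and r["ip"] not in fetched_login_page:
                findings.setdefault(
                    r["ip"], {"blind_post_login": True, "plugin_upload": False})
        elif (r["ip"] in findings and r["method"] == "POST"
              and "action=upload-plugin" in r["path"]):
            findings[r["ip"]]["plugin_upload"] = True
    return findings

if __name__ == "__main__":
    for ip, f in find_suspicious_logins(SAMPLE_LOG).items():
        print(ip, f)
```

A browser-driven login normally shows a GET of wp-login.php before the POST, so the interactive client 203.0.113.10 is not flagged while the scripted client 198.51.100.7 is.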
Impact
- Information Theft
- Unauthorized Access
Indicators of Compromise
Domain Name
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enhance the security of your WordPress site by implementing two-factor authentication.
- Keep your WordPress core and all installed plugins up to date.
- Conduct regular security audits of your WordPress site.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Maintain daily backups of all computer networks and servers.
- Keep all software, operating systems, and applications updated with the latest security patches.
- Continuously monitor network and system logs for unusual or suspicious activities.
- Review and secure website code to prevent open redirect vulnerabilities.
- Educate all site administrators about security best practices and the potential risks associated with phishing emails, fake security advisories, and malicious plugins.