
Mar 06, 2025 | Ravie Lakshmanan | Data Breach / Website Security

More than 1,000 websites running WordPress have been compromised by malicious third-party JavaScript code that injects four separate backdoors.

“The presence of four backdoors allows attackers to maintain multiple points of re-entry, making it more challenging to completely remove their access, even if one backdoor is detected and eliminated,” c/side researcher Himanshu Anand said in a recent analysis.

The malicious JavaScript code is being served from the domain cdn.csyndication[.]com. Currently, 908 websites have been found to contain references to this domain.

The four backdoors work as follows:

  • Backdoor 1: Uploads and installs a fake plugin named “Ultra SEO Processor” to execute attacker-issued commands.
  • Backdoor 2: Injects malicious JavaScript into the wp-config.php file.
  • Backdoor 3: Adds an attacker-controlled SSH key to the ~/.ssh/authorized_keys file to enable persistent remote access to the machine.
  • Backdoor 4: Executes remote commands and fetches another payload from gsocket[.]io, likely to establish a reverse shell.

To minimize the risk posed by these attacks, users are advised to delete unauthorized SSH keys, rotate WordPress admin credentials, and monitor system logs for suspicious activity.

This development comes as a cybersecurity company reported another malware campaign compromising over 35,000 websites with malicious JavaScript that “fully hijacks the user’s browser window” to redirect visitors to Chinese-language gambling platforms.

The attack appears to be targeting regions where Mandarin is commonly spoken, and the final landing pages display gambling content under the ‘Kaiyun’ brand.

The redirections occur through JavaScript hosted on five different domains, which serves as a loader for the main payload responsible for the redirects:

  • mlbetjs[.]com
  • ptfafajs[.]com
  • zuizhongjs[.]com
  • jbwzzzjs[.]com
  • jpbkte[.]com
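As an added example (not code from the article, c/side, or the company behind the redirect report), the following POSIX shell script checks a WordPress document root and an SSH authorized_keys file for the indicators described in the two campaigns above: references to the named hosts, a script tag inside wp-config.php, the fake "Ultra SEO Processor" plugin header, and SSH keys absent from an admin-maintained allowlist. The file layout, the known_keys allowlist file and the sample site it builds are assumptions; the make_sample_site helper writes constructed placeholder content only, not real malware or key material.

```shell
#!/bin/sh
# Added triage helper (not from the article): scans a WordPress root plus an
# authorized_keys file for the indicators named above. Layout, allowlist file
# and sample content are assumptions made for this demonstration.

# Hosts named in the article (written with [.] there; plain here for matching).
IOC_DOMAINS="cdn.csyndication.com gsocket.io mlbetjs.com ptfafajs.com zuizhongjs.com jbwzzzjs.com jpbkte.com"

# scan_wp_install <wp_root> <authorized_keys> <known_keys>
# Prints one line per finding; returns 1 if anything was found, 0 if clean.
scan_wp_install() {
  root="$1"; auth_keys="$2"; known_keys="$3"; found=0

  # 1. Any file under the root that references a known-bad host.
  for d in $IOC_DOMAINS; do
    if grep -rlF -- "$d" "$root" >/dev/null 2>&1; then
      echo "IOC_DOMAIN $d"; found=1
    fi
  done

  # 2. wp-config.php should be pure PHP; an injected <script> tag (backdoor 2) is a red flag.
  if grep -qi '<script' "$root/wp-config.php" 2>/dev/null; then
    echo "WPCONFIG_SCRIPT_TAG $root/wp-config.php"; found=1
  fi

  # 3. The fake "Ultra SEO Processor" plugin (backdoor 1), located by its plugin header.
  if grep -rlF -- 'Plugin Name: Ultra SEO Processor' "$root/wp-content/plugins" >/dev/null 2>&1; then
    echo "FAKE_PLUGIN Ultra SEO Processor"; found=1
  fi

  # 4. authorized_keys entries missing from the allowlist (backdoor 3). If the
  #    allowlist file does not exist, every key is reported as unknown.
  if [ -f "$auth_keys" ]; then
    while IFS= read -r line; do
      case "$line" in ''|'#'*) continue ;; esac
      if ! grep -qxF -- "$line" "$known_keys" 2>/dev/null; then
        echo "UNKNOWN_SSH_KEY ${line##* }"; found=1   # report the key comment field
      fi
    done < "$auth_keys"
  fi
  return "$found"
}

# make_sample_site: builds a constructed, infected-looking site in a temp dir
# and prints its path. Key strings are placeholders, not real key material.
make_sample_site() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/plugins/ultra-seo-processor" "$site/wp-content/themes/demo"
  printf '<?php\ndefine("DB_NAME", "wp");\n?>\n<script src="https://cdn.csyndication.com/x.js"></script>\n' \
    > "$site/wp-config.php"
  printf '<?php\n/*\nPlugin Name: Ultra SEO Processor\n*/\n' \
    > "$site/wp-content/plugins/ultra-seo-processor/plugin.php"
  printf '<?php echo "hello";\n' > "$site/wp-content/themes/demo/index.php"
  printf 'ssh-ed25519 AAAAC3KNOWN admin@example\n' > "$site/known_keys"
  printf 'ssh-ed25519 AAAAC3KNOWN admin@example\nssh-ed25519 AAAAC3EVIL attacker@unknown\n' \
    > "$site/authorized_keys"
  echo "$site"
}

# Stand-alone demo against the constructed sample site.
demo_site=$(make_sample_site)
scan_wp_install "$demo_site" "$demo_site/authorized_keys" "$demo_site/known_keys"
echo "scan exit status: $? (1 = findings present)"
rm -rf "$demo_site"
```

On a real host, point scan_wp_install at the site's document root, the account's ~/.ssh/authorized_keys and an allowlist of keys the administrator actually issued; every UNKNOWN_SSH_KEY line is a candidate for removal, and any IOC_DOMAIN hit should be treated as a sign that credentials need rotating and logs need review.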

A recent report from Group-IB also revealed a threat actor known as ScreamedJungle that injects JavaScript code named Bablosoft JS into compromised Magento websites to collect fingerprints of visiting users, impacting over 115 e-commerce sites to date.

The injected script is part of the Bablosoft BrowserAutomationStudio (BAS) suite and contains several functions that collect information about the system and browser of users visiting the compromised website, according to the Singaporean company. Group-IB reported that the attackers exploit known vulnerabilities in outdated Magento versions (e.g., CVE-2024-34102, aka CosmicSting, and CVE-2024-20720) to breach the sites.

The financially motivated threat actor was first observed in the wild in late May 2024. It relies on browser fingerprinting, a technique commonly used by websites to track user activity and tailor marketing, which cybercriminals also exploit to mimic legitimate user behavior, evade security measures, and carry out fraud.
