
WordPress, the ongoing malvertising campaign is evolving

WordFence: The ongoing malvertising campaign is evolving. Cybercriminals are adding backdoors and targeting new plugins to inject malicious JavaScript into sites, which redirects visitors to harmful content such as malware droppers and fraud sites

The ongoing malvertising campaign against WordPress is evolving: it now adds backdoors and targets new plugins, as reported by WordFence security researchers. Cybercriminals are distributing redirect and popup code through a number of public vulnerabilities affecting the blogging platform's ecosystem. Much of the campaign has remained the same since July: known vulnerabilities in WordPress plugins are exploited to inject malicious JavaScript into the frontends of victim sites, which causes the sites' visitors to be redirected to potentially harmful content such as malware droppers and fraud sites. Where possible, the payloads are obfuscated in an attempt to avoid detection by WAF and IDS software. However, some new indicators of compromise (IOCs) have since been linked to this campaign.

The cyber security experts: The plugins currently under attack are Bold Page Builder, Blog Designer, Live Chat with Facebook Messenger, Yuzo Related Posts, Visual CSS Style Editor, WP Live Chat Support, Form Lightbox, and Hybrid Composer

During the initial investigation, WordFence identified attacks coming from a number of IP addresses linked to web hosting providers. Shortly after that post, most of the IPs involved ceased the activity. One, however, has continued the attacks: 104.130.139.134, a Rackspace server currently hosting some presumably compromised websites. The security researchers have reached out to Rackspace to inform them of this activity, in the hope that they will take action to prevent further attacks from their network. Furthermore, the WordPress malvertising campaign has been targeting a number of known vulnerabilities, and new ones are added to the list of targets as the attackers discover them. Of particular note is a recently disclosed flaw in the Bold Page Builder plugin. The plugins currently under attack are Bold Page Builder, Blog Designer, Live Chat with Facebook Messenger, Yuzo Related Posts, Visual CSS Style Editor, WP Live Chat Support, Form Lightbox, and Hybrid Composer.

The malvertising campaign picks up new targets over time. Furthermore, cybercriminals have added, alongside the scripts that trigger malicious redirects or unwanted popups, an additional script which attempts to install a backdoor into the target site by exploiting an administrator's session

Moreover, the WordPress malvertising campaign picks up new targets over time. It is reasonable to assume that any unauthenticated XSS or options-update vulnerabilities disclosed in the near future will be quickly targeted by this threat actor. To boost the attacks, cybercriminals added an additional script alongside the ones that trigger malicious redirects or unwanted popups; it attempts to install a backdoor into the target site by exploiting an administrator's session. The code is responsible for attempting to create a new user with administrator privileges on the victim's site. After checking for a cookie to determine whether the given visitor has triggered the payload before, a function is executed to test whether that visitor is capable of creating new users, which would be the case if a logged-in administrator views an affected page.
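On the detection side, as an added example that is not from the article or from WordFence: a Python check over constructed web-server log lines that flags POST requests to the standard WordPress user-creation endpoints (`/wp-admin/user-new.php` and `/wp-json/wp/v2/users`, an assumption, since the article does not say which endpoint the script calls) whose Referer is a front-end page rather than a wp-admin page. That is the shape a user-creation request has when it is fired by a script injected into a public page while a logged-in administrator is viewing it, as opposed to an administrator filling in the wp-admin form.

```python
import re
from urllib.parse import urlparse

# Constructed combined-format access log lines (RFC 5737 addresses, not campaign data).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2019:10:01:02 +0000] "GET /2019/09/post/ HTTP/1.1" 200 5123 "https://www.google.com/" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2019:10:01:03 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://victim.example/2019/09/post/" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2019:11:00:00 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://victim.example/wp-admin/user-new.php" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2019:11:05:00 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 330 "https://victim.example/wp-admin/users.php" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2019:12:00:00 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 330 "https://victim.example/about/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Standard WordPress user-creation endpoints. Assumption: the article does not
# state which of these the campaign's backdoor script uses, so both are watched.
USER_CREATE_PATHS = ("/wp-admin/user-new.php", "/wp-json/wp/v2/users")


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry):
    """True for a user-creation POST whose Referer is not a wp-admin page.
    A legitimate admin submits the wp-admin form; the injected payload runs in
    a public page the admin happens to be viewing. An empty Referer is also
    flagged, since same-origin form posts normally carry one (tune for a strict
    Referrer-Policy)."""
    if entry["method"] != "POST":
        return False
    if not any(entry["path"].startswith(p) for p in USER_CREATE_PATHS):
        return False
    return not urlparse(entry["referer"]).path.startswith("/wp-admin/")


def find_suspicious(log_text):
    """Scan a log and return (ip, timestamp, path, referer) for each hit."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append((entry["ip"], entry["ts"], entry["path"], entry["referer"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious user creation:", hit)
```

Any hit should be cross-checked against the site's user list for an administrator account that nobody on the team created.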
