Sucuri security experts reported that more than 5,500 WordPress sites have been infected with a piece of malware which is capable of logging user input.
This infection is part of an April campaign which was analyzed by the security experts. According to them, the websites were infected with a piece of malware named cloudflare.solutions. At that time, the malware packed cryptominers, and now it is adding keyloggers to the mix.
At present, the cloudflare.solutions malware is present on 5,496 websites, and it looks like the number keeps increasing.
Being injected, the Cloudflare[.]solutions scripts are added to a queue to WordPress sites that use the theme’s function.php, and a fake CloudFlare domain is used in the URLs. Then, one of the URLs loads a copy of a legitimate ReconnectingWebSocket library. After that, the main page of the domain claims that “the server is part of an experimental science machine learning algorithms project.”
To track the infected sites, a cors.js script which is used there loads the Yandex.Metrika (Yandex’s alternative to Google Analytics).
In addition, the experts found two cdnjs.cloudflare.com URLs with long hexadecimal parameters, with both of them belonging to CloudFlare. Nevertheless, these are not legitimate and one of them doesn’t even exist – it’s a link to payloads delivered in the form of hexadecimal numbers after the question mark in the URLs.
The purpose of the script is to decode the payloads and inject the result into the websites, which results in the malicious keylogger.
“This script adds a handler to every input field on the websites to send its value to the attacker (wss://cloudflare[.]solutions:8085/) when a user leaves that field,” the Sucuri researchers say.
In case the WordPress site has some ecommerce functionality, the keylogger lets the attackers steal payment details embedding a checkout form, as well as login credentials. Besides, the cloudflare[.]solutions keylogger can be injected to login pages as well.
Due to the fact that the malicious code is hidden in the function.php file of the WordPress theme, removing the add_js_scripts function and the add_action clauses which mention add_js_scripts should prevent the attack.
“Given the keylogger functionality of this malware, you should consider all WordPress passwords compromised so the next mandatory step of the cleanup is changing the passwords (actually it is highly recommended after any site hack),” the Sucuri team states.
Considering the fact that cloudflare.solutions injects coinhive cryptocurrency miner scripts to the sites, the admins are strongly advised to check their websites for some other infections.