Rewterz Threat Alert – Compromised WordPress Websites Leveraging Visitors’ Browsers to Breach Other Sites – Active IOCs

Severity

High

Analysis Summary

Cybercriminals are targeting WordPress websites to inject scripts that make visitors’ browsers to brute-force passwords to compromise other websites. This new campaign has been linked to a threat actor infamous for hijacking websites for injecting scripts to drain crypto wallets and steal cryptocurrency.

When someone visits these compromised websites, the injected scripts will display misleading prompts and messages to lure the unsuspecting users into connecting their wallets to the website, resulting in the scripts stealing all the crypto assets. These kinds of scripts have become common since last year among threat actors, who create fraudulent Web3 websites containing wallet drainers. Afterward, they compromise X accounts, take out X and Google advertisements, or create YouTube videos to promote the fake sites.

Cybersecurity researchers have reported that the attacker was using compromised WordPress websites to inject the AngelDrainer wallet drainer in widespread multiple attacks using various URLs. In February, the attacker started compromising visitors’ browsers to inject malicious scripts that would brute-force credentials of other WordPress websites. The threat actor first compromised a WordPress site as part of this campaign to inject code into the HTML templates so that when any user accesses the website, the scripts are loaded into their browsers and cause the browsers to stealthily contact the attacker’s server and retrieve a password brute-forcing command.

This task is in the form of a JSON file and contains the parameters for the brute-force attack like the website URL, an ID, a number that shows the current batch of passwords to go through, an account name, and about one hundred passwords to brute force. After the task is successfully received, the script then forces the visitor’s browser to quietly upload a file through the WordPress site’s XMLRPC interface by utilizing the account name and passwords provided in the JSON file data.

If one of the passwords turns out to be accurate, the script then notifies the attacker’s server about it. The threat actor is then able to connect to the website to receive the uploaded file that contains the base64 encoded username and password. The malicious script causes the browser to continuously connect back to the threat actor’s server as long as the page remains open to receive a new task for execution.

An alarming discovery shows that there are more than 1,700 websites that are infected with these scripts or loaders, targeting numerous users who will be unknowingly involved in this distributed brute-force attack. A researcher even found the website of Ecuador’s Association of Private Banks being compromised in this campaign and acting as a watering hole for thousands of users. It is currently not clear as to why the attackers switched to brute-forcing websites from injecting crypto wallet drainers, but it is believed to create an expanded portfolio of websites from which they can launch large-scale attacks.

Impact

• Credential Theft
• Unauthorized Access
• Code Execution

Indicators of Compromise

Domain Name

• dynamiclink.lol
• dynamic-linx.com
• billlionair.app

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Verify the domain of URLs.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Implement advanced email filtering solutions that detect and block phishing emails before they reach users’ inboxes.
• Enhance the security of your WordPress site by implementing two-factor authentication. 
• Keep your WordPress core and all installed plugins up to date.
• Conduct regular security audits of your WordPress site.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets
• Maintain daily backups of all computer networks and servers.
• Keep all software, operating systems, and applications updated with the latest security patches.
• Continuously monitor network and system logs for unusual or suspicious activities.
• Review and secure website code to prevent open redirect vulnerabilities.
• Educate all site administrators about security best practices and the potential risks associated with phishing emails, fake security advisories, and malicious plugins.