In recent news, threat actors have escalated their tactics by utilizing fake browser updates to distribute malware, specifically by weaponizing numerous WordPress plug-ins to deliver infostealing payloads to unsuspecting victims. This malicious campaign, known as ClickFix, has alarmed domain registrar GoDaddy, as they detected over 6,000 infected WordPress sites in just a one-day period from September 2 to September 3.
The attackers behind this campaign used stolen WordPress admin credentials to install deceptive plug-ins on compromised websites, an attack chain that bypasses the need to exploit any known vulnerability in the WordPress ecosystem. Denis Sinegubko, principal security engineer at GoDaddy, highlighted the insidious nature of these seemingly harmless plug-ins, which embed malicious scripts that trigger fake browser update alerts for end users.
This campaign leverages fake WordPress plug-ins to introduce JavaScript elements that lead to ClickFix’s phony browser updates, utilizing blockchain and smart contracts to retrieve and distribute harmful payloads. By employing social engineering tactics, users are deceived into believing they are updating their browsers when, in reality, they are executing malicious code that can compromise their systems with various forms of malware and information-stealing agents.
It is noteworthy that another similar cluster of fake browser update activity, known as ClearFake, was initially identified in April, targeting legitimate websites with malicious HTML and JavaScript. That campaign initially focused on Windows systems and later expanded its reach to macOS as well. While some researchers have linked ClickFix to ClearFake, detailed analyses have underscored significant differences between the two campaigns, implying that they are distinct activity clusters running independently.
The recent variant of ClickFix, as described by GoDaddy, delivers fake browser update malware through counterfeit WordPress plug-ins bearing generic titles like “Advanced User Manager” and “Quick Cache Cleaner.” These malevolent plug-ins are designed to appear innocuous to website administrators but are actually laden with embedded scripts that generate deceptive browser update prompts for end users.
Moreover, GoDaddy’s investigation revealed that the plug-in metadata, including names, URLs, descriptions, versions, and authors, is entirely fabricated so as to deceive administrators without raising immediate suspicion. Researchers also detected that plug-in names were generated automatically, and a recurring pattern in the JavaScript file names allowed them to identify related malicious plug-ins such as Easy Themes Manager and Content Blocker.
The automated creation of these malevolent plug-ins, coupled with their systematic naming conventions referencing non-existent GitHub repositories, underscores the complexity and scale of this malicious operation. By working from a common template, the threat actors can swiftly produce a vast array of plausible plug-in names infused with hidden JavaScript, enabling them to scale their illicit activities and evade easy detection.
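The traits described above (generic titles, fabricated header metadata pointing at GitHub, and scripts injected into every visitor's page) are things a site owner can triage for directly on disk. The following is an added example, not code from GoDaddy's report or from WordPress: a small Python scanner that walks a `wp-content/plugins` directory, parses each plug-in's header comment, and records reasons a human should inspect it. The plug-in titles in `KNOWN_FAKE_TITLES` are the four named in the article; the sample plug-in tree it builds under a temporary directory is constructed for the demo, and the hosts and repository URLs in it are placeholders.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# WordPress reads plug-in metadata from the comment block at the top of the main PHP file.
HEADER_FIELDS = ("Plugin Name", "Plugin URI", "Description", "Version", "Author", "Author URI")

# Generic titles the article attributes to the campaign; a lookup aid, not a complete IoC list.
KNOWN_FAKE_TITLES = {
    "advanced user manager", "quick cache cleaner", "easy themes manager", "content blocker",
}

# Hooks a plug-in can use to push markup into every front-end page a visitor loads.
FRONTEND_HOOK_RE = re.compile(r"add_action\s*\(\s*['\"](wp_head|wp_footer|wp_enqueue_scripts)['\"]")
INLINE_SCRIPT_RE = re.compile(r"<script\b", re.I)
# Captures the host of any src="..." that points at an external origin.
EXTERNAL_SRC_RE = re.compile(r"""src\s*=\s*['"]?(?:https?:)?//([^/'"\s>]+)""", re.I)


def parse_plugin_header(php_source: str) -> dict:
    """Extract the WordPress plug-in header fields from the first comment block."""
    header = {}
    match = re.search(r"/\*(.*?)\*/", php_source, re.S)
    if not match:
        return header
    for raw in match.group(1).splitlines():
        line = raw.strip().lstrip("*").strip()
        for name in HEADER_FIELDS:
            if line.lower().startswith(name.lower() + ":"):
                header[name] = line.split(":", 1)[1].strip()
    return header


@dataclass
class Finding:
    plugin_dir: str
    plugin_name: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _read(path: str) -> str:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def analyze_plugin(plugin_dir: str) -> Finding:
    """Triage one plug-in directory and collect the reasons it deserves a closer look."""
    files = sorted(os.path.join(r, f) for r, _, fs in os.walk(plugin_dir) for f in fs)
    php_files = [p for p in files if p.endswith(".php")]
    header = {}
    for path in php_files:  # the first PHP file carrying "Plugin Name:" is the main file
        header = parse_plugin_header(_read(path))
        if "Plugin Name" in header:
            break
    name = header.get("Plugin Name", os.path.basename(plugin_dir))
    finding = Finding(plugin_dir, name)

    if name.strip().lower() in KNOWN_FAKE_TITLES:
        finding.reasons.append(f"title '{name}' matches a plug-in name reported in the campaign")
    for uri_field in ("Plugin URI", "Author URI"):
        uri = header.get(uri_field, "")
        if "github.com" in uri.lower():
            finding.reasons.append(f"{uri_field} points at GitHub ({uri}); confirm the repository exists")
    for path in php_files:
        src = _read(path)
        if FRONTEND_HOOK_RE.search(src) and INLINE_SCRIPT_RE.search(src):
            rel = os.path.relpath(path, plugin_dir)
            finding.reasons.append(f"{rel} emits a <script> tag from a front-end hook")
    hosts = sorted({h for p in files if p.endswith((".php", ".js")) for h in EXTERNAL_SRC_RE.findall(_read(p))})
    for host in hosts:
        finding.reasons.append(f"loads script or content from external host {host}")
    return finding


def scan_plugins_dir(root: str) -> list:
    """Analyze every immediate subdirectory of a wp-content/plugins folder."""
    return [analyze_plugin(os.path.join(root, d)) for d in sorted(os.listdir(root))
            if os.path.isdir(os.path.join(root, d))]


def build_sample_tree() -> str:
    """Construct a throwaway plugins folder with one benign and one suspicious plug-in (demo data)."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "site-maintenance-note/site-maintenance-note.php": (
            "<?php\n/*\nPlugin Name: Site Maintenance Note\nPlugin URI: https://example.invalid/note\n"
            "Description: Adds an admin notice.\nVersion: 2.3\nAuthor: Example Dev\n*/\n"
            "add_action('admin_notices', 'smn_notice');\n"
            "function smn_notice() { echo '<div class=\"notice\">Maintenance scheduled.</div>'; }\n"),
        "quick-cache-cleaner/quick-cache-cleaner.php": (
            "<?php\n/*\nPlugin Name: Quick Cache Cleaner\n"
            "Plugin URI: https://github.com/placeholder-org/quick-cache-cleaner\n"
            "Description: Clears cached pages.\nVersion: 1.0\nAuthor: WP Tools\n*/\n"
            "add_action('wp_footer', 'qcc_footer');\n"
            "function qcc_footer() { echo '<script src=\"https://cdn.example.invalid/u.js\"></script>'; }\n"),
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_plugins_dir(build_sample_tree()):
        print(f"{f.plugin_name}: {'REVIEW' if f.suspicious else 'ok'}")
        for r in f.reasons:
            print("  -", r)
```

Point `scan_plugins_dir` at a real `wp-content/plugins` path to use it on a live site. A hit on the GitHub check is not proof by itself; it is a prompt to open the URL, since the article's distinguishing signal is that the referenced repositories do not exist. Legitimate plug-ins also enqueue front-end scripts, so treat the output as a review queue, not a verdict.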
Although how the attackers obtained the WordPress admin credentials used to launch the ClickFix campaign remains unclear, potential vectors such as brute-force attacks and phishing campaigns aimed at stealing legitimate login credentials have been highlighted. Since the campaign’s payloads install various infostealers on victims’ systems, it is also plausible that the threat actors harvest fresh admin credentials through those very infostealers.
It is crucial for individuals to adhere to best practices in password protection and exercise caution when interacting with unfamiliar websites or messages that request sensitive information. GoDaddy has also supplied a comprehensive list of indicators of compromise (IoCs) related to the campaign in their blog post, enabling defenders to identify compromised websites and take necessary actions to mitigate the threat.
