Scam WordPress Plugins Encourage Users To Download Malware

Hackers have been using stolen credentials to target WordPress sites with malicious fake plugins, spreading malware and infostealers to unsuspecting users through fake browser update prompts. This new variant of the ClickFix fake browser update malware has already infected over 6,000 sites with fake WordPress plugins since June 2024, adding to the more than 25,000 compromised sites since August 2023, as reported by the GoDaddy security team.

The attackers behind this campaign have not exploited any known vulnerabilities within the WordPress ecosystem but instead have gained access to legitimate WordPress admin credentials for each compromised site. The fake plugins installed by the hackers are designed to look harmless to website administrators but could prompt site visitors with fake browser updates and other malicious messages.

These fake plugins inject malicious JavaScript code that contains a variation of fake browser update malware known as EtherHiding, which uses blockchain and smart contracts to deliver malicious payloads. When executed in the browser, this JavaScript code presents users with fake browser update notifications that guide them to install malware on their devices, including remote access trojans (RATs) and info stealers like Vidar Stealer and Lumma Stealer.

The fake plugins have generic names like “Advanced User Manager” and “Quick Cache Cleaner” and contain only three small files in their directories: index.php, .DS_Store, and a JavaScript file named after a variation of the plugin’s name with a -script.js suffix. The naming scheme of these malicious plugins has led to the discovery of additional ones, each with its own injected script.

The attackers use the wp_enqueue_scripts hook to load the harmful script from the plugin directory into WordPress pages, keeping the underlying code deliberately simplistic to avoid detection. The presence of .DS_Store files in these fake plugins can serve as an indicator of compromise, with specific MD5 and SHA-256 hashes associated with them.
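The structure described above (a tiny plugin directory holding only index.php, .DS_Store and a *-script.js, with index.php hooking wp_enqueue_scripts to load that script) is specific enough to hunt for on disk. The following scanner is an added example written for this article; it is not GoDaddy's tooling and not code from the campaign. It assumes a standard layout where each plugin lives under wp-content/plugins/<slug>/, combines the four indicators rather than firing on any one of them (many legitimate plugins are small), and reports the MD5 and SHA-256 of the .DS_Store and script files so they can be compared against the advisory's published hashes, which are not reproduced here. The sample plugin tree it builds is constructed for the demo and contains a placeholder script body, not a real payload.

```python
"""Heuristic scanner for the fake-plugin shape described in the article.

Added example, not GoDaddy's tooling. Assumes plugins live under
wp-content/plugins/<slug>/. Reported hashes are meant to be compared with the
advisory's IoC list; no real IoC values are embedded here.
"""
import hashlib
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# add_action('wp_enqueue_scripts', ...) registration in index.php
ENQUEUE_HOOK_RE = re.compile(r"add_action\s*\(\s*['\"]wp_enqueue_scripts['\"]", re.I)
# wp_enqueue_script(...) call that actually loads a script file
ENQUEUE_CALL_RE = re.compile(r"wp_enqueue_script\s*\(", re.I)


@dataclass
class Finding:
    plugin_dir: str
    reasons: List[str] = field(default_factory=list)
    hashes: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # file -> (md5, sha256)


def file_hashes(path: Path) -> Tuple[str, str]:
    data = path.read_bytes()
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def inspect_plugin(plugin_dir: Path) -> Optional[Finding]:
    """Return a Finding when a plugin directory matches the described shape, else None."""
    files = sorted(p.name for p in plugin_dir.iterdir() if p.is_file())
    reasons: List[str] = []
    # Indicator 1: only a handful of files in the plugin.
    if len(files) <= 3:
        reasons.append(f"only {len(files)} file(s): {', '.join(files)}")
    # Indicator 2: macOS .DS_Store metadata shipped inside the plugin.
    if ".DS_Store" in files:
        reasons.append(".DS_Store present")
    # Indicator 3: a <name>-script.js file beside index.php.
    js_files = [f for f in files if f.endswith("-script.js")]
    if js_files:
        reasons.append(f"suffix-named script: {', '.join(js_files)}")
    # Indicator 4: index.php enqueues a plugin-local script on wp_enqueue_scripts.
    index = plugin_dir / "index.php"
    if index.is_file() and js_files:
        src = index.read_text(errors="replace")
        if ENQUEUE_HOOK_RE.search(src) and ENQUEUE_CALL_RE.search(src):
            reasons.append("index.php enqueues plugin-local script on wp_enqueue_scripts")
    # Require the combination of indicators, not any single one.
    if ".DS_Store" in files and js_files and len(reasons) >= 3:
        finding = Finding(str(plugin_dir), reasons)
        for name in [".DS_Store", *js_files]:
            finding.hashes[name] = file_hashes(plugin_dir / name)
        return finding
    return None


def scan_plugins(plugins_root: Path) -> List[Finding]:
    findings = []
    for d in sorted(plugins_root.iterdir()):
        if d.is_dir():
            f = inspect_plugin(d)
            if f:
                findings.append(f)
    return findings


def build_sample_tree(root: Path) -> Path:
    """Constructed sample: one plugin shaped like the article's description, one benign one."""
    fake = root / "advanced-user-manager"
    fake.mkdir(parents=True)
    (fake / "index.php").write_text(
        "<?php\n/* Plugin Name: Advanced User Manager */\n"
        "add_action('wp_enqueue_scripts', function () {\n"
        "  wp_enqueue_script('aum', plugin_dir_url(__FILE__) . 'advanced-user-manager-script.js');\n"
        "});\n"
    )
    (fake / "advanced-user-manager-script.js").write_text("/* placeholder script body */\n")
    (fake / ".DS_Store").write_bytes(b"\x00\x00\x00\x01Bud1")  # fake header bytes, constructed
    benign = root / "hello-dolly"
    benign.mkdir()
    (benign / "hello.php").write_text("<?php /* Plugin Name: Hello Dolly */\n")
    (benign / "readme.txt").write_text("benign sample\n")
    return root


def run_demo() -> List[Finding]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_plugins(build_sample_tree(Path(tmp) / "plugins"))


if __name__ == "__main__":
    for f in run_demo():
        print(f.plugin_dir)
        for r in f.reasons:
            print("  -", r)
        for name, (md5, sha256) in f.hashes.items():
            print(f"  {name}: md5={md5} sha256={sha256}")
```

Run it against a real install with `scan_plugins(Path("/var/www/html/wp-content/plugins"))`; a hit is a reason to review the plugin and its install time in the admin activity log, not proof on its own, so compare the reported hashes with the advisory's list before acting.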

The GoDaddy advisory speculates that the stolen WordPress admin credentials may have been obtained through brute-force attacks, phishing campaigns, or malware infections on the website admins’ computers. Implementing multi-factor authentication and other access controls, like device ID and location verification, could help protect against the misuse of stolen credentials in such attacks.

Overall, this malicious campaign highlights the importance of safeguarding WordPress sites and being cautious of fake plugins and update prompts. Website administrators and users alike should stay vigilant and implement security measures to prevent falling victim to these types of cyber threats.
