The Sucuri team said access is gained to WordPress sites through plugin vulnerabilities, including Simple Fields and CP Contact Form with PayPal. A large uptick in this activity was picked up during the third week of January.
Once inside a WordPress site the JS redirects visitors at first to four malicious sites, gotosecond2[.]com, adsformarket[.]com, admarketlocation[.]com, and admarketresearch[.]xyz. Next the URL statistic[.]admarketlocation[.]com/clockwork?&se_referrer= or track[.]admarketresearch[.]xyz/?track&se_referrer= is loaded onto the compromised site which delivers the final malicious JS payload.
This last delivery is quite problematical as it allows the attacker to make additional changes to the site or bring in more malware such as PHP backdoors and hacktools, to help them maintain persistence.
“We encourage website owners to disable the modification of primary folders block hackers from inserting malicious files or includes as part of WordPress security hardening and security best practices,” Sucuri suggested.