Sucuri researchers have uncovered what they described as a massive WordPress redirecting campaign targeting vulnerable tagDiv themes and Ultimate Member plugins.
The main contributors to the infections are the two-year-old vulnerability in tagDiv's themes and the newly discovered vulnerability in a popular Ultimate Member plugin, which boasts 100,000+ active installations, according to an Aug. 22 blog post.
“When redirected, users see annoying pages with random utroro[.]com addresses and fake reCAPTCHA images,” researchers said in the post. “The messages and content try to convince visitors to verify and subscribe to browser notifications without disclosing the purpose of this behavior.”
The tagDiv themes vulnerability was patched shortly after it was discovered in 2017, and the Ultimate Member plugin was patched on Aug. 9, 2018. Many of the attacks were spotted in the wild before the patches were issued.
Threat actors probed the WordPress sites for the Ultimate Member plugin and then used the vulnerability to upload a fake image, usually an image file with added PHP code. The hackers then used this file to create a backdoor to inject a variety of malicious code into files on the server.
“Every few days, hackers return and reuse the n.php backdoor (or upload a new one) to reinfect websites with a new revision of the malicious code,” researchers said in the post. “Because of the poor quality of the injector, you may find different versions of the malware sitting in the same file.”
The attack is carried out by malware scripts injected from one of two sites, one used in the initial stage of the campaign and the other introduced about a week later.
Researchers were able to analyze both malicious scripts because of sloppy coding on the part of the threat actors, who did not remove the previously injected code when they reinfected the websites with the new version of the malware.
Researchers said a successful infection will be limited to files that belong to one server account. However, if the account hosts more than one site, all of those sites will be infected even if they do not have the Ultimate Member plugin or any other vulnerable component; researchers added that non-WordPress sites can also be infected in this way.
To prevent infection, researchers advise site owners to update all themes and plugins, clean and harden all sites that share the same server account, and, in the case of Ultimate Member exploitation, delete all PHP files in subdirectories.
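As an added defender-side example (not Sucuri's code or tooling), a small scanner for the two artefacts described above: PHP files sitting in upload subdirectories and image files carrying an embedded PHP open tag. The sample directory tree it builds is constructed here for illustration; only the n.php file name comes from the article.

```python
import re
import tempfile
from pathlib import Path

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
PHP_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}
# A PHP open tag anywhere in the body; a genuine image never contains one.
PHP_TAG = re.compile(rb"<\?(php|=)")
# Magic bytes of common image formats (JPEG, PNG, GIF, RIFF/WebP).
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"RIFF")


def scan_uploads(root):
    """Walk an uploads tree and return (relative path, reason) pairs to review."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext in PHP_EXTS:
            # Executable PHP has no business under uploads; this is where the
            # campaign's n.php-style backdoor is dropped.
            findings.append((rel, "php file in uploads"))
        elif ext in IMAGE_EXTS and PHP_TAG.search(path.read_bytes()):
            # An "image" with a PHP open tag is the fake image the campaign uploads.
            reason = "php tag inside image"
            if not path.read_bytes().startswith(IMAGE_MAGIC):
                reason += " (no valid image header)"
            findings.append((rel, reason))
    return findings


def build_sample_tree():
    """Constructed sample uploads directory; contents are placeholders, not real malware."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    month = root / "2018" / "08"
    month.mkdir(parents=True)
    # Clean JPEG: valid header, no PHP.
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    # Fake image: JPEG header with a PHP tag appended (placeholder body).
    (month / "avatar.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php /* placeholder */ ?>")
    # Backdoor file name from the article, placeholder body.
    (month / "n.php").write_bytes(b"<?php /* placeholder */ ?>")
    return root


if __name__ == "__main__":
    for rel, reason in scan_uploads(build_sample_tree()):
        print(f"{reason}: {rel}")
```

Run it against a real wp-content/uploads tree after restoring a known-clean backup to compare what it flags.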