WordPress hit with keylogger, 5,400 sites infected
WordPress hit with keylogger, 5,400 sites infected

The cryptomining malware that has been pushed from cloudflare.solutions since earlier this year has been modified with the addition of keylogger functionality to its mix with PublicWWW reporting that more than 5,400 Wordpress sites are now infected.

The keyloggers are set to steal a variety of data types including basic WordPress login data, but if the WordPress site is an e-commerce platform the criminals can get away with much more valuable payment data.

Cloudflare.solutions malware was first discovered in April and Sucuri noted in a November blog that in addition to cryptocurrency mining it had been updated to include a keylogger and that is is now on at least 5,492 WordPress sites. Sucuri said the new functionality has not changed how the malware is injected, but other changes were noted.

“The first change is the main page of this domain now says: ‘This server is part of an experimental science machine learning algorithms project' instead of ‘This Server is part of Cloudflare Distribution Network,'” wrote Denis Sinegubko, a senior malware researcher at Sucuri.

The creators have also altered the cors.js script so when it is decoded there is no outright suspicious code like those banner images in the previous version, he said.

Another give away that there is something amiss in the code is the inclusion of two long hexadecimal parameters that come after two cdnjs.cloudflare.com URLs. The URLs are fakes and are just there to obfuscate the fact that the hexadecimals are actually keyloggers.

The keyloggers are tuned to grab anything typed into one of WordPresses various information boxes used for both login and, as stated previously, online payments.

Sinegubko suggested that after any such attack users should consider all WordPress passwords compromised and change them just to be safe.

“As we already mentioned, the malicious code resides in the function.php file of the WordPress theme. You should remove the add_js_scripts function and all the add_action clauses that mention add_js_scripts,” he recommended to fully mitigate the issue.