Hacked WordPress sites use visitors' browsers to hack other sites

Hacked WordPress sites use visitors39 browsers to hack other sites

Hackers launch large-scale attacks on WordPress sites to inject scripts that force visitors' browsers to brute-force passwords to other sites.

The campaign was first spotted by cybersecurity firm Sucuri, which tracks a threat actor known for breaching websites to inject crypto wallet-dispersing scripts.


Crypto wallet leaks are malicious scripts that steal all cryptocurrencies and assets when someone accesses their wallet.

When people visit these compromised sites, the scripts display misleading messages to convince users to connect their wallets to the site. However, when they do this, the scripts steal all the contained assets.

These scenarios have become very common over the past year, with threat actors creating fake Web3 sites with wallet drains. They then hack X accounts, create YouTube videos, or remove Google and X ads to promote the sites and steal visitors' cryptocurrency.

Sucuri researchers reported that threat actors are breaching compromised WordPress sites to inject the AngelDrainer wallet leak through multiple channels from multiple URLs, the latest being “dynamiclink(.)lol/cachingjs/turboturbo.js.'

In late February, the threat actor moved from wallet leaks to hijacking visitors' browsers to brute force other WordPress sites. using a malicious script from a newly registered domain 'dynamic-linx(.)com/chx.js'.

Building a brutal army

According to a new report from Sucuri, a threat actor is using compromised WordPress sites to load scripts that force visitors' browsers to perform brute force attacks on other sites for account credentials.

A brute force attack is when a threat actor tries to access an account by using different passwords to guess the correct one. Using credentials, a threat actor can steal data, inject malicious scripts, or encrypt files on a website.

READ  WordPress Developer Docs Showcases New Blocks-Based Remodel – WP Tavern

As part of this hacking campaign, threat actors compromise a WordPress website to inject malicious code into HTML templates. When visitors access the site, the scripts are loaded into their browser from https://dynamic-linx(.)com/chx.js.

These scripts will allow the browser to quietly connect to the threat actor's server, “https://dynamic-linx(.)com/getTask.phpto get a password brute strength task.

This task comes in the form of a JSON file that contains the bruteforce attack parameters: ID, website URL, account name, a number indicating the current batch of passwords, and one hundred passwords to try.

An example of a brute force JSON task
Source: BleepingComputer

After receiving the task, the script will force the visitor's browser to quietly upload a file using the WordPress site's XMLRPC interface, using the account name and passwords in the JSON data.

If the password is correct, the script will notify the threat actor's server that a password for the site has been found. The hacker can then connect to the site to retrieve the downloaded file, which contains a base64-encoded username and password pair.

A script that causes the browser to brute force a site's credentials
Source: BleepingComputer

As long as the page remains open, the malicious script will cause the web browser to reconnect to the attacker's server several times and pick up a new task to perform.

According to the HTML source code search engine PublicHTML, there are currently more than 1,700 websites compromised by these scripts or their loaders, providing a huge pool of users who will be unwittingly conscripted into this distributed brutal army.

CronUp researcher German Fernandez was found that the website of the Association of Private Banks of Ecuador was compromised during this campaign, acting as a conduit for unsuspecting visitors.

It is unclear why threat actors have switched from injecting crypto wallets to brute force other sites. However, Sucuri believes it is necessary to build a more extensive portfolio of sites from which to launch larger-scale attacks, such as crypto-mining attacks.

“Most likely, they realized that with their scale of infection (~1000 compromised sites) crypto-scatters are still not very profitable,” concluded Sucuri researcher Dennis Sinegubko.

“Also, they attract too much attention and their domains get blocked quite quickly. So, it seems reasonable to change the truck to something more stealthy, which at the same time can help increase their portfolio of compromised sites for future waves of infections. be able to monetize in one way or another.”


Leave a Reply

Your email address will not be published. Required fields are marked *