WordPress Websites Targeted in Large-Scale JavaScript-Based Backdoor Attack

Cybersecurity researchers have identified a large-scale infection campaign affecting over 1,000 WordPress-powered websites. Attackers have injected malicious third-party JavaScript that installs multiple backdoors, allowing them to maintain persistent access to compromised sites.

Multiple Backdoors for Persistence

The attack, first observed by c/side researcher Himanshu Anand, involves four separate backdoors embedded within the infected sites. These backdoors ensure attackers maintain multiple entry points even if one is discovered and removed.

The malicious JavaScript is served via the domain cdn.csyndication[.]com, which has been found on at least 908 compromised websites.

Here’s a breakdown of the four backdoors identified in the attack:

• Backdoor 1: Installs a fake WordPress plugin called Ultra SEO Processor, which is then used to execute remote commands issued by the attackers.

• Backdoor 2: Injects malicious JavaScript into the wp-config.php file, a critical configuration file for WordPress installations.

• Backdoor 3: Adds an attacker-controlled SSH key to the ~/.ssh/authorized_keys file, enabling remote access even if WordPress credentials are changed.

• Backdoor 4: Executes remote commands and retrieves another payload from gsocket[.]io, likely to establish a reverse shell for full system access.

Mitigation and Security Recommendations

To prevent further infections and minimize risk, website administrators should take the following security measures:

• Remove Unauthorized SSH Keys: Ensure that only trusted SSH keys are authorized for remote access.

• Change Admin Credentials: Immediately reset WordPress admin usernames and passwords to prevent unauthorized access.

• Monitor System Logs: Regularly check server logs for unusual activity, particularly for connections to known malicious domains.

• Audit Installed Plugins: Verify all installed WordPress plugins and remove any suspicious or unauthorized plugins, such as Ultra SEO Processor.

A Parallel Campaign: Gambling Redirects

This discovery comes alongside another massive cyberattack that has compromised over 35,000 websites, using JavaScript to hijack user sessions and redirect visitors to Chinese-language gambling websites.

According to researchers, the malicious redirection campaign is heavily associated with the "Kaiyun" brand and appears to be targeting users in Mandarin-speaking regions.

The redirections occur through JavaScript hosted on five different domains, acting as loaders for the final payload that executes the redirects:

• mlbetjs[.]com

• ptfafajs[.]com

• zuizhongjs[.]com

• jbwzzzjs[.]com

• jpbkte[.]com

Expanding the Threat: Magento Fingerprinting

In addition to these WordPress attacks, a separate but related campaign has been identified targeting Magento-based e-commerce websites. A threat actor known as ScreamedJungle has been injecting JavaScript code, referred to as Bablosoft JS, into compromised Magento websites.

The script is part of the Bablosoft BrowserAutomationStudio (BAS) suite and is designed to fingerprint users visiting these compromised e-commerce sites. The malware gathers detailed browser and system information, which can then be used for fraudulent activities, account takeovers, and other cybercriminal operations.

Attackers are actively exploiting known vulnerabilities in Magento, including:

• CVE-2024-34102 (CosmicSting exploit)

• CVE-2024-20720

The financially motivated cybercriminals behind this campaign were first observed in May 2024, and over 115 e-commerce websites have been impacted so far.

The Growing Threat of JavaScript-Based Attacks

JavaScript-based cyberattacks are becoming increasingly common, as attackers leverage the language’s ability to execute code within browsers, steal sensitive data, and manipulate web sessions without requiring direct system access.

Final Thoughts

With WordPress and Magento being widely used for website development and e-commerce, these attacks highlight the growing need for proactive website security.

To defend against such threats, organizations and website owners should:

• Regularly update CMS platforms and plugins to patch vulnerabilities.

• Scan for malicious JavaScript injections using security monitoring tools.

• Implement security plugins to detect unauthorized changes to core WordPress and Magento files.

• Deploy Web Application Firewalls (WAFs) to filter and block malicious traffic before it reaches the site.

As attackers refine their techniques and target more high-traffic websites, staying vigilant and adopting robust cybersecurity practices will be crucial to minimizing risk and preventing financial and reputational damage.