Researchers at Sucuri who made the discovery said the recent campaign is tied to threat actors behind a December 2017 campaign. Both incidents used a keylogger/cryptocurrency malware called cloudflare[.]solutions. The name is derived from the domain used to serve up the malicious scripts in the first campaign, cloudflare[.]solutions.
Cloudflare[.]solutions is in no way related to network management and security firm Cloudflare.
The attack is quite simple. Miscreants find unsecured WordPress sites —usually running older WordPress versions or older themes and plugins— and use exploits for those sites to inject malicious code into the CMS’ source code.
Attackers use injection scrips on WordPress sites with weak or outdated security. “The cdjs[.]online script is injected into either a WordPress database (wp_posts table) or into the theme’s functions.php file,” Sinegubko wrote.
The malicious code includes two parts. For the admin login page, the code loads a keylogger hosted on a third-party domain. For the site’s frontend, crooks load the Coinhive in-browser miner and mine Monero using the CPUs of people visiting the site.
“While these new attacks do not yet appear to be as massive as the original cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection,” wrote Denis Sinegubko, a senior malware researcher at Sucuri who authored research blog this week.
For the late-2017 campaign, crooks loaded their keylogger from the “cloudflare.solutions” domain. Those attacks affected nearly 5,500 WordPress sites but were stopped on December 8 when the registrar took down the miscreants’ domain.