Keylogger Campaign Hits Over 2,000 WordPress Sites

LASER_oneXM



Security researchers have discovered over 2,000 WordPress sites, possibly more, infected with a keylogger that's being loaded on the WordPress backend login page and with a cryptojacking script (an in-browser cryptocurrency miner) on their frontends.

Researchers have tied these newly discovered infected sites to a similar operation that took place in early December 2017.

The attack is quite simple. Miscreants find unsecured WordPress sites, usually running older WordPress versions or older themes and plugins, and use exploits for those sites to inject malicious code into the CMS' source code.

The malicious code includes two parts. For the admin login page, the code loads a keylogger hosted on a third-party domain. For the site's frontend, crooks load the Coinhive in-browser miner and mine Monero using the CPUs of people visiting the site.

Attackers active since April 2017
As mentioned before, this campaign has been going on since April 2017, and for most of 2017, miscreants were busy embedding banner ads on the hacked sites and loading Coinhive cryptojacking scripts disguised as fake jQuery and Google Analytics JavaScript files.

It was only in December that this group moved to the more devious practice of collecting admin credentials via a keylogger.
 
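A defender-side check for the two injections described above, as an added example that is not part of the original post: it audits the script tags of a fetched page and flags ones loaded from hosts outside an allowlist, ones using jQuery or Google Analytics file names on a host that does not normally serve them, and any Coinhive reference. The allowlist, host names and sample HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: constructed allowlist of hosts this site legitimately loads scripts from.
ALLOWED_HOSTS = {"blog.example.org", "code.jquery.com", "www.google-analytics.com"}
# Library names the article says were imitated, paired with hosts expected to serve them.
LOOKALIKES = [(re.compile(r"jquery", re.I), {"blog.example.org", "code.jquery.com"}),
              (re.compile(r"analytics", re.I), {"www.google-analytics.com"})]
MINER_HINT = re.compile(r"coinhive", re.I)

class ScriptCollector(HTMLParser):  # gathers [src, inline_text] per <script>
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = True
            self.scripts.append([dict(attrs).get("src"), ""])
    def handle_endtag(self, tag):
        self._open = self._open and tag != "script"
    def handle_data(self, data):
        if self._open:
            self.scripts[-1][1] += data

def audit_page(html, page_host):
    """Return (finding, location) pairs for scripts that deserve a manual look."""
    collector, findings = ScriptCollector(), []
    collector.feed(html)
    for src, inline in collector.scripts:
        where = src or "inline"
        if MINER_HINT.search(inline) or MINER_HINT.search(src or ""):
            findings.append(("miner-reference", where))
        if not src:
            continue
        url = urlparse(src)
        host = url.hostname or page_host  # relative URLs are same-origin
        name = url.path.rsplit("/", 1)[-1]
        if any(p.search(name) and host not in ok for p, ok in LOOKALIKES):
            findings.append(("lookalike-name", where))
        if host not in ALLOWED_HOSTS:
            findings.append(("unlisted-host", where))
    return findings

# Constructed sample of a tampered page; all hosts and values are placeholders.
SAMPLE = """<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script src="https://cdn.attacker.example/lib/jquery.min.js"></script>
<script src="//stats.attacker.example/googleanalytics.js"></script>
<script>var pool = "coinhive-placeholder";</script>"""
```

Run it against both the login page and a frontend page, since the article describes different payloads on each.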