Sucuri announced that its security team found a JavaScript injection that redirects site visitors to a survey-for-gifts scam website. According to Sucuri's blog post, at least 2,000 websites are infected with the redirect. The malicious JavaScript payload is capable of modifying existing WordPress theme files through /wp-admin/theme-editor.php, the built-in theme editor; because that page only works for an authenticated user allowed to edit themes, the script is effectively acting with that user's privileges. This lets the attackers inject additional malware, such as PHP backdoors and hack tools, into other theme files so they can maintain unauthorized access to the infected website.
Injection of additional malware
The attackers also change the home and siteurl values stored in the wp_options table. This causes site visitors to be redirected to malicious websites affiliated with the attacker and is likely one of the first red flags of malicious behavior. In the injected script, the attackers assign the redirect target to a variable named ijmjg and build it with String.fromCharCode(), so the URL appears in the source as a list of numeric character codes (UTF-16 code units) rather than as a readable ASCII string.
Another interesting finding is the creation of fake plugin directories containing further malware. These too are generated by abusing /wp-admin/ features, in this case the plugin upload handled through /wp-admin/includes/plugin-install.php, which accepts a zip archive and unpacks the fake plugin into /wp-content/plugins/.
The two most common fake plugins Sucuri reports seeing alongside this malware are /wp-content/plugins/supersociall/supersociall.php and /wp-content/plugins/blockspluginn/blockspluginn.php. As with any indicator of this kind, the absence of these two names does not by itself clear a site; any plugin directory that was not installed deliberately deserves the same scrutiny.