Over 1,000 WordPress Sites Infected with JavaScript Backdoors Enabling Persistent Attacker Access

Over 1,000 websites powered by WordPress have been infected with a third-party JavaScript code that injects four separate backdoors.

“Creating four backdoors facilitates the attackers having multiple points of re-entry should one be detected and removed,” c/side researcher Himanshu Anand said in a Wednesday analysis.

The malicious JavaScript code has been found to be served via cdn.csyndication[.]com. As of writing, as many as 908 websites contain references to the domain in question.

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

The functions of the four backdoors are explained below –

• Backdoor 1, which uploads and installs a fake plugin named “Ultra SEO Processor,” which is then used to execute attacker-issued commands
• Backdoor 2, which injects malicious JavaScript into wp-config.php
• Backdoor 3, which adds an attacker-controlled SSH key to the ~/.ssh/authorized_keys file so as to allow persistent remote access to the machine
• Backdoor 4, which is designed to execute remote commands and fetches another payload from gsocket[.]io to likely open a reverse shell

To mitigate the risk posed by the attacks, it’s advised that users delete unauthorized SSH keys, rotate WordPress admin credentials, and monitor system logs for suspicious activity.

The development comes as the cybersecurity company detailed another malware campaign has compromised more than 35,000 websites with malicious JavaScript that “fully hijacks the user’s browser window” to redirect site visitors to Chinese-language gambling platforms.

“The attack appears to be targeting or originating from regions where Mandarin is common, and the final landing pages present gambling content under the ‘Kaiyun’ brand.

The redirections occur through JavaScript hosted on five different domains, which serves as a loader for the main payload responsible for performing the redirects –

• mlbetjs[.]com
• ptfafajs[.]com
• zuizhongjs[.]com
• jbwzzzjs[.]com
• jpbkte[.]com

The findings also follow a new report from Group-IB about a threat actor dubbed ScreamedJungle that injects a JavaScript code-named Bablosoft JS into compromised Magento websites to collect fingerprints of visiting users. More than 115 e-commerce sites are believed to be impacted to date.

The injected script is “part of the Bablosoft BrowserAutomationStudio (BAS) suite,” the Singaporean company said, adding it “contains several other functions to collect information about the system and browser of users visiting the compromised website.”

It’s said that the attackers are exploiting known vulnerabilities affecting vulnerable Magento versions (e.g., CVE-2024-34102 aka CosmicSting and CVE-2024-20720) to breach the websites. The financially motivated threat actor was first discovered in the wild in late May 2024.

“Browser fingerprinting is a powerful technique commonly used by websites to track user activities and tailor marketing strategies,” Group-IB said. “However, this information is also exploited by cybercriminals to mimic legitimate user behavior, evade security measures, and conduct fraudulent activities.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.