Once inside a WordPress site the JS redirects visitors at first to four malicious sites, gotosecond2[.]com, adsformarket[.]com, admarketlocation[.]com, and admarketresearch[.]xyz. Next the URL statistic[.]admarketlocation[.]com/clockwork?&se_referrer= or track[.]admarketresearch[.]xyz/?track&se_referrer= is loaded onto the compromised site which delivers the final malicious JS payload.
Below is a technical detail of the attack.
The injection seen below is used to begin a chained series of redirects involving the malicious domains gotosecond2[.]com, adsformarket[.]com, admarketlocation[.]com, and admarketresearch[.]xyz.
A second URL statistic[.]admarketlocation[.]com/clockwork?&se_referrer= or track[.]admarketresearch[.]xyz/?track&se_referrer= is then loaded in the redirection chain and delivers the final malicious JS payload to the victim’s infected website.
Modification of WordPress theme-editor.php Files
We encourage website owners to disable the modification of primary folders block hackers from inserting malicious files or includes as part of WordPress security hardening and security best practices.
Malicious Behavior and Redirects
The attackers also change home and siteurl defined in the wp_options table. This causes site visitors to be redirected to malicious websites affiliated with the attacker, and is likely one of the first red flags of malicious behavior.
You can see the malicious code using the /wp-admin/options-general.php to make these modifications on lines 77-81 below.
Conditional Checks & Obfuscation Techniques
The attackers create a variable with the name ijmjg and use the function String.fromCharCode() to hide the malicious redirect URL in UTF-16 code units format, rather than ASCII characters. They also add comments using /*someuselesstext*/ as an evasion technique to further conceal the obfuscation so that someone cannot easily search the files for the text string.
Another interesting find is the creation of fake plugin directories that contain further malware and can also be generated through the attacker’s abuse of /wp-admin/ features, namely uploading zip compressed files using the /wp-admin/includes/plugin-install.php file to perform the upload and unzipping of the compressed fake plugin into /wp-content/plugins/.
The two most common fake plugin directories we’ve seen created alongside this malware are /wp-content/plugins/supersociall/supersociall.php and /wp-content/plugins/blockspluginn/blockspluginn.php