Showing posts with label Denis Sinegubko. Show all posts

Monday, February 19, 2018

Wikipedia Page Review Reveals Minr Malware

Since December, we’ve seen a number of websites with this funny-looking obfuscated script injected at the very top of the HTML code (before the <html> tag).

This code is generated by the well-known JJEncode obfuscator, which was once quite popular for encrypting malicious code. Since its popularity dwindled a few years ago, we’ve hardly seen any new malware using it. It was definitely a surprise for us when, approximately 3 months ago, we noticed the JJEncode obfuscator was once again in use: the Minr cryptominer began using it to obfuscate scripts that it loaded from multiple domains like web.clod[.]pw.

Continue reading Wikipedia Page Review Reveals Minr Malware at Sucuri Blog.

The post Wikipedia Page Review Reveals Minr Malware appeared first on Security Boulevard.



Monday, February 12, 2018

Unwanted Pop-ups Caused by Injectbody/Injectscr Plugins

On February 8th, 2018, we noticed a new wave of WordPress infections involving two malicious plugins: injectbody and injectscr. These plugins inject obfuscated scripts, creating unwanted pop-up/pop-unders. Whenever a visitor clicks anywhere on an infected web page, they are served questionable ads.

Plugin Location

The malicious plugins possess a very similar file structure:

Injectbody

wp-content/plugins/injectbody/

  • injectbody.php: 2146 bytes (the plugin code)
  • inject.txt: 2006 bytes (injected JavaScript)

Injectscr

wp-content/plugins/injectscr/

  • injectscr.php: 1319 bytes (the plugin code)
  • inject.txt: 3906 bytes (injected JavaScript)

The functionality of these plugins is also very similar.

Continue reading Unwanted Pop-ups Caused by Injectbody/Injectscr Plugins at Sucuri Blog.

The post Unwanted Pop-ups Caused by Injectbody/Injectscr Plugins appeared first on Security Boulevard.



Tuesday, September 5, 2017

Affiliate Cookie Stuffing in iFrames

Inline frames (iFrames) are an easy way to embed content from another site onto your own. This element allows you to insert another document inside an HTML page and can be really useful for embedding interactive applications like Google Maps, advertise...

Thursday, April 20, 2017

Website Malware: Unwanted Exit to YourBrexit

Some website hacks aim to make political statements. Defacements are well known for this. Some infections redirect visitors to scam sites that push (usually counterfeit) goods or (often illegal) services. But how would you feel if your site redirected visitors to a political news site?

This time we are talking about an attack that mainly targets UK sites and has redirected over 2 million (mostly UK) visitors to YourBrexit[.]net – a site that publishes politically-charged commentary about Brexit.

Continue reading Website Malware: Unwanted Exit to YourBrexit at Sucuri Blog.



Wednesday, April 5, 2017

WordPress Security – Unwanted Redirects via Infected JavaScript Files

We’ve been watching a specific WordPress infection for several months and would like to share details about it.

The attack injects malicious JavaScript code into almost every .js file it can find. Previous versions of this malware infected only jquery.js files, but now we remove this code from hundreds of infected files. Due to a bug in the injector code, it also infects files whose extensions contain “.js” (such as .js.php or .json).

Continue reading WordPress Security – Unwanted Redirects via Infected JavaScript Files at Sucuri Blog.



Monday, October 31, 2016

Learning From Buggy WordPress Wp-login Malware

When a site gets hacked, the attack doesn’t end with the malicious payload or spam content. Hackers know that most website administrators will clean up the infection and look no further. Many go on to patch vulnerable software, change their passwords, and perform other post-hack steps. All of this is good, but hackers who follow through the sustainment phase of the attack also leave behind ways to easily reinfect the site.

After breaking into a website, hackers want to make sure they still have access if the original security hole is closed.

Continue reading Learning From Buggy WordPress Wp-login Malware at Sucuri Blog.


