According to findings from Sucuri, malicious JavaScript injections are being used by threat actors to conduct brute-force attacks against WordPress sites.
The attacks are distributed brute-force attacks that use innocent site visitors’ browsers to compromise other WordPress websites, as reported by security researcher Denis Sinegubko.
This activity is part of a previously documented attack wave where compromised WordPress sites were employed to inject crypto drainers like Angel Drainer or redirect visitors to Web3 phishing sites with drainer malware.
The latest version of this attack does not load a drainer but instead uses a list of common and leaked passwords to brute-force other WordPress sites, with injections identified on over 700 sites so far.
The attack consists of five stages, allowing threat actors to leverage compromised sites to execute distributed brute-force attacks against potential victims:
- Getting a list of target WordPress sites
- Extracting real author usernames from those domains
- Injecting malicious JavaScript code into already infected WordPress sites
- Launching distributed brute-force attacks on the target sites when visitors arrive on the compromised sites
- Gaining unauthorized access to the target sites
Sinegubko explained that for each password in the list, visitors’ browsers send wp.uploadFile XML-RPC API requests to upload a file with encrypted credentials. If authentication is successful, a small text file with valid credentials is created in the WordPress uploads directory.
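As an added, defender-side example (not part of Sucuri's write-up or Sinegubko's research): a detector for the distributed wp.uploadFile pattern just described, which keys on the aggregate attempt count per target username spread across many visitor IPs rather than on per-IP volume. The event tuple format and the thresholds are assumptions, and the XML-RPC request bodies are constructed samples.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def parse_xmlrpc(body):
    """Return (methodName, username) for a WordPress XML-RPC call, or None.
    wp.uploadFile's params are (blog_id, username, password, data)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    method = root.findtext("methodName")
    params = root.findall("./params/param/value")
    user = params[1].findtext("string") if len(params) > 1 else None
    return (method, user) if method else None

def flag_distributed_bruteforce(events, window=300, min_attempts=20, min_ips=5):
    """events: (unix_ts, src_ip, body) tuples for POSTs to xmlrpc.php (assumed format).
    Counts wp.uploadFile calls per target username in a sliding window and
    flags a user when the total is high AND spread over many source IPs:
    each visitor's browser sends only a few requests, so per-IP rate limits
    never trip. Returns {username: (attempts, distinct_ips)}."""
    per_user = defaultdict(list)
    for ts, ip, body in events:
        parsed = parse_xmlrpc(body)
        if parsed and parsed[0] == "wp.uploadFile" and parsed[1]:
            per_user[parsed[1]].append((ts, ip))
    alerts = {}
    for user, hits in per_user.items():
        hits.sort()
        j = 0
        for i in range(len(hits)):
            while hits[i][0] - hits[j][0] > window:  # drop attempts older than the window
                j += 1
            span = hits[j:i + 1]
            ips = {ip for _, ip in span}
            if len(span) >= min_attempts and len(ips) >= min_ips:
                alerts[user] = max(alerts.get(user, (0, 0)), (len(span), len(ips)))
    return alerts

def make_body(method, user, password):
    """Constructed sample XML-RPC request body (not captured traffic)."""
    vals = "<int>1</int>", "<string>%s</string>" % user, "<string>%s</string>" % password, "<struct/>"
    params = "".join("<param><value>%s</value></param>" % v for v in vals)
    return "<?xml version='1.0'?><methodCall><methodName>%s</methodName><params>%s</params></methodCall>" % (method, params)

# Constructed sample: 12 visitor IPs, 2 attempts each, all against "admin" in ~3 minutes, plus unrelated low-volume traffic against "editor".
SAMPLE_EVENTS = [(1000 + 8 * i, "198.51.100.%d" % (i % 12 + 1),
                  make_body("wp.uploadFile", "admin", "guess%d" % i)) for i in range(24)]
SAMPLE_EVENTS += [(1000, "203.0.113.7", make_body("wp.getUsersBlogs", "editor", "x")),
                  (1020, "203.0.113.7", make_body("wp.uploadFile", "editor", "x"))]
```

Running `flag_distributed_bruteforce(SAMPLE_EVENTS)` on the constructed sample flags only `admin`, with 24 attempts from 12 IPs, while no single IP exceeded two requests.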
While the reason for switching from crypto drainers to distributed brute-force attacks is unclear, profit motives are suspected, as compromised WordPress sites offer various monetization opportunities.
Furthermore, drainers have caused substantial losses in digital assets, with Scam Sniffer data indicating losses amounting to hundreds of millions in 2023.
The recent discovery also highlights threat actors exploiting a critical vulnerability in the WordPress plugin 3DPrint Lite (CVE-2021-4436) to deploy the Godzilla web shell for persistent remote access.
Another campaign, SocGholish, is distributing JavaScript malware to WordPress websites using modified versions of legitimate plugins, aiming to trick visitors into downloading remote access trojans for future ransomware attacks.