
If you are a WordPress user or just a cyber aware individual, you should have already heard about the recent hacking attacks on websites that host vulnerable tagDiv themes and Ultimate Member plugins. This post is a deeper dive that aims to add insights on the malware and analyse the redirection flow. For background and original information we recommend these great posts by Sucuri and inmotionhosting.
Malicious Redirects - Step by Step
The files targeted by this infection are jQuery.js and multiple *.php files in the themes directory that contain a <head> tag. Let's follow the traffic direction system implemented by this malware, from the injection to the final landing page.
Malware location
Infection in the PHP files:

Infection in the jQuery files:
Malware planted inside jQuery had the same goal: load malicious content from src[.]eeduelements[.]com.
Original (encoded) injection:

Decoded jQuery injection
Decoding the PHP malware with https://malwaredecoder.com/ gives:

The injected malware performs an HTTP GET request to "https[:]//src[.]eeduelements[.]com/get[.]php", which returns the URL https[:]//polonofiex[.]ga/sim[.]js. An HTTP GET to polonofiex[.]ga using the wget utility returns the following JavaScript code:

Decoding String.fromCharCode()
The t1 variable is set to "http[:]//murieh[.]space/?h=930130016_dc950a456f7_100&h_l=&h_5=sub_id_2&h_2=def_sub", which in turn redirects to either tuniaf[.]com or valusc[.]com.
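As an added example (not code from this post), here is a small Python decoder for the String.fromCharCode() trick used by the sim.js stage: it recovers the hidden t1 URL from a constructed sample script and reports, defanged, any host that belongs to the redirect chain listed in this post.

```python
import re
from urllib.parse import urlparse

# Domains from the redirect chain described in this post (defanged there with [.]).
REDIRECT_CHAIN_DOMAINS = {
    "src.eeduelements.com", "polonofiex.ga", "murieh.space",
    "tuniaf.com", "valusc.com",
}

# Constructed sample standing in for sim.js: like the real script it hides the
# t1 target URL behind String.fromCharCode(); the numeric codes are generated here.
T1_URL = "http://murieh.space/?h=930130016_dc950a456f7_100&h_l=&h_5=sub_id_2&h_2=def_sub"
SAMPLE_JS = (
    "var t1 = String.fromCharCode("
    + ", ".join(str(ord(c)) for c in T1_URL)
    + ");\nwindow.top.location.href = t1;\n"
)

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9][0-9,\s]*)\)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def decode_fromcharcode(js: str) -> list:
    """Return the plaintext of every numeric String.fromCharCode(...) call in js."""
    out = []
    for m in FROMCHARCODE.finditer(js):
        codes = [int(n) for n in re.split(r"[,\s]+", m.group(1).strip()) if n]
        out.append("".join(chr(c) for c in codes))
    return out


def defang(host: str) -> str:
    """Write a hostname the way the post does (murieh[.]space) so it is not clickable."""
    return host.replace(".", "[.]")


def find_redirect_targets(js: str) -> list:
    """Decode the script and list (defanged) hosts that belong to the known chain."""
    hits = set()
    for text in decode_fromcharcode(js):
        for url in URL_RE.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if host in REDIRECT_CHAIN_DOMAINS:
                hits.add(defang(host))
    return sorted(hits)


if __name__ == "__main__":
    print(decode_fromcharcode(SAMPLE_JS))
    print(find_redirect_targets(SAMPLE_JS))
```

Run it over the real sim.js text instead of SAMPLE_JS to see which stage of the chain a captured script points at.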
Simulating access to murieh[.]space
curl -v 'http://murieh.space/?h=930130016_dc950a456f7_100&h_l=&h_5=sub_id_2&h_2=def_sub'
* Hostname was NOT found in DNS cache
* Trying 212.32.236.8...
* Connected to murieh.space (212.32.236.8) port 80 (#0)
> GET /?h=930130016_dc950a456f7_100&h_l=&h_5=sub_id_2&h_2=def_sub HTTP/1.1
> User-Agent: curl/7.38.0
> Host: murieh.space
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
* Server nginx is not blacklisted
< Server: nginx
< Date: Thu, 30 Aug 2018 09:47:24 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://tuniaf[.]com/?h=930130016_dc950a456f7_100&h_l=&h_5=sub_id_2&h_2=def_sub
<
curl -v 'http://murieh.space/?h=930130016_dc950a456f7_100&h_l=&h_5=sub_id_2&h_2=def_sub'
* Hostname was NOT found in DNS cache
* Trying 212.32.236.8...
* Connected to murieh.space (212.32.236.8) port 80 (#0)
> GET /?h=930130016_dc950a456f7_100&h_l=&h_5=sub_id_2&h_2=def_sub HTTP/1.1
> User-Agent: curl/7.38.0
> Host: murieh.space
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
* Server nginx is not blacklisted
< Server: nginx
< Date: Thu, 30 Aug 2018 09:47:24 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://valusc[.]com/?h=930130016_dc950a456f7_100&h_l=&h_5=sub_id_2&h_2=def_sub
Protect Yourself and Your Website
Make sure all your themes and plugins are updated. Harden your website and your server account - see our post on WordPress Hardening. We are not publishing cleanup steps here, as the infection varies depending on the malicious campaign settings. If you need help with removing this or any other malware and, most importantly, with protecting your website from new attacks like the one described above, just select one of our anti-malware plans.