JavaScript Backdoors Found in Over 1,000 WordPress Sites, Allowing Ongoing Attacker Control

Hackers have infected over 1,000 WordPress-powered websites with a third-party JavaScript code that injects four separate backdoors.

“By creating four backdoors, attackers ensure multiple points of re-entry if one is detected and removed,” c/side researcher Himanshu Anand explained in a Wednesday analysis.

The malicious JavaScript code originates from cdn.csyndication[.]com. As of now, at least 908 websites contain references to this domain.

The four backdoors function as follows:

• Backdoor 1 uploads and installs a fake plugin named “Ultra SEO Processor,” which executes attacker-issued commands.
• Backdoor 2 injects malicious JavaScript into wp-config.php.
• Backdoor 3 adds an attacker-controlled SSH key to the ~/.ssh/authorized_keys file, allowing persistent remote access.
• Backdoor 4 executes remote commands and retrieves another payload from gsocket[.]io, likely to open a reverse shell.

To mitigate the risk, users should delete unauthorized SSH keys, rotate WordPress admin credentials, and monitor system logs for suspicious activity.

Meanwhile, cybersecurity researchers have also detailed another malware campaign compromising over 35,000 websites. This attack uses malicious JavaScript to “fully hijack the user’s browser window” and redirect visitors to Chinese-language gambling platforms.

“The attack appears to originate from or target regions where Mandarin is widely spoken. The final landing pages display gambling content under the ‘Kaiyun’ brand.”

The redirections occur through JavaScript hosted on five domains, which act as loaders for the main payload responsible for executing the redirects:

• mlbetjs[.]com
• ptfafajs[.]com
• zuizhongjs[.]com
• jbwzzzjs[.]com
• jpbkte[.]com

In addition, a recent Group-IB report highlights a threat actor known as ScreamedJungle, which injects a JavaScript code named Bablosoft JS into compromised Magento websites to collect user fingerprints. So far, more than 115 e-commerce sites have been affected.

The injected script is part of the Bablosoft BrowserAutomationStudio (BAS) suite. According to the Singaporean company, it “includes several other functions that gather information about the system and browser of users visiting the compromised website.”

Attackers are exploiting known vulnerabilities in outdated Magento versions (e.g., CVE-2024-34102, also known as CosmicSting, and CVE-2024-20720) to breach these websites. Researchers first identified this financially motivated threat actor in the wild in late May 2024.

“Browser fingerprinting is a powerful technique widely used by websites to track user activities and tailor marketing strategies,” Group-IB noted. “However, cybercriminals also exploit this information to mimic legitimate user behavior, bypass security measures, and carry out fraudulent activities.”

Source: TheHackerNews