Hackers are using stolen credentials to infect WordPress sites with bogus plugins that deliver malware and infostealers to end users via fake browser update prompts.
The malicious campaign, based on a new variant of the ClickFix fake browser update malware, has infected more than 6,000 sites with fake WordPress plugins since June 2024. Overall, ClickFix has now compromised more than 25,000 sites since August 2023, according to the GoDaddy security team.
Fake WordPress Plugins Tap Stolen Credentials
No known vulnerabilities are being exploited to deliver the bogus plugins; the hackers simply seem to be using stolen credentials.
“Log analysis reveals that the installation of counterfeit WordPress plugins did not directly exploit any known vulnerabilities within the WordPress ecosystem,” the GoDaddy advisory said. “Instead, attackers possessed legitimate WordPress admin credentials for each compromised site.”
The plugins are “designed to appear harmless to website administrators,” but site visitors could be shown fake browser updates and other malicious prompts.
The plugins inject malicious JavaScript that contains “a known variation of fake browser update malware that uses blockchain and smart contracts to obtain malicious payloads,” known as EtherHiding. When executed in the browser, the JavaScript delivers fake browser update notifications that guide users to install malware on their machines, typically remote access trojans (RATs) or info stealers like Vidar Stealer and Lumma Stealer.
Fake WordPress Plugins: Details and IoCs
The fake plugins use generic names such as “Advanced User Manager” or “Quick Cache Cleaner,” and their directories contain only 3 small files: index.php, .DS_Store, and a -script.js file with a variation typically based on the name of the plugin.
Those naming schemes led to the discovery of other malicious plugins:
Plugin name | Injected script |
Admin Bar Customizer | admin-bar-customizer/abc-script.js |
Advanced User Manager | advanced-user-manager/aum-script.js |
Advanced Widget Manage | advanced-widget-manage/awm-script.js |
Content Blocker | content-blocker/cb-script.js |
Custom CSS Injector | custom-css-injector/cci-script.js |
Custom Footer Generator | custom-footer-generator/cfg-script.js |
Custom Login Styler | custom-login-styler/cls-script.js |
Dynamic Sidebar Manager | dynamic-sidebar-manager/dsm-script.js |
Easy Themes Manager | easy-themes-manager/script.js |
Form Builder Pro | form-builder-pro/fbp-script.js |
Quick Cache Cleaner | quick-cache-cleaner/qcc-script.js |
Responsive Menu Builder | responsive-menu-builder/rmb-script.js |
SEO Optimizer Pro | seo-optimizer-pro/sop-script.js |
Simple Post Enhancer | simple-post-enhancer/spe-script.js |
Social Media Integrator | social-media-integrator/smi-script.js |
“The underlying plugin code remains deliberately simplistic to avoid raising red flags,” the advisory said. A hook for the wp_enqueue_scripts action is manipulated to load a harmful script from the plugin directory into WordPress pages.
.DS_Store is short for Desktop Services Store, hidden files that the macOS Finder application creates to store folder preferences. The fake plugin .DS_Store files don’t contain any information but can be used as an indicator of compromise (IoC):
- MD5: 194577a7e20bdcc7afbb718f502c134c
- SHA 256: d65165279105ca6773180500688df4bdc69a2c7b771752f0a46ef120b7fd8ec3
The script filenames contain identical content and can be identified by their hash:
- MD5: 602e1f42d73cadcd73338ffbc553d5a2
- SHA 256: a4ad384663963d335a27fa088178a17613a7b597f2db8152ea3d809c8b9781a0
Speculation About Stolen WordPress Credentials
The GoDaddy advisory notes that the presence of valid WordPress admin credentials suggests that the hackers used methods to obtain the credentials, such as brute-force attacks, phishing campaigns, or perhaps even malware or infostealer infections on the website admins’ computers.
The advisory didn’t say, but presumably multi-factor authentication would offer some protection against the stolen credentials being misused, along with other access controls such as device ID, health and location.