Malicious Attack Campaign Targeting Jetpack Users Reusing Passwords

The Wordfence Threat Intelligence and Site Cleaning teams have been tracking a malware campaign that redirects all site visitors to malvertising domains, while attempting to keep site administrators unaware of the infection. Since June 1, 2021, the number of sites we are tracking that have been infected with this malware has more than doubled, and we expect this campaign to continue gaining momentum as it relies on a mechanism that is difficult to block directly.

Jetpack is one of the most popular plugins in the WordPress repository, and it has a dizzying array of features that require users to connect their sites to a WordPress.com account. One of these features allows users that are logged in to WordPress.com to perform administrative tasks, including plugin installation, on sites that are connected to WordPress.com via Jetpack.

Unfortunately this means that if the credentials for a WordPress.com account are compromised, an attacker can login to that WordPress.com account and install arbitrary plugins on the connected WordPress site no matter where it is hosted. This includes the malicious plugin used in this campaign. We’ve written about this intrusion vector in the past, and it is regaining popularity due to a number of recent data breaches from other services.

To clarify, no data breach has occurred at WordPress.com itself. However, password reuse is incredibly common, and credentials obtained from recent data breaches are likely to grant access to a number of WordPress.com user accounts. Additionally, although it is possible to configure Jetpack to allow direct login to a site via WordPress.com credentials, this setting does not need to be enabled in order for a site to be vulnerable. All that is required is that a site be connected to a WordPress.com account that has compromised credentials.

What should I do?

If you use Jetpack, you should turn on 2-Factor authentication at WordPress.com. While we strongly recommend using a mobile app or security key for this, even SMS-based 2-Factor authentication is significantly more secure than relying on passwords alone.

If you use the same password for your WordPress.com account that you’ve used for any other service, change your WordPress.com password immediately.

If your site has been compromised, we’ve published a guide to help you clean your WordPress site with Wordfence. Restoring from a recent backup is also an option if you can identify the last known clean backup; reviewing your log files can help you determine that.

If you’d like support in restoring your site to functionality, our Site Cleaning team can help. All Wordfence site cleaning customers receive a Wordfence Premium license key to protect the site going forward as well as a one-year guarantee. If the site is compromised again after recommendations are followed, we’ll clean it again for free.

Indicators of Compromise

The majority of infections we’ve seen have the following plugin and filenames:

wp-content/plugins/Plugin/plug.php
wp-content/plugins/plugs/plugs.php
wp-content/plugins/Builder/Builder.php

The most common MD5 hashes associated with this campaign are:

8378f4e6c5d3941f00c70715713ce299
e7138bb2cd788dfba7ccfdc43e81065f
1288a440de78d25860809dde12f1dfa5
a5a0e5ab2381d5dedff1e91480d2b5d4
256e92647f880ad60f381a5a9cf66be7

These malicious plugins check to see if the site visitor is on the login page, or if they are logged in as an administrator. Any visitor that doesn’t meet these criteria will then be redirected to one of several dozen malicious punycode domains.

We have listed the domains associated with the most prevalent variant:

xn--i1abh6c[.]xn--p1ai
xn--80adzf[.]xn--p1ai
xn--o1aofd[.]xn--p1ai
xn--g1aey4a[.]xn--p1ai
xn--80ady8a[.]xn--p1ai
xn--g1asqf[.]xn--p1ai
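The indicators above can be swept for with a short script. The following is an added example, not Wordfence's own tooling: it walks a site's wp-content/plugins directory and reports any file that sits at one of the listed paths, has one of the listed MD5 hashes, or contains one of the listed punycode redirect domains (converting the defanged `[.]` form from the list back to a real dot for matching). The sample site tree built by `build_sample_site()` is constructed for demonstration and contains only a placeholder stand-in, so only the path and domain indicators fire on it; on a real install the hash check is the one that identifies an unmodified copy of the campaign's plugin.

```python
"""IoC sweep for the Jetpack credential-reuse campaign (added example)."""
import hashlib
import os
import tempfile

# Indicators from the article. Paths are relative to the WordPress root.
IOC_PATHS = {
    "wp-content/plugins/Plugin/plug.php",
    "wp-content/plugins/plugs/plugs.php",
    "wp-content/plugins/Builder/Builder.php",
}
IOC_MD5 = {
    "8378f4e6c5d3941f00c70715713ce299",
    "e7138bb2cd788dfba7ccfdc43e81065f",
    "1288a440de78d25860809dde12f1dfa5",
    "a5a0e5ab2381d5dedff1e91480d2b5d4",
    "256e92647f880ad60f381a5a9cf66be7",
}
# Kept in the article's defanged form; refang() turns "[.]" back into "."
IOC_DOMAINS_DEFANGED = {
    "xn--i1abh6c[.]xn--p1ai",
    "xn--80adzf[.]xn--p1ai",
    "xn--o1aofd[.]xn--p1ai",
    "xn--g1aey4a[.]xn--p1ai",
    "xn--80ady8a[.]xn--p1ai",
    "xn--g1asqf[.]xn--p1ai",
}


def refang(domain):
    """Convert a defanged indicator ("a[.]b") into the form found in live code."""
    return domain.replace("[.]", ".")


def md5_of(path):
    """Hex MD5 of a file, read in chunks so large plugin files are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_site(root):
    """Return sorted (relative_path, reason) findings under root/wp-content/plugins."""
    domains = [refang(d).encode() for d in IOC_DOMAINS_DEFANGED]
    findings = []
    plugins_dir = os.path.join(root, "wp-content", "plugins")
    for dirpath, _dirs, files in os.walk(plugins_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in IOC_PATHS:
                findings.append((rel, "known malicious plugin path"))
            digest = md5_of(full)
            if digest in IOC_MD5:
                findings.append((rel, "known malicious hash " + digest))
            with open(full, "rb") as f:
                data = f.read()
            for dom in domains:
                if dom in data:
                    findings.append((rel, "references redirect domain " + dom.decode()))
    return sorted(findings)


def build_sample_site():
    """Constructed sample tree: one benign plugin and a placeholder at an IoC path."""
    root = tempfile.mkdtemp(prefix="wp-ioc-demo-")
    benign = os.path.join(root, "wp-content", "plugins", "akismet")
    os.makedirs(benign)
    with open(os.path.join(benign, "akismet.php"), "w") as f:
        f.write("<?php\n// constructed benign plugin stub\n")
    suspect = os.path.join(root, "wp-content", "plugins", "Plugin")
    os.makedirs(suspect)
    with open(os.path.join(suspect, "plug.php"), "w") as f:
        # Constructed stand-in only: it names an IoC domain but does nothing.
        f.write("<?php\n// constructed placeholder, not the campaign's code\n")
        f.write("$target = 'https://xn--i1abh6c.xn--p1ai/';\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel_path, reason in scan_site(site):
        print(f"{rel_path}: {reason}")
```

Point `scan_site()` at the real document root of a site instead of the sample tree to run it for real; any hit on a hash or path is a strong signal, while a domain hit in an otherwise legitimate plugin is worth a manual look before acting on it.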

Conclusion

In today’s article, we covered a malware campaign targeting sites connected to WordPress.com via the Jetpack plugin. As this campaign depends on compromised WordPress.com credentials, it is not possible to block this type of attack directly, but that doesn’t mean there’s nothing you can do.

At this time we recommend that all site owners using the Jetpack plugin enable 2-factor authentication for their WordPress.com accounts, and change their WordPress.com passwords if they are using a password that has been used for any other service. If you do not actively use Jetpack, you should disconnect your site from WordPress.com or deactivate the Jetpack plugin.

Special thanks to Security Analyst Charles Sweethill for tracking this issue and assisting with the article.
