Wordfence researchers from the Defiant Threat Intelligence team note in the post that there is nothing particularly new about this scheme per se. Certainly, TechGenix has reported on plenty of malvertising campaigns in the past as well as other WordPress security problems. What did catch researchers’ attention, however, was the code itself and their in-depth analysis (with actual code samples) is highly recommended by this journalist.
Major points made about the malvertising code are found in the following post excerpt:
The majority of the XSS injection attempts tracked across this campaign were sent by IP addresses linked to popular hosting providers. With attacks sourced from IPs hosting several live websites, as well as our own evidence of infected sites associated with this campaign, it’s likely the threat actor is using infected sites to deliver XSS attacks by proxy.
In the infected site we had access to, we identified a few PHP shells which would have been capable of performing these attacks. These were fairly common types of webshells, and didn’t feature custom code specifically built to deliver XSS attempts, but could receive arbitrary commands from the attacker to launch the attacks... This campaign is ongoing. We expect the threat actors will be quick to leverage any similar XSS vulnerabilities that may be disclosed in the near future. Be sure to check your WordPress sites for any available plugin and theme updates frequently. Even if an update’s changelog doesn’t mention a security fix, it’s possible the developer neglected to disclose the nature of the patch.
Featured image: Pxhere