WordPress can be hit with two malicious plugins that can create unwanted pop-ups and pop-unders

Two malicious plugins are being used in a new way to infect WordPress sites. The plugins, injectbody and injectscr, inject obfuscated scripts that create unwanted pop-ups and pop-unders when a user clicks anywhere on an infected web page. Both plugins have very similar functionality.

Plugin Location

injectbody (wp-content/plugins/injectbody/):
• injectbody.php: 2146 bytes (the plugin code)
• inject.txt: 2006 bytes (injected JavaScript)

injectscr (wp-content/plugins/injectscr/):
• injectscr.php: 1319 bytes (the plugin code)
• inject.txt: 3906 bytes (injected JavaScript)

Plugin Code Files

The plugins include functions to hide their existence, injectscr_hide and injectbody_hide, which remove the malicious plugins from the list of active plugins. Only someone logged into WordPress as one of the malicious admin users INJECTBODY__ADMIN or INJECTSCR__ADMIN, or someone using legitimate admin credentials with the “?INJECTBODY__ADMIN=1” or “?INJECTSCR__ADMIN=1” GET parameter appended to the URL, can see these plugins in the plugin list of an infected website.

Injected scripts
Once a website has been infected, the hidden injectbody plugin begins injecting an obfuscated script into a website page:
var _0xc3ce=[“\x32\x20\x35\x3D\x7B\x61\x3A\x27…removed for brevity… new RegExp(_0xc3ce[7]+ _0xf262x5(_0xf262x3)+ _0xc3ce[7],_0xc3ce[8]),_0xf262x4[_0xf262x3])}};return _0xf262x1}(_0xc3ce[0],27,27,_0xc3ce[3][_0xc3ce[2]](_0xc3ce[1]),0,{}))
This script adds a VigLink ad script with the “ca8b3984fdf6c76dc2fe3325feb58eba” key to the page.

The injectscr plugin injects a similar obfuscated script:
var _0x3fdb=[“\x39\x20\x62\x28\x6B\x29\x7B\x33\x20…removed for brevity…new RegExp(_0x3fdb[8]+ _0x3e49x5(_0x3e49x3)+ _0x3fdb[8],_0x3fdb[9]),_0x3e49x4[_0x3e49x3])}};return _0x3e49x1}(_0x3fdb[0],62,63,_0x3fdb[3][_0x3fdb[2]](_0x3fdb[1]),0,{}))

The script adds a click handler that opens a popup window with the following URL: hxxp://1aqy.xn--o1aqy[.]xn--p1ai/stats/fri.php?affid=79803, which starts a chain of ad redirects.
When the popup is opened, the script sets the “clickund_expert=1” cookie for one hour and removes itself from the click event handler.
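Both injected scripts above start with a hex-escaped string array (`var _0xc3ce=["\x32\x20..."`) whose elements are later referenced by index, which is what makes them hard to read at a glance. The following Python helper, added here as an analyst's aid and not taken from the article or from the malware itself, decodes such an array and inlines the decoded literals so the logic can be reviewed. The first array element is the prefix quoted in the article; the remaining elements and the trailing `eval` line are constructed for the example.

```python
import json
import re

# Constructed sample in the style of the injected script. Only the first
# element ("\x32\x20\x35\x3D\x7B\x61\x3A\x27") is the prefix quoted in the
# article; the rest of the array and the eval() line are made up so the
# example is self-contained.
SAMPLE_JS = r'''var _0xc3ce=["\x32\x20\x35\x3D\x7B\x61\x3A\x27","\x7C","\x73\x70\x6C\x69\x74","\x30\x7C\x31\x7C\x32"];
eval(_0xc3ce[3][_0xc3ce[2]](_0xc3ce[1]));'''

# JS escape sequences we care about: \xNN, \uNNNN and single-character escapes.
_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\(.)', re.DOTALL)
_SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "0": "\0", "b": "\b", "f": "\f", "v": "\v"}


def decode_js_string(raw: str) -> str:
    """Turn the body of a JS string literal into plain text."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        return _SIMPLE.get(m.group(3), m.group(3))  # \\ \' \" fall through unchanged
    return _ESCAPE.sub(repl, raw)


# `var _0x....=[ ... ];` declarations and the quoted literals inside them.
_ARRAY = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\]\s*;', re.DOTALL)
_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'', re.DOTALL)


def extract_string_arrays(js: str) -> dict:
    """Map each hex-named array (_0x....) to its decoded string elements."""
    arrays = {}
    for name, body in _ARRAY.findall(js):
        arrays[name] = [decode_js_string(d or s) for d, s in _LITERAL.findall(body)]
    return arrays


def inline_references(js: str, arrays: dict) -> str:
    """Replace name[index] lookups with the decoded literal so the code reads plainly."""
    out = js
    for name, strings in arrays.items():
        def repl(m, strings=strings):
            idx = int(m.group(1))
            return json.dumps(strings[idx]) if idx < len(strings) else m.group(0)
        out = re.sub(re.escape(name) + r'\[(\d+)\]', repl, out)
    return out


if __name__ == "__main__":
    found = extract_string_arrays(SAMPLE_JS)
    for name, strings in found.items():
        print(name, strings)
    print(inline_references(SAMPLE_JS, found))
```

Run against the sample, the second line becomes `eval("0|1|2"["split"]("|"))`, which makes the `split('|')` call that feeds the packed payload visible; the same pass applied to a full captured script is usually enough to see which string holds the ad key and the popup URL without executing anything.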

Log Analysis
Our team analyzed the logs of infected websites and discovered that the cybercriminals added the plugins after logging into the WordPress dashboard:

- - [08/Feb/2018:10:02:38 -0500] "GET https://infected_site/wp-login.php HTTP/1.1" 200 4571 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/793A"
- - [08/Feb/2018:10:02:41 -0500] "POST https://infected_site/wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/793A"
- - [08/Feb/2018:10:02:43 -0500] "GET https://infected_site/wp-admin/plugin-install.php HTTP/1.1" 200 83955 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/793A"
- - [08/Feb/2018:10:02:49 -0500] "POST https://infected_site/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 32291 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/793A"
- - [08/Feb/2018:10:02:55 -0500] "GET https://infected_site/wp-admin/plugins.php?action=activate&plugin=injectscr%2Finjectscr.php&_wpnonce=e22822dda4 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/793A"
- - [09/Feb/2018:02:59:18 -0500] "GET https://infected_site/wp-login.php HTTP/1.1" 200 4565 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/7003"
- - [09/Feb/2018:02:59:20 -0500] "POST https://infected_site/wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/7003"
- - [09/Feb/2018:02:59:22 -0500] "GET https://infected_site/wp-admin/plugin-install.php HTTP/1.1" 200 83025 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/7003"
- - [09/Feb/2018:02:59:26 -0500] "POST https://infected_site/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 31747 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/7003"
- - [09/Feb/2018:02:59:30 -0500] "GET https://infected_site/wp-admin/plugins.php?action=activate&plugin=injectscr%2Finjectscr.php&_wpnonce=0c451eb625 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/7003"

The plugin installation requests are automated: the whole sequence of logging in, uploading and activating the plugin takes only 10-20 seconds.
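The log excerpt above has a fixed shape (successful login, plugin-install page, upload-plugin POST, activate GET) completed by one client within seconds, which is something a log review can look for directly. The Python script below is an added detection example, not part of the article; it parses Apache combined-format lines and reports every such chain that a single IP and user agent completes inside a window. The sample log is constructed: the requests, timestamps and user agents mirror the article's first session (whose client IPs were stripped), the IPs are documentation addresses, and the slower second session with a made-up nonce is a benign control. The 60-second window and the rv:/Firefox/ version-mismatch heuristic are my own assumptions.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample log (Apache combined format). Session 1 mirrors the
# article's excerpt with a documentation IP; session 2 is a made-up benign
# admin who takes twelve minutes to do the same thing.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Feb/2018:10:02:38 -0500] "GET /wp-login.php HTTP/1.1" 200 4571 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/793A"
192.0.2.10 - - [08/Feb/2018:10:02:41 -0500] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/793A"
192.0.2.10 - - [08/Feb/2018:10:02:43 -0500] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 83955 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/793A"
192.0.2.10 - - [08/Feb/2018:10:02:49 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 32291 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/793A"
192.0.2.10 - - [08/Feb/2018:10:02:55 -0500] "GET /wp-admin/plugins.php?action=activate&plugin=injectscr%2Finjectscr.php&_wpnonce=e22822dda4 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/793A"
198.51.100.7 - - [08/Feb/2018:11:00:00 -0500] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0"
198.51.100.7 - - [08/Feb/2018:11:04:10 -0500] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 83955 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0"
198.51.100.7 - - [08/Feb/2018:11:09:30 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 32291 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0"
198.51.100.7 - - [08/Feb/2018:11:12:05 -0500] "GET /wp-admin/plugins.php?action=activate&plugin=akismet%2Fakismet.php&_wpnonce=0123456789 HTTP/1.1" 302 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# The chain seen in the article: (method, path, required ?action= value or None).
CHAIN = (
    ("POST", "/wp-login.php", None),
    ("GET", "/wp-admin/plugin-install.php", None),
    ("POST", "/wp-admin/update.php", "upload-plugin"),
    ("GET", "/wp-admin/plugins.php", "activate"),
)
WINDOW_SECONDS = 60  # assumption; the article observed 10-20 s for the whole chain


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = urlparse(m["url"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": u.path,
        "query": parse_qs(u.query),
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def chain_step(entry):
    """Index of the chain step this request represents, or None."""
    for i, (method, path, action) in enumerate(CHAIN):
        if entry["method"] == method and entry["path"] == path:
            if action is None or entry["query"].get("action") == [action]:
                return i
    return None


def ua_inconsistent(ua):
    """Heuristic: a genuine Firefox UA carries the same version in rv: and Firefox/."""
    m = re.search(r"rv:([\d.]+)\).*Firefox/(\S+)", ua)
    return bool(m) and m.group(1) != m.group(2)


def find_plugin_installs(lines):
    """Return one finding per login -> upload -> activate chain finished inside the window."""
    entries = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    pending = {}  # (ip, ua) -> {"next": expected step index, "start": login time}
    findings = []
    for e in entries:
        step = chain_step(e)
        if step is None:
            continue
        key = (e["ip"], e["ua"])
        if step == 0:
            if e["status"] == 302:  # WordPress redirects after a successful login
                pending[key] = {"next": 1, "start": e["ts"]}
            continue
        s = pending.get(key)
        if s is None or step != s["next"]:
            continue
        if step < len(CHAIN) - 1:
            s["next"] = step + 1
            continue
        elapsed = (e["ts"] - s["start"]).total_seconds()
        del pending[key]
        if elapsed <= WINDOW_SECONDS:
            findings.append({
                "ip": e["ip"],
                "start": s["start"].isoformat(),
                "elapsed": elapsed,
                "plugin": e["query"].get("plugin", [""])[0],
                "ua_inconsistent": ua_inconsistent(e["ua"]),
            })
    return findings


if __name__ == "__main__":
    for hit in find_plugin_installs(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the sample this reports only the 14-second session from 192.0.2.10 activating `injectscr/injectscr.php`, and flags its user agent because `rv:50.0` does not match `Firefox/793A`. A fast chain is not proof of compromise on its own (an admin using a script can be just as quick), so treat it as a lead to confirm against the plugin directory on disk.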

To protect against these plugins, follow these steps:

1. Don’t rely on what you see in the WordPress admin interface. Inspect wp-content/plugins manually; if a malicious plugin is found, remove wp-content/plugins/injectbody/ and wp-content/plugins/injectscr/.
2. Cybercriminals must be logged into WordPress to install the plugins. This means they have your credentials, so do the following to stay safe:
2.1. Change all WordPress passwords.
2.2. Review the list of users and delete any users with the following logins: INJECTBODY__ADMIN or INJECTSCR__ADMIN.

3. Make sure your site is not infected with older types of malware associated with these same attackers, or with any other malware. Also look for backdoors, because they frequently contribute to website reinfection.
4. Always use a cybersecurity solution such as an antivirus or firewall on the device you use to access your site. An unprotected device could have a keylogger on it, and this is how the cybercriminals manage to steal credentials.
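Step 1 and the earlier note about the `injectscr_hide`/`injectbody_hide` functions come down to one check: compare what is on disk with what the dashboard admits to. The Python audit below is an added example and not part of the article or of any WordPress tooling; it walks a plugins directory, flags the indicators the article names (the two directory names, the hide-function and admin-user names, and an `inject.txt` payload file), and reports any plugin directory that the dashboard or `wp plugin list` did not show. The sample tree it builds is constructed from marker strings only and contains no real malware; the `reported_slugs` argument is assumed to come from whatever plugin list the site's UI gives you.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: directory names, hide functions,
# admin user names and the inject.txt payload file.
SUSPICIOUS_DIRS = {"injectbody", "injectscr"}
SUSPICIOUS_FILES = {"inject.txt"}
SUSPICIOUS_TOKENS = re.compile(
    r"injectbody_hide|injectscr_hide|INJECTBODY__ADMIN|INJECTSCR__ADMIN"
)


def audit_plugins(plugins_dir, reported_slugs):
    """Scan wp-content/plugins on disk and compare it with what the UI lists.

    reported_slugs: plugin directory names the dashboard (or `wp plugin list`) shows.
    Returns a list of (slug, reason) findings.
    """
    findings = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        if not entry.is_dir():
            continue
        slug = entry.name
        if slug in SUSPICIOUS_DIRS:
            findings.append((slug, "known malicious plugin directory name"))
        if slug not in reported_slugs:
            # A plugin that exists on disk but is absent from the list is
            # exactly what the hide functions produce.
            findings.append((slug, "present on disk but missing from the plugin list"))
        for path in sorted(entry.rglob("*")):
            if not path.is_file():
                continue
            if path.name in SUSPICIOUS_FILES:
                findings.append((slug, f"payload file {path.name}"))
            if path.suffix == ".php":
                hit = SUSPICIOUS_TOKENS.search(path.read_text(errors="replace"))
                if hit:
                    findings.append((slug, f"indicator '{hit.group(0)}' in {path.name}"))
    return findings


def build_sample_tree():
    """Construct a throwaway plugins directory for the demo (marker strings only)."""
    base = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    (base / "akismet").mkdir()
    (base / "akismet" / "akismet.php").write_text("<?php // Plugin Name: Akismet\n")
    (base / "injectscr").mkdir()
    (base / "injectscr" / "injectscr.php").write_text(
        "<?php // constructed stand-in carrying only the names from the article\n"
        "// function injectscr_hide ... INJECTSCR__ADMIN\n"
    )
    (base / "injectscr" / "inject.txt").write_text("// constructed placeholder\n")
    return base


if __name__ == "__main__":
    tree = build_sample_tree()
    # The dashboard of the sample site "shows" only akismet, as it would
    # once the hide function has filtered the list.
    for slug, reason in audit_plugins(tree, reported_slugs={"akismet"}):
        print(f"{slug}: {reason}")
```

Point `audit_plugins` at the real `wp-content/plugins` and pass in the slugs you copied from the Plugins page; anything reported as "missing from the plugin list" deserves a look even if it matches none of the article's names, because the same hiding trick works for any directory name.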

Regular users are the most affected by malware these days because most of them do not pay attention to which antivirus they have installed on their systems.
Users can download the antivirus developed by our company directly by clicking the download banner at the end of the page.
Our free antivirus download can help users protect their Mac or Windows devices against malware and adware.
We offer a free one-day antivirus license to all users who want to test the full power of our antivirus solution.
Our antivirus can detect a vast spectrum of threats, from dangerous malware to nasty browser extensions used for mining cryptocurrency.

The antivirus our company offers is a certified product of OPSWAT.

Most companies don't care about cybersecurity until they suffer a breach.
A healthy company must perform a penetration test from time to time. The penetration test must be executed against all the assets of the company, including the employees, who are the most vulnerable to social engineering attacks.
A penetration test can be done either by a security specialist from inside the company or by hiring an external cybersecurity company that can take care of everything.
Besides penetration tests, a company must have a minimum healthy cybersecurity setup in place, such as an antivirus or a firewall.
CyberByte can perform various penetration tests across the whole spectrum, from PCI DSS compliance to red teaming, perimeter testing, and social engineering.
We also provide employee profiling and cyber threat monitoring services, since most data breaches these days come from inside the company.
To check our penetration test services, go to the Services tab in the main menu.

Windows users can download the free CyberByte antivirus solution by clicking the banner. The free antivirus will help you find out whether your PC is infected. The CyberByte free antivirus for Windows is award-winning software for malware detection.

Mac / macOS / OS X users can download the free CyberByte antivirus solution for Mac by clicking the banner. The free antivirus will help you find out whether your Mac is infected. The CyberByte free antivirus for macOS / OS X is award-winning software for malware detection. The free antivirus for Mac is available for new macOS and older OS X versions.

Features of CyberByte™ antivirus:

  • Protects you from all kinds of threats
  • CyberByte™ custom detection engine includes Mac and Windows malware protection and detection
  • Fastest scanning times on the market
  • Detection of rogue crypto-mining extensions and malware
  • Ransomware detection: don’t negotiate with ransomware cyber terrorists, keep your Mac and Windows machines safe
  • Active live protection in the background
  • Certified Threat Detector by OPSWAT
  • Easy to install
  • Easy to manage
  • Incredible value for money

Invisible, protecting you from behind the scenes: you will not feel it is installed on your computer, and it is easy on resources, as protection software should be.

Original technology that combines behavioral heuristic analysis with a powerful signature database: the CyberByte™ Protection Engine delivers top-of-the-line protection in an instant.

Fastest scanning times on the market: your time is precious, but so is your digital life. CyberByte™ delivers fast scanning, saving both your time and your valuable data.

Don’t negotiate with ransomware cyber terrorists: keep your Mac safe and never end up paying for what is already yours.

Protect others as well: the CyberByte™ Protection Engine not only detects the threat but stops it from spreading to other Macs or Windows machines.

Don’t let strangers use your resources: more than 80% of attacks are crypto-mining driven. Are you sure your computer is not mining crypto while you read this text?

Our malware protection will continuously look after your device, providing the best security against viruses. Give us the chance to prove it by downloading the antivirus for your device.

CyberByte Antivirus is a certified product by OPSWAT. (OPSWAT is a San Francisco-based software company that provides solutions to secure and manage IT infrastructure. Founded in 2002, OPSWAT delivers solutions that provide manageability of endpoints and networks and that help organizations protect against zero-day attacks by using multiple antivirus engine scanning and document sanitization. To learn more about OPSWAT’s innovative and unique solutions, please visit http://www.opswat.com.)

CyberByte Antivirus comes in two flavors:
macOS version: the free Mac antivirus download available on our website (https://mac.cyberbyte.org)
Windows version: the free Windows antivirus download available on our website (https://pc.cyberbyte.org)

The procedure is simple:
Download the free antivirus from the CyberByte website for either Mac or Windows.
Install it using the antivirus installer package.
Windows and Mac users can then run a free malware scan on their devices. The scan duration depends on how many files the user has.
CyberByte antivirus will show whether any files are infected after the scan is finished.

We have started to offer the most secure web hosting service, taking hosting to the next level.