A few months ago, we covered two injections related to the “cloudflare.solutions” malware: a CoinHive cryptominer hidden within fake Google Analytics and jQuery, and the WordPress keylogger from Cloudflare[.]solutions. This malware was originally identified by one of our analysts in April 2017 and has since evolved and spread to new domains.

Keylogger Spreads to New Domains

A few days after our keylogger post was released on Dec 8th, 2017, the Cloudflare[.]solutions domain was taken down. This was not the end of the malware campaign, however; attackers immediately registered a number of new domains including cdjs[.]online on Dec 8th, cdns[.]ws on Dec 9th, and msdns[.]online on Dec 16th.

PublicWWW has already identified relatively few infected sites: 129 websites for cdns[.]ws and 103 websites for cdjs[.]online, but it’s likely that the majority of the websites have not been indexed yet. Since mid-December, msdns[.]online has infected over a thousand websites, though the majority are reinfections from sites that have already been compromised.

Injected Scripts Used in the Attack

There are a variety of injected scripts that have been used in this attack in the past month:

hxxps://cdjs[.]online/lib.js
hxxps://cdjs[.]online/lib.js?ver=…
hxxps://cdns[.]ws/lib/googleanalytics.js?ver=…
hxxps://msdns[.]online/lib/mnngldr.js?ver=…
hxxps://msdns[.]online/lib/klldr.js

The cdjs[.]online script is injected into either a WordPress database (wp_posts table) or into the theme’s functions.php file, just like we saw in the former cloudflare[.]solutions attack.

The cdns[.]ws and msdns[.]online scripts can also be found injected into the theme’s functions.php file:

Continue Reading at Sucuri Blog