FOCUS MODE
EXTRACT IOC
Threat Research

WordPress ClickFix Malware Causes Google Warnings and Infected Computers

Sucuri
WordPress ClickFix Malware Causes Google Warnings and Infected Computers
This article discusses a recent fake Google reCAPTCHA malware campaign targeting WordPress sites that tricks users into executing malicious Powershell commands. Victims are led to click through fake prompts that eventually allow malware to infect their systems by running harmful commands, illustrating the need for enhanced security measures for both users and website administrators. Affected: WordPress, Windows OS

Keypoints :

  • A fake Google reCAPTCHA malware campaign has emerged affecting WordPress websites since December.
  • The malware tricks users into executing malicious Powershell commands within their Windows OS environments.
  • The attack requires users to perform specific tasks leading to a command being copied into the clipboard without their knowledge.
  • A notable malicious command instructs users to access a URL using the mshta command, posing as a fix for DNS issues.
  • The attack spreads via malicious WordPress plugins with short, random names and injections into theme code.
  • Over 5,200 websites are believed to be infected with this malware.
  • Security warnings from Google can prevent access to compromised sites, damaging their reputation.
  • Website administrators are encouraged to implement strong security practices to protect against malware attacks.

MITRE Techniques :

  • T1027 – Obfuscated Files or Information: Malicious code is obfuscated within plugins to evade detection.
  • T1056 – Input Capture: User inputs are captured through fake reCAPTCHA prompts that trick victims into executing malware.
  • T1071 – Application Layer Protocol: The malware interacts with a blockchain network for command delivery.
  • T1203 – Exploitation for Client Execution: The attack leverages user interaction with compromised websites to execute malicious commands.
  • T1573 – Encrypted Channel: The malware utilizes encrypted communication channels within the attack lifecycle.

Indicator of Compromise :

  • [URL] hxxp://83.217.208.130/xfiles/Ohio.mp4
  • [IP Address] 83.217.208.130
  • [File Name] ./wp-content/plugins/gYdWL/index.php
  • [File Name] ./wp-content/plugins/nwLKs/index.php
  • [File Name] ./wp-content/plugins/QdVYu/index.php

Full Story: https://blog.sucuri.net/2025/02/wordpress-clickfix-malware-causes-google-warnings-and-infected-computers.html

Tags: BACKDOOR, BACKUP, FIREWALL, PAYLOAD, BLOCKCHAIN, TROJAN, CRYPTO, DNS