
ClickFix Malware Campaign Compromises 6000 WordPress Sites

A recently published article by GoDaddy's Security Team revealed that a new ClickFix malware campaign targeting vulnerable WordPress sites to deliver information-stealing malware is making the rounds. Information-stealing malware, or info stealers, is currently in vogue among both financially motivated and state-sponsored threat actors.


ClickFix attacks appear to be a variant of ClearFake attacks, which were used to push fake updates to macOS users that would later drop malware payloads, including Atomic Stealer, if the recipient accepted the update. This attack technique surfaced in mid-2023, with ClickFix clearly taking notes on what was successful about the previous campaign.

In the most recent malicious campaigns uncovered by GoDaddy's Security Team, threat actors will initiate these campaigns by logging into websites with stolen credentials and installing fake plugins in the now compromised environments.

Once installed, the plugins inject malicious JavaScript containing a known variation of fake browser update malware that uses blockchain and smart contracts to obtain malicious payloads. This has been referred to as Ether Hiding, where threat actors abuse services like Binance Smart Chain to deliver a malware payload once the smart contract is initiated and approved.

When executed in the browser, the JavaScript presents users with fake browser update notifications that guide them to install malware on their computer. Malware payloads are typically remote access trojans and various info stealers like Vidar Stealer and Lumma Stealer.

As for the malicious fake plugins, researchers noted,

Most of these malicious fake plugins have over five hundred detections on PublicWWW at the time of writing. Based on the analysis done by GoDaddy Security, we estimate over 6,000 unique domains worldwide have been impacted by this recent variant.

Using the Ether Hiding technique mentioned above, malicious scripts are pushed to site visitors if specific parameters are met. These compromised WordPress sites will then send site visitors a browser update request. When the recipient clicks the "Update" button, the malware payloads are downloaded and installed on the victim's machine.
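As an added illustration for site owners (not part of the original article or of GoDaddy's research), a small Python triage script that flags installed plugin files which hook wp_head/wp_footer to emit a script tag, or which reference blockchain JSON-RPC calls of the kind the Ether Hiding technique relies on. The sample plugin sources, the keyword list and the contract address are constructed assumptions, not indicators from this campaign.

```python
import re

# Heuristics assumed for this example (not indicators published in the article):
# a plugin file that hooks wp_head/wp_footer and emits <script>, or that talks to a
# blockchain JSON-RPC endpoint, deserves a manual review against a known-good copy.
HOOK_RE = re.compile(r"add_action\(\s*['\"](wp_head|wp_footer)['\"]")
SCRIPT_RE = re.compile(r"<script\b", re.I)
WEB3_RE = re.compile(r"eth_call|bsc-dataseed|web3\.|ethers\.|jsonrpc|0x[0-9a-f]{40}", re.I)


def scan_plugin_file(source: str) -> list[str]:
    """Return the reasons this plugin source looks like a JS-injecting fake plugin."""
    reasons = []
    hook = HOOK_RE.search(source)
    if hook and SCRIPT_RE.search(source):
        reasons.append(f"hooks {hook.group(1)} and emits a <script> tag")
    web3 = sorted({m.lower() for m in WEB3_RE.findall(source)})
    if web3:
        reasons.append("blockchain RPC/contract references: " + ", ".join(web3))
    return reasons


def scan_plugins(files: dict[str, str]) -> dict[str, list[str]]:
    """Map plugin path -> reasons, for every file that triggered at least one heuristic."""
    return {path: r for path, src in files.items() if (r := scan_plugin_file(src))}


# Constructed sample plugin sources; the contract address is a placeholder.
FAKE_CONTRACT = "0x" + "ab" * 20
SAMPLE_PLUGINS = {
    "wp-content/plugins/hello-dolly/hello.php": (
        "<?php\n/* Plugin Name: Hello Dolly */\n"
        "add_action('admin_notices', 'hello_dolly');\n"
        "function hello_dolly() { echo '<p>Hello, Dolly</p>'; }\n"
    ),
    "wp-content/plugins/cache-booster/cache-booster.php": (
        "<?php\n/* Plugin Name: Cache Booster */\n"
        "add_action('wp_footer', 'cb_inject');\n"
        "function cb_inject() {\n"
        "  echo '<script>fetch(\"https://bsc-dataseed.example/\", {method: \"POST\",\n"
        "    body: JSON.stringify({jsonrpc: \"2.0\", method: \"eth_call\",\n"
        "    params: [{to: \"" + FAKE_CONTRACT + "\", data: \"0x\"}, \"latest\"]})})\n"
        "    .then(r => r.json()).then(j => console.log(j.result));</script>';\n}\n"
    ),
}

if __name__ == "__main__":
    for path, reasons in scan_plugins(SAMPLE_PLUGINS).items():
        print(path, "->", "; ".join(reasons))
```

On a real install, point it at every PHP file under wp-content/plugins and compare any flagged plugin against the copy distributed by its vendor rather than trusting the header alone.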

These malware payloads have been observed hosted on GitHub and Bitbucket. The threat actors do not keep accounts and repositories open for long; they treat them as throw-away accounts and create new ones whenever they see fit. Luckily for researchers, some older repositories were still found online to assist in analysis.

Credential Compromise

Since legitimate WordPress sites were compromised to push malware onto unsuspecting victims, the question arises of how threat actors obtained the credentials needed to access the sites' admin portals and add malicious code. Researchers noted that brute-force attacks are certainly a possibility.

Another possibility is that website owners infected their own machines with malware designed to harvest credentials. Researchers consider this the more likely explanation, as the analyzed data shows no evidence of alternative credential acquisition methods such as brute forcing.

To this extent, GoDaddy's Security Team stated,

While the exploitation of admin credentials to install malicious plugins is not a prevalent discussion point in recent website security, it harkens back to a common infection vector used over 10+ years ago. In the past, attackers exploited malware that scanned for FTP credentials, which were often stored in plain text by FTP clients. These credentials were then exfiltrated to threat actors, who used them to gain unauthorized access and compromise websites.

And with regard to common misconceptions about info-stealing malware,

Based on GoDaddy Security research, ClearFake/ClickFix malware attempts to install various infostealers on compromised end user systems. When talking about infostealers, many people think about bank credentials, crypto wallets and other things of this nature, but many stealers can collect information and credentials from a much wider range of programs. For example, Vidar Stealer (which was reported to be pushed by ClearFake) is known to steal cPanel and WordPress credentials. Its dashboard has corresponding sections. Once the credentials are collected, threat actors are known to either sell them on the black market or use them themselves.

The rise of threat actors looking to deploy info stealers in recent months is a worrying trend. Some researchers argue that this is part of a greater shift towards identity attacks, which have proven to be incredibly lucrative for threat actors in recent history.

Further, info stealers have become a crucial cog in the cybercrime economy, with other groups like ransomware gangs increasingly relying on info-stealing malware to gain access to critical IT infrastructure that, once encrypted, can bring organizations to their knees.

The jury is still out on whether info stealers are as big a problem as more traditional credential phishing attacks. Both confront users with the reality that there are now multiple ways to steal credentials, and users and company employees need to be educated accordingly.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
