The security company Sucuri initiated an investigation after a customer’s WordPress site began serving suspicious third-party JavaScript. Their investigation revealed that attackers had introduced malicious code into the “functions.php” file of a theme. This code, disguised with references to Google Ads to avoid detection, functions as a remote loader. It sends an HTTP POST request to a domain, which then provides a dynamic payload. This payload contains two key components: a JavaScript file from “porsasystem[.]com” that performs site redirects and a JavaScript code that creates a hidden, one-by-one-pixel iframe. The iframe then injects code that mimics legitimate Cloudflare assets, specifically “cdn-cgi/challenge-platform/scripts/jsd/main.js,” a critical part of Cloudflare’s bot detection system. The domain “porsasystem[.]com” has been identified as part of the Kongtuke traffic distribution system (TDS), also known by several other names including 404 TDS.
According to a Mastodon post by “monitorsg,” the infection chain begins when a user visits a compromised site, leading to the execution of “porsasystem[.]com/6m9x.js,” which then calls “porsasystem[.]com/js.php,” ultimately redirecting the victim to ClickFix-style pages for malware distribution. These findings underscore the critical need for robust cybersecurity practices, particularly for WordPress sites. It is essential to keep all plugins, themes, and website software up to date, enforce strong passwords, and regularly scan for anomalies and unexpected administrator accounts that may have been created to maintain persistent access even after the primary malware is detected and removed.
The disclosure of this campaign coincides with new findings from Palo Alto Networks Unit 42 regarding a phishing kit called the IUAM ClickFix Generator. This tool enables attackers to create highly customizable landing pages that mimic browser verification challenges commonly used by CDNs and cloud security providers to block automated traffic. These pages leverage the ClickFix social engineering technique to infect users with malware. The tool’s ability to create a legitimate-looking, spoofed interface significantly increases the effectiveness of the lure, making it harder for victims to distinguish a malicious page from a genuine one. Security researcher Amer Elsad noted that this tool allows threat actors to craft a sophisticated and convincing trap.
Reference:
