More than 1000 WordPress -based sites have been infected with the third JavaScript code that introduces four separate rear parts.
“Create four back – Note Wednesday analysis.
The JavaScript malicious code has been found to be submitted via cdn.csyndication (.) Com. As writing, as much as 908 sites Hold the links to the domain in question.
Functions of the four back are explained below –
- Backdoor 1, which loads and sets a fake plugin called “Ultra SEO CPU”, which is then used to execute teams issued
- Backdoor 2 that introduces malicious JavaScript in wp-config.php
- Backdoor 3, which adds a controlled SSH to the File ~/.sssh/Authorized_Keys to ensure constant remote access to the machine
- Backdoor 4, which is designed to perform remote commands and gets another useful load GSOCKET (.) IO to probably open the reverse shell
To mitigate the risk that is the attacks, it is recommended to delete users of unauthorized SSH keys, turn the powers of the WordPress administrator and control system magazines for suspicious activity.
Development comes as a cybersecurity campaign minute Another malicious company has compromised more than 35,000 malicious JavaScript sites that “fully steals the user’s browser window” to redirect site visitors to Chinese gambling platforms.
“The attack appears to be focused on or comes from regions where mandarin is widespread, and the final target pages represent gambling under the” Kaiyun “brand.
Redirecting occur through JavaScript, located in five different domains that serve as a loader for the main useful load responsible for the performance –
- mlbetjs (.) Com
- Ptfafajs (.) With
- Zuizhongjs (.) Com
- JBWZZJS (.) With
- Jpbkte (.) With
The conclusions also follow from the new Group-IB report about the actor threatened Shouted Jungle This introduces the code with the JavaScript Bablosoft JS code into Magento sites to collect fingerprints. It is believed that more than 115 e -commerce sites will be affected today.
The entered script “is” part of Bablosoft Browserautomationstudio (BAS) Suite, “Singapore Company – NoteAdding it “contains several other features to collect information about the system and browser users who visit the site compromised.”
The attackers are said to exploit known vulnerabilities that affect vulnerable versions of Magento (eg Cve-2024-34102 AKA Cosmicsting and Cve-2024-20720) for websites. The actor who funded the motivated was first discovered in the wild at the end of May 2024.
“The fingers’ browser is a powerful technique that is commonly used on site tracking sites and individual marketing strategies,” Group-IB said. “However, this information is also operated by cyberclasses to imitate the legitimate behavior of the users, evading security measures and false actions.”
