Sucuri pinpoints a long-lasting campaign that injects malicious scripts into compromised WordPress websites. It exploits a vulnerability in WordPress themes and plugins. Research shows that at least 6,000 WordPress websites are affected by the campaign in April.

Obfuscated JavaScript

Sucuri’s investigation unveiled that the unwanted redirects are related to a new wave of this campaign and send visitors through a series of website redirects to serve them unwanted ads. The investigation showed that these websites had been injected a malicious JavaScript within their files and the database, including legitimate core WordPress files such as:

• ./wp-includes/js/jquery/jquery.min.js
• ./wp-includes/js/jquery/jquery-migrate.min.js

The attackers automatically infect any .js files with jQuery in the names. It redirects the visitor to one of these domains:

• bluestringline[.]com
• browntouchmysky[.]com
• redstringline[.]com
• whitetouchmysky[.]com
• gregoryfavorite[.]space
• gregoryfavorite[.]top
• pushnow[.]net/

Sucuri said,

« It has been found that attackers are targeting multiple vulnerabilities in WordPress plugins and themes to compromise the website and inject their malicious scripts. We expect the hackers will continue registering new domains for this ongoing campaign as soon as existing ones become blacklisted.

If you believe that your website has been infected with malicious JavaScript or you have found unwanted redirects to spam or ads on your site, you can use SiteCheck to detect the malware. »