Security researchers have discovered over 2,000 WordPress sites —possibly more— infected with a keylogger that's being loaded on the WordPress backend login page and a cryptojacking script (in-browser cryptocurrency miner) on their frontends.

Researchers have tied these newly discovered infected sites to a similar operation that took place in early December 2017.

The attack is quite simple. Miscreants find unsecured WordPress sites —usually running older WordPress versions or older themes and plugins— and use exploits for those sites to inject malicious code into the CMS' source code.

The malicious code includes two parts. For the admin login page, the code loads a keylogger hosted on a third-party domain. For the site's frontend, crooks load the Coinhive in-browser miner and mine Monero using the CPUs of people visiting the site.

Crooks migrate to new domains

For the late-2017 campaign, crooks loaded their keylogger from the "cloudflare.solutions" domain. Those attacks affected nearly 5,500 WordPress sites but were stopped on December 8 when the registrar took down the miscreants' domain.

According to a new report released yesterday by Sucuri, the company that has been tracking this campaign since April 2017, crooks are now loading the keylogger from three new domains: cdjs.online, cdns.ws, and msdns.online.

Based on data obtained via PublicWWW, there are over 2,000 sites that are loading scripts from these three domains [1, 2, 3].

Sucuri fears that not all affected sites are being indexed in PublicWWW and that the number of victims could be even bigger.

WordPress website owners are advised to review their sites, update anything that needs updating, and check whether suspicious scripts are being loaded on their login page.
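One way to do the login-page check recommended above, as an added example that is not from the article or from Sucuri: take the HTML of wp-login.php (a constructed sample here) and classify every external `<script src>` by host. The campaign domains are the ones the article names; the Coinhive hosts and the site name `example-blog.test` are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Keylogger-hosting domains named in the article (old and current campaign).
CAMPAIGN_DOMAINS = {"cloudflare.solutions", "cdjs.online", "cdns.ws", "msdns.online"}
# Hosts Coinhive served its in-browser miner from (assumption, not from the article).
MINER_DOMAINS = {"coinhive.com", "coin-hive.com"}

# Constructed sample of a login page: two legitimate scripts, one from a
# campaign domain disguised as jQuery, one unknown third party.
SAMPLE_LOGIN_HTML = """
<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://example-blog.test/wp-content/themes/x/theme.js"></script>
<script src="//cdjs.online/jquery.js"></script>
<script src="https://cdn.example.net/analytics.js"></script>
</head><body></body></html>
"""


class _ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def _matches(host, domains):
    # Exact match or subdomain of a listed domain.
    return host in domains or host.endswith(tuple("." + d for d in domains))


def classify_scripts(html, site_host):
    """Return (src, verdict) for each script loaded from another host.

    Relative paths and same-host scripts pass; everything else is flagged by
    host, not by file name, because the injected scripts were disguised as
    jQuery and Google Analytics files.
    """
    parser = _ScriptSrcParser()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = urlsplit(src).hostname  # None for relative paths
        if not host or host == site_host.lower():
            continue
        if _matches(host, CAMPAIGN_DOMAINS):
            verdict = "campaign-domain"
        elif _matches(host, MINER_DOMAINS):
            verdict = "miner"
        else:
            verdict = "third-party"  # not known bad, but review it
        findings.append((src, verdict))
    return findings


if __name__ == "__main__":
    for src, verdict in classify_scripts(SAMPLE_LOGIN_HTML, "example-blog.test"):
        print(f"{verdict:16} {src}")
```

Any "campaign-domain" or "miner" hit on the login page is a strong sign the site's source files were modified and need to be cleaned from a known-good copy, not just updated.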

Attackers active since April 2017

As mentioned before, this campaign has been going on since April 2017, and for most of 2017, miscreants were busy embedding banner ads on the hacked sites and loading Coinhive cryptojacking scripts disguised as fake jQuery and Google Analytics JavaScript files.

It was only in December when this group moved to the more devious practice of collecting admin credentials via a keylogger.