Fake Wp.org/jquery.js

There is a long-lasting malware campaign (dating back to at least 2016) that injects fake jQuery scripts:

<script type="text/javascript" src="hxxps://www.XX[X]wp[.]org/jquery.js"></script>

Where XX[X] are 2 or 3 random characters.

This Twitter thread mentions some of them:

Empty JS injection hxxp://9iwp[.]org/jquery.js” found on 1000+ WooCommerce sites. Registered Aug 5th. Expanding network before activation payload? https://t.co/ak0r7U9mTC

— Willem de Groot (@gwillem) August 31, 2018

We’ve compiled a longer list of the fake jQuery URLs employed by this campaign, along with numbers of websites PublicWWW currently finds them on:

• www.9iwp[.]org/jquery.js – 6473
• www.34wp[.]org/jquery.js – 2830
• www.3vwp[.]org/jquery.js – 2552
• www.7owp[.]org/jquery.js – 1248
• www.57wp[.]org/jquery.js – 168
• www.29wp[.]org/jquery.js – 115
• www.j3wp[.]org/jquery.js – 85
• www.i1wp[.]org/jquery.js – 51
• www.i7wp[.]org/jquery.js – 17
• www.x5wp[.]org/jquery.js – 12
• www.i2wp[.]org/jquery.js – 8
• www.35wp[.]org/jquery.js – 6
• www.75wp[.]org/jquery.js – 4
• www.10wp[.]org/jquery.js – 3
• www.I0wp[.]org/jquery.js – 3
• www.I3wp[.]org/jquery.js – 3
• www.61wp[.]org/jquery.js – 3