“Mal.Metrica” Malware Rampantly Exploiting WordPress to Compromise Over 17,000 Sites

Bar Refael

May 5, 2024

A sophisticated malware campaign, dubbed “Mal.Metrica,” has been identified exploiting vulnerabilities in WordPress themes and plugins, impacting over 17,000 websites in 2024. The malware shows fake human verification prompts that redirect users to malicious domains, leading to scam engagements and data theft.

Incident Details

  • Malware Name: Mal.Metrica
  • Impact: 17,449 WordPress sites compromised as of 2024
  • Exploitation Technique: Utilizes fake CAPTCHA-like prompts to redirect users to harmful websites
  • Primary Targets: Websites using vulnerable WordPress themes and plugins, specifically the “Responsive” theme and other components like tagDiv Composer and WP Go Maps.

Mechanism of Attack

  • Initial Compromise: Attackers exploit known vulnerabilities in WordPress themes and plugins to inject malicious redirect code.
  • Deception Method: Users visiting compromised sites are presented with a fake “Verify that you are a human” pop-up, mimicking common CAPTCHA verifications.
  • Redirection: Clicking on the verification prompt redirects users to malicious sites such as rapid.tmediacontent[.]com.
  • End Goal: Distribution of malware, phishing attempts, fake software downloads, cryptocurrency scams, and extensive ad spam.

Indicators of Compromise (IoCs)

  • Malicious Domains:
    • rapid.tmediacontent[.]com
  • Compromised WordPress Themes/Plugins:
    • Responsive WordPress theme
    • tagDiv Composer
    • WP Go Maps

Potential Consequences

  • Information Theft: Phishing sites collect personal and financial information.
  • Malware Proliferation: Distribution of additional malware through fake software downloads.
  • Financial Fraud: Cryptocurrency scams and other financial deception tactics.
  • System Compromise: Further infiltration into networked systems leading to broader security breaches.

Mitigation and Remediation

  • Immediate Updates: Ensure all WordPress installations, including themes and plugins, are up to date with the latest security patches.
  • Web Application Firewall (WAF): Deploy a WAF to detect and block malicious traffic attempting to exploit web application vulnerabilities.
  • User Education: Train users to recognize and avoid suspicious links and prompts, emphasizing critical thinking before interacting with unexpected web elements.

Recommendations for Site Administrators

  • Regular Scanning: Conduct regular scans of WordPress sites for vulnerabilities and signs of compromise.
  • Backup and Recovery: Maintain up-to-date backups and establish a robust recovery plan to restore compromised websites.
  • Security Monitoring: Implement comprehensive security monitoring tools to detect anomalies and potential threats in real time.
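
The scanning recommendation above, applied to the domain listed under Indicators of Compromise, as an added example that is not from the original advisory: it walks a directory tree and reports the files that reference the IoC. The file extensions and the two decoded forms (base64 runs and `String.fromCharCode` lists) are assumptions, since the advisory does not describe how the injected code is written.

```python
import base64
import re
from pathlib import Path

# IoC from the advisory, kept defanged in source and refanged only to match.
IOCS = ["rapid.tmediacontent[.]com"]
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm", ".sql"}  # assumed file set
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
CHARCODES = re.compile(r"fromCharCode\(([\d\s,]+)\)")


def refang(ioc):
    """Turn a defanged indicator such as a[.]b into a matchable a.b."""
    return ioc.replace("[.]", ".").lower()


def decoded_views(text):
    """Yield text, then decoded base64 runs and fromCharCode lists (assumed)."""
    yield text
    for run in B64_RUN.findall(text):
        try:
            yield base64.b64decode(run + "=" * (-len(run) % 4)).decode("latin-1")
        except ValueError:  # not valid base64 after all
            continue
    for codes in CHARCODES.findall(text):
        # & 0xFFFF mirrors how JavaScript truncates each code unit.
        yield "".join(chr(int(c) & 0xFFFF) for c in re.findall(r"\d+", codes))


def find_iocs(text, iocs=IOCS):
    """Return the IoCs present in text, directly or after decoding."""
    views = [v.lower() for v in decoded_views(text)]
    return sorted(i for i in iocs if any(refang(i) in v for v in views))


def scan_tree(root, iocs=IOCS):
    """Map each scanned file under root (relative path) to the IoCs it contains."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            found = find_iocs(path.read_text(errors="ignore"), iocs)
            if found:
                hits[str(path.relative_to(root))] = found
    return hits


if __name__ == "__main__":
    # Constructed sample input: a script tag that names the advisory's domain.
    sample = '<script src="https://%s/x.js"></script>' % refang(IOCS[0])
    print(find_iocs(sample))
```

Run `scan_tree` over the site's document root and over a directory holding a database export; a clean result only shows that the listed domain is absent from the files scanned.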

Stay Secure. Stay Informed.

OP Innovate Research Team.