A sophisticated malware campaign, dubbed “Mal.Metrica,” has been identified as exploiting vulnerabilities in WordPress, impacting over 17,000 websites in 2024. The malware utilizes a deceptive technique involving fake human verification prompts to redirect users to malicious domains, leading to scam engagements and data theft.
Incident Details
- Malware Name: Mal.Metrica
- Impact: 17,449 WordPress sites compromised as of 2024
- Exploitation Technique: Utilizes fake CAPTCHA-like prompts to redirect users to harmful websites
- Primary Targets: Websites using vulnerable WordPress themes and plugins, specifically the “Responsive” theme and other components like tagDiv Composer and WP Go Maps.
Mechanism of Attack
- Initial Compromise: Attackers exploit known vulnerabilities in WordPress themes and plugins to inject malicious redirect code.
- Deception Method: Users visiting compromised sites are presented with a fake “Verify that you are a human” pop-up, mimicking common CAPTCHA verifications.
- Redirection: Clicking on the verification prompt redirects users to malicious sites such as rapid.tmediacontent[.]com.
- End Goal: Distribution of malware, phishing attempts, fake software downloads, cryptocurrency scams, and extensive ad spam.
Indicators of Compromise (IoCs)
- Malicious Domains:
- rapid.tmediacontent[.]com
- Compromised WordPress Themes/Plugins:
- Responsive WordPress theme
- tagDiv Composer
- WP Go Maps
Potential Consequences
- Information Theft: Phishing sites collect personal and financial information.
- Malware Proliferation: Distribution of additional malware through fake software downloads.
- Financial Fraud: Cryptocurrency scams and other financial deception tactics.
- System Compromise: Further infiltration into networked systems leading to broader security breaches.
Mitigation and Remediation
- Immediate Updates: Ensure all WordPress installations, including themes and plugins, are up to date with the latest security patches.
- Web Application Firewall (WAF): Deploy a WAF to detect and block malicious traffic attempting to exploit web application vulnerabilities.
- User Education: Train users to recognize and avoid suspicious links and prompts, emphasizing critical thinking before interacting with unexpected web elements.
Recommendations for Site Administrators
- Regular Scanning: Conduct regular scans of WordPress sites for vulnerabilities and signs of compromise.
- Backup and Recovery: Maintain up-to-date backups and establish a robust recovery plan to restore compromised websites.
- Security Monitoring: Implement comprehensive security monitoring tools to detect anomalies and potential threats in real-time.
