“Mal.Metrica” Malware Rampantly Exploiting WordPress to Compromise Over 17,000 Sites

Bar Refael

May 5, 2024

A sophisticated malware campaign, dubbed “Mal.Metrica,” has been identified exploiting vulnerabilities in WordPress themes and plugins, impacting over 17,000 websites in 2024. The malware uses a deceptive technique, a fake human verification prompt, to redirect visitors to malicious domains, leading to scams and data theft.

Incident Details

  • Malware Name: Mal.Metrica
  • Impact: 17,449 WordPress sites compromised as of 2024
  • Exploitation Technique: Utilizes fake CAPTCHA-like prompts to redirect users to harmful websites
  • Primary Targets: Websites using vulnerable WordPress themes and plugins, specifically the “Responsive” theme and other components like tagDiv Composer and WP Go Maps.

Mechanism of Attack

  • Initial Compromise: Attackers exploit known vulnerabilities in WordPress themes and plugins to inject malicious redirect code.
  • Deception Method: Users visiting compromised sites are presented with a fake “Verify that you are a human” pop-up, mimicking common CAPTCHA verifications.
  • Redirection: Clicking on the verification prompt redirects users to malicious sites such as rapid.tmediacontent[.]com.
  • End Goal: Distribution of malware, phishing attempts, fake software downloads, cryptocurrency scams, and extensive ad spam.

Indicators of Compromise (IoCs)

  • Malicious Domains:
    • rapid.tmediacontent[.]com
  • Compromised WordPress Themes/Plugins:
    • Responsive WordPress theme
    • tagDiv Composer
    • WP Go Maps
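To turn the indicators above into a check, here is an added example (not code from the advisory or from OP Innovate) that searches a WordPress content tree for the redirect domain and the fake verification text, and flags outbound proxy or DNS log lines that reference the domain. The directory layout, the log line format, the sample files, the theme directory name and the handling of a backslash-escaped form of the domain are all assumptions made for the example.

```python
"""Check a WordPress tree and proxy/DNS logs for the Mal.Metrica indicators
named in the advisory above. Added example, not the advisory's own code;
directory layout, log format and sample data are assumptions."""
from __future__ import annotations

import re
from pathlib import Path
from typing import Iterable

# Indicators from the advisory. The domain is written defanged on the page
# ("rapid.tmediacontent[.]com"); refang() turns it into a matchable string.
DEFANGED_DOMAINS = ["rapid.tmediacontent[.]com"]
# Wording of the fake verification pop-up quoted in the advisory.
LURE_PHRASES = ["verify that you are a human"]


def refang(indicator: str) -> str:
    """Turn '[.]' back into '.', so the IoC can be matched in raw content."""
    return indicator.replace("[.]", ".")


def _compile_patterns() -> list[tuple[str, re.Pattern]]:
    patterns = []
    for dom in DEFANGED_DOMAINS:
        # Match the plain domain and, as an assumption about how injected
        # JavaScript may encode it, the form with backslash-escaped dots.
        esc = re.escape(refang(dom)).replace(r"\.", r"(?:\\?\.)")
        patterns.append((dom, re.compile(esc, re.IGNORECASE)))
    for phrase in LURE_PHRASES:
        # Allow any whitespace between words so the phrase still matches
        # when the HTML wraps it across lines.
        words = [re.escape(w) for w in phrase.split()]
        patterns.append((phrase, re.compile(r"\s+".join(words), re.IGNORECASE)))
    return patterns


PATTERNS = _compile_patterns()


def find_indicators(text: str) -> list[str]:
    """Return the indicator names (as written in the advisory) found in text."""
    return [name for name, pat in PATTERNS if pat.search(text)]


def scan_tree(root: Path, suffixes=(".php", ".js", ".html", ".htm")) -> dict[str, list[str]]:
    """Walk a WordPress tree (e.g. wp-content/) and report files containing
    any indicator. Returns {relative_posix_path: [indicators]} for hits only."""
    hits: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            found = find_indicators(text)
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits


def scan_log_lines(lines: Iterable[str]) -> list[tuple[int, str]]:
    """Flag outbound-proxy or DNS log lines that reference the redirect domain.
    Only the domain indicators apply here: the lure text is page content and
    does not appear in a request log."""
    domain_patterns = [pat for name, pat in PATTERNS if name in DEFANGED_DOMAINS]
    flagged = []
    for lineno, line in enumerate(lines, 1):
        if any(pat.search(line) for pat in domain_patterns):
            flagged.append((lineno, line.rstrip("\n")))
    return flagged


# Constructed sample proxy log (not real traffic); the line format is assumed.
SAMPLE_PROXY_LOG = [
    "2024-05-05T10:00:01Z client=10.0.0.5 host=example-wp-site.test path=/ status=200",
    "2024-05-05T10:00:02Z client=10.0.0.5 host=rapid.tmediacontent.com path=/ status=302",
    "2024-05-05T10:00:03Z client=10.0.0.7 host=cdn.example.test path=/app.js status=200",
]


def demo() -> dict[str, list[str]]:
    """Build a constructed wp-content tree with one injected theme file and one
    clean file in a temporary directory, scan it, and return the hits."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        theme = root / "themes" / "responsive"  # directory name is an assumption
        theme.mkdir(parents=True)
        (theme / "footer.php").write_text(
            "<?php wp_footer(); ?>\n<script>var c='rapid.tmediacontent\\.com';"
            "document.write('<div>Verify that\n you are a human</div>');</script>\n"
        )
        (theme / "header.php").write_text("<?php wp_head(); ?>\n")
        return scan_tree(root)


if __name__ == "__main__":
    for f, ind in demo().items():
        print(f"{f}: {', '.join(ind)}")
    for n, line in scan_log_lines(SAMPLE_PROXY_LOG):
        print(f"proxy log line {n}: {line}")
```

Run `scan_tree(Path("/var/www/html/wp-content"))` against a real install after patching as well as before: updating the vulnerable theme or plugin closes the entry point but does not remove code that was already injected, so a clean scan, or a restore from a known-good backup, is what confirms the site is actually clean.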

Potential Consequences

  • Information Theft: Phishing sites collect personal and financial information.
  • Malware Proliferation: Distribution of additional malware through fake software downloads.
  • Financial Fraud: Cryptocurrency scams and other financial deception tactics.
  • System Compromise: Further infiltration into networked systems leading to broader security breaches.

Mitigation and Remediation

  • Immediate Updates: Ensure all WordPress installations, including themes and plugins, are up to date with the latest security patches.
  • Web Application Firewall (WAF): Deploy a WAF to detect and block malicious traffic attempting to exploit web application vulnerabilities.
  • User Education: Train users to recognize and avoid suspicious links and prompts, emphasizing critical thinking before interacting with unexpected web elements.

Recommendations for Site Administrators

  • Regular Scanning: Conduct regular scans of WordPress sites for vulnerabilities and signs of compromise.
  • Backup and Recovery: Maintain up-to-date backups and establish a robust recovery plan to restore compromised websites.
  • Security Monitoring: Implement comprehensive security monitoring tools to detect anomalies and potential threats in real-time.

Stay Secure. Stay Informed.

OP Innovate Research Team.
