6,000 Infected WordPress Sites Pushing Infostealer Malware

An ongoing malware campaign has compromised over 6,000 WordPress sites, installing malicious plugins that push infostealing malware. The campaign, known as ClearFake, began in 2023 and tricks users into installing malware through fake browser error messages.

As reported by BleepingComputer, the malware can steal sensitive data, targeting both Windows and macOS users. The malware deployed in these attacks includes infostealers like StealC and Rhadamanthys on Windows and AMOS Stealer on macOS.

In many cases, the malicious WordPress plugins used to spread the malware resemble legitimate ones like Wordfence Security, making them hard to detect. These plugins inject malicious JavaScript into the HTML of compromised sites, which loads additional scripts stored on Binance Smart Chain. GoDaddy security researchers have tracked these fake plugins and noted that attackers use stolen admin credentials to install them.

To mitigate the risk, WordPress administrators are urged to regularly audit their sites for unknown plugins and immediately reset admin credentials if any suspicious activity is detected.

A similar ongoing campaign named ClickFix has recently expanded, which now uses fake Google Meet pages to lure users into executing malicious PowerShell scripts. Victims receive phishing emails disguised as Google Meet invitations, and upon clicking the link, they are redirected to fraudulent pages resembling legitimate Google Meet conferences. These pages show fake technical errors, prompting users to copy and run a command that ultimately infects their system with infostealing malware.

In both cases, attackers are exploiting social engineering tactics alongside technical vulnerabilities. WordPress sites in particular face heightened risks due to plugin vulnerabilities that can allow attackers to gain admin access. To mitigate these threats, site administrators should ensure plugins are always up to date and regularly check for suspicious activity.