Researchers have recently seen that more that 5,000 WordPress websites have been infected with a malware that was seen earlier this year.
The malware “Cloudeflare.solutions” first surfaced in April with cryptomining abilities however, a keylogger has been added to its arsenal.
The malware exploits the “functions.php” file which is used by the themes in WordPress. According to researchers “its homepage displayed the message ‘This Server is part of Cloudflare Distribution Network,’ but the new message claims ‘This server is part of an experimental science machine learning algorithms project.’”
Researchers have also identified two illegitimate CloudFlare domains. The two domains look real however, one of them doesn’t exist while the other delivers the payload. The keylogger’s main purpose is to steal the user’s login credentials. The main goal however, is to target e-commerce platforms in order to gain banking information. Users are advised to remove the “add_js_scripts” function along with the “add_action” clauses that mention “add_js_scripts.”