Massive flaws have been discovered in WordPress that deliver ransomware to visitors. There has been a spike in WordPress infections in which hackers inject encrypted code at the end of all legitimate .js files. People running outdated versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer are more vulnerable when browsing an infected WordPress website.
The malware tries to infect all accessible .js files, which means all the domains hosted in a hosting account might get infected.
Surprisingly, all the infected domains are being pointed to 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199 in the network of DigitalOcean.
According to Sucuri, some of the features of this malware are:
- 32-hex-digit comments at the beginning and end of the malicious code, e.g. /*e8def60c62ec31519121bfdb43fa078f*/. This comment is unique on every infected site and is most likely an MD5 hash based on the domain name.
- The first comment is immediately followed by ;window["\x64\x6f…. and a long array of string constants in their hexadecimal representation.
- It always ends with ".join(\"\");"));"
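A scanner built from the traits listed above, as an added example (not code from Sucuri or from this post): it flags .js files containing a block that opens with a 32-hex-digit comment followed by ;window["\x.., ends with the .join tail, and is closed by a second 32-hex-digit comment. The function names are hypothetical and the sample strings are constructed and non-functional.

```python
import re
from pathlib import Path

# Traits from the list above: /*<32 hex>*/ marker, then ;window["\x.. ,
# hex-escaped string constants, the .join(\"\");")); tail, closing marker.
MARKER = r"/\*([0-9a-f]{32})\*/"
INJECTION = re.compile(
    MARKER + r'(;window\["(?:\\x[0-9a-f]{2})+.*?\.join\(\\"\\"\);"\)\);)\s*' + MARKER,
    re.DOTALL | re.IGNORECASE,
)

def find_injection(text):
    """Return (open_marker, close_marker, start_offset) or None."""
    m = INJECTION.search(text)
    if m is None:
        return None
    return m.group(1), m.group(3), m.start()

def strip_injection(text):
    """Remove the marked block; a known-good backup is still the safer restore."""
    return INJECTION.sub("", text).rstrip() + "\n"

def scan_tree(root):
    """Yield (path, open_marker) for every .js file under root that matches."""
    for path in sorted(Path(root).rglob("*.js")):
        hit = find_injection(path.read_text(errors="replace"))
        if hit:
            yield path, hit[0]

# Constructed, non-functional sample: legitimate code plus an appended block.
CLEAN = "function add(a, b) { return a + b; }\n"
FAKE = ('/*0123456789abcdef0123456789abcdef*/'
        ';window["\\x64\\x6f"]["\\x77"](["\\x41","\\x42"].join(\\"\\");"));'
        '/*0123456789abcdef0123456789abcdef*/')

if __name__ == "__main__":
    import sys
    for path, marker in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: injected block, marker {marker}")
```

Run it against the web root of every site in the hosting account, since the malware targets all accessible .js files.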