Researchers at the security company, Sucuri, has discovered the return of a malicious script that has so far infected thousands of websites running WordPress. The script infects WordPress sites with both a keylogger and the in-browser cryptocurrency mining script, Coin Hive.

The same infection was discovered in 2017 by Sucuri and it seems to have made a return with a few slight changes.

Denis Sinegubko, a Senior Malware Researcher at Sucuri, explained that the crypto mining Coin Hive script that is part of the malware is saved on a victim WordPress website as a fake jQuery script. Making it slightly difficult for one to pick up when just glancing at a folder.

"We’ve identified that the library jquery-3.2.1.min.js is similar to the encrypted CoinHive cryptomining library from the previous version, loaded from hxxp:// 3117488091/lib/jquery-3.2.1.min.js?v=3.2.11 (or hxxp://185 .209 .23 .219/lib/jquery-3.2.1.min.js?v=3.2.11, a more familiar representation of the IP address). This is not surprising since cdjs[.]online also exists on the server 185 .209 .23 .219. It’s interesting to note that this script extends the CoinHive library and adds an alternative configuration using the 185 .209 .23 .219 server (and now specifically cdjs[.]online) for LIB_URL and WEBSOCKET_SHARDS," said Sinegubko.

![Coin Hive WordPress Sucuri](/content/images/2018/01/sucuri-coinhive.png)
Coin Hive crypto mining script loaded by newly discovered WordPress malware. | Sucuri

What is concerning is that the keylogger script that is part of the same malware is able to record data entered on every form on an infected WordPress website. This is all done without an infected website's visitor being aware.

"Unfortunately for unsuspecting users and owners of the infected websites, the keylogger behaves the same way as in previous campaigns. The script sends data entered on every website form (including the login form) to the hackers via the WebSocket protocol," said Sinegubko.

How it works is that the hackers find WordPress sites that are not secure and are most likely running older versions of the CMS platform. They then use known exploits to inject their malware into the source code. Another possible method that they are using to inject their malware into WordPress websites is through old themes and plugins whose code has not been updated.

Sucuri recommend those that have been infected with the malware to follow this detailed guide on how to clean a WordPress site.

"To clean up a website that has been compromised with this infection, you’ll need to remove the malicious code from theme’s functions.php, scan wp_posts table for possible injections, change all WordPress passwords(!) and update all server software including third-party themes and plugins," concludes Sinegubko.