Source: c/side
A new report reveals that over 10,000 WordPress websites have been compromised to deliver malware targeting both macOS and Windows users.
The report, published by c/side, highlights a sophisticated attack campaign that uses fake Google browser update pages to distribute AMOS (Atomic macOS Stealer) and SocGholish malware. The attack is unique in that it leverages client-side vulnerabilities and outdated WordPress versions and plugins to evade detection.
“The attackers use outdated WordPress versions and plugins to make detection more difficult for websites without a client-side monitoring tool in place,” the report states.
The attack begins with visitors to compromised websites being shown a fake Google browser update page within an iframe. The page, which closely resembles the legitimate Chrome update page, prompts users to download and install a malicious update file. This file contains either AMOS or SocGholish, depending on the user’s operating system.
AMOS is a stealer malware that targets macOS users, while SocGholish is a banking trojan that primarily affects Windows users. The fact that both malware variants are being delivered through the same campaign suggests that the attackers are diversifying their targets and expanding their reach.
c/side’s analysis revealed that the attackers are using a network of 27 malicious domains to host the malware and redirect users. The primary domain, fastcloudcdn[.]com, hosts the obfuscated JavaScript payloads that generate the fake update pages.
The report also notes that this is the first time AMOS and SocGholish have been delivered through a client-side attack, making it more difficult for traditional security tools to detect.
Website owners, particularly those using WordPress, are strongly advised to update their installations and plugins to the latest versions. They should also review their website logs for any suspicious activity and consider implementing client-side security monitoring tools.
If you suspect that you may have downloaded malware from a compromised website, it is recommended that you perform a thorough system cleanup to mitigate potential infection.
Related Posts:
- SocGholish Malware: The Silent Threat Lurking in Fake Browser Updates
- SocGholish Campaign Targets Business Networks via Fake Browser Updates
- Atomic Stealer Malware Returns in New Disguises, Targets Mac Users’ Sensitive Data
- New Mac Stealer “AMOS” Poses as Loom Screen Recorder, Targets Crypto Wallets
- Fake Browser Updates Lead to Malicious BOINC Installations
