Cybersecurity Alert: Hackers Target WordPress Sites to Distribute Windows and Mac Malware
In recent weeks, a large hacking campaign has been targeting outdated WordPress installations and plugins, altering thousands of websites. Security researchers from the web security firm c/side uncovered the ongoing threat and found that the altered sites attempt to deceive visitors into downloading malware.
Current State of the Hacking Campaign
According to Simon Wijckmans, the founder and CEO of c/side, this hacking campaign is still “very much live.” The primary objective of the attackers is to distribute malware designed to steal sensitive information from users on both Windows and Mac operating systems. Some of the compromised websites are among the most popular on the internet, further amplifying the potential impact of this attack.
Nature of the Attack
This hacking operation is described as a “spray and pay” attack. Himanshu Anand, a security researcher at c/side, explained that the campaign aims to compromise anyone visiting these websites, rather than targeting specific individuals or groups.
- Visitors are redirected to a fake Chrome browser update page.
- The page prompts users to download an update to view the website.
- Depending on the operating system, users may be tricked into downloading malicious files disguised as legitimate updates.
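The lure described above works by injecting script into pages the site already serves: a loader pulled from an attacker-controlled host, or an inline script that rewrites the page with an "update your browser" message. The scanner below is an added, illustrative example written for this article; it is not c/side's tooling and it is not taken from any project. It walks a page's HTML and flags three things a defender would want to see: scripts loaded from hosts outside the site's own allowlist, inline scripts that decode a blob and write it into the document, and inline scripts containing fake-update wording. The hostnames, the sample pages and the lure phrases are constructed assumptions for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases typical of the fake "update your browser" lure described in the article.
# Constructed for this example; extend the list from samples seen in your own environment.
LURE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"update\s+(your\s+)?(chrome|browser)",
    r"browser\s+is\s+out\s+of\s+date",
    r"download\s+(the\s+)?update\s+to\s+(view|continue)",
)]


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from one page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src="" on <script> tags
        self.inline = []        # bodies of <script> tags that have no src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def scan_page(html, site_host, allowed_hosts=()):
    """Return a list of (kind, detail) findings for a page's HTML.

    site_host     - hostname the page is served from; same-origin scripts are expected
    allowed_hosts - third-party hosts the site legitimately loads scripts from
    """
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []

    # 1. Scripts pulled from a host that is neither the site nor an allowed CDN.
    for src in collector.external:
        host = urlparse(src.strip()).hostname   # None for relative (same-origin) URLs
        if host and host.lower() not in trusted:
            findings.append(("external-script", host))

    for body in collector.inline:
        # 2. Decode-then-write loaders: a base64 blob fed to document.write or eval.
        if re.search(r"\batob\s*\(", body) and re.search(r"\b(document\.write|eval)\s*\(", body):
            findings.append(("obfuscated-loader", body[:60].strip()))
        # 3. Inline content carrying the fake browser-update wording.
        for pattern in LURE_PATTERNS:
            match = pattern.search(body)
            if match:
                findings.append(("update-lure-text", match.group(0)))
                break
    return findings


# Constructed sample pages for a hypothetical site blog.example.test.
CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-trusted.test/app.js"></script>
</head><body><p>Welcome</p></body></html>"""

INJECTED_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="//static.example-unknown.test/loader.js"></script>
<script>var s=atob("aGVsbG8=");document.write(s);</script>
<script>document.body.innerHTML='<div>Your Chrome browser is out of date. Download the update to view this site.</div>';</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        for kind, detail in scan_page(page, "blog.example.test", ["cdn.example-trusted.test"]):
            print(f"{name}: {kind}: {detail}")
```

Run against a crawl of a site's own pages, the allowlist is the interesting part: an external host that is not already on it is worth a look even when no lure text is present, because the loader and the page it eventually rewrites are usually served separately.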
Wijckmans confirmed that c/side has contacted Automattic, the company behind WordPress, to report the hacking campaign and provided a list of malicious domains. An acknowledgment was received, but no further comments were made by Automattic prior to publication.
Extent of Compromise
c/side has identified over 10,000 compromised websites associated with this attack. By employing reverse DNS lookups, the team managed to detect malicious scripts on various domains. Although TechCrunch could not independently verify these findings, one hacked WordPress site was still displaying malicious content as of Tuesday.
Types of Malware Involved
The hackers are primarily using two types of malware:
- Amos (or Amos Atomic Stealer): Targets macOS users.
- SocGholish: Aims at Windows users.
In a report published in May 2023, cybersecurity firm SentinelOne classified Amos as an infostealer, designed to extract sensitive information such as usernames, passwords, and crypto wallet data. Furthermore, hackers have been observed selling access to Amos on platforms like Telegram.
Expert Insights on Amos Malware
Patrick Wardle, a recognized macOS security expert, characterized Amos as the most prolific stealer targeting macOS. The malware operates under a malware-as-a-service model, allowing developers to sell it to hackers for deployment.
Wardle emphasized that for the malicious file identified by c/side to install, the user must run it manually and click through several of the security warnings that Apple puts in the way.
Prevention and Security Measures
While this hacking campaign may not be the most sophisticated, it serves as a crucial reminder for users to:
- Keep Chrome up to date using the browser's built-in update mechanism.
- Only install trusted applications on their devices.
Password-stealing malware has been linked to numerous significant hacks and data breaches. For instance, in 2024, hackers exploited stolen credentials to breach corporate accounts hosted by the cloud computing giant Snowflake.
For further information on online security, consider visiting the Australian Cyber Security Centre's online security tips.