The attack employs sophisticated client-side techniques to deliver two notorious malware strains: AMOS (Atomic macOS Stealer) and SocGholish.
The compromised WordPress sites display fake Google browser update pages through dynamically injected iframes, marking the first documented instance of these particular malware variants being distributed through client-side attacks.
"To our knowledge, it’s also the first time they’ve been delivered through a client-side attack. JavaScript loaded in the browser of the user generates the fake page in an iframe," a researcher at Cside wrote. "The attackers use outdated WordPress versions and plugins to make detection more difficult for websites without a client-side monitoring tool in place."
The campaign specifically targets outdated WordPress installations and plugins to evade detection by conventional security tools.
The attack infrastructure relies on multiple malicious domains, with blackshelter[.]org and blacksaltys[.]com identified as primary command-and-control servers. The attackers employ heavily obfuscated JavaScript code hosted on fastcloudcdn[.]com to execute the malicious payload.
This code employs multiple layers of encoding and sophisticated techniques to bypass standard security measures, including the use of dynamic timestamps to prevent caching.
What makes this campaign particularly noteworthy is its cross-platform approach. While AMOS and SocGholish have historically been distributed by different threat actors, their combined deployment in this campaign suggests a possible convergence of attack methodologies or collaboration between threat groups. Both malware variants are commercially available through underground markets on Telegram.
The attack mechanism involves multiple stages, beginning with the injection of malicious JavaScript that halts ongoing browser processes and strips key HTML attributes before delivering the fake update page.
For macOS users, the attack chain culminates in downloading a DMG file containing the AMOS malware, while Windows users are targeted with SocGholish.
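The injection pattern described above (a loader script from one of the named domains with a timestamp cache-buster, plus inline JavaScript that builds an iframe at runtime) is something a site owner can check for in the HTML their WordPress site actually serves. The following scanner is an added example written for this article, not code from Cside or the report; the sample page it runs over is constructed, and the domain list is exactly the three domains the article names.

```python
import re

# Domains named in the report (the article defangs them with [.]; written plainly here)
INDICATOR_DOMAINS = {"blackshelter.org", "blacksaltys.com", "fastcloudcdn.com"}

SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
IFRAME_SRC = re.compile(r'<iframe\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
# 10-13 digit numeric query value: a Unix timestamp used as a cache-buster
CACHE_BUST = re.compile(r'[?&][\w-]*=\d{10,13}(?=&|$)')
# Inline script building an iframe at runtime (the fake update page is rendered this way)
DYNAMIC_IFRAME = re.compile(r'createElement\(\s*["\']iframe["\']\s*\)', re.I)


def host_of(url: str) -> str:
    """Return the lower-cased host of an absolute or protocol-relative URL, else ''."""
    m = re.match(r'^(?:https?:)?//([^/:?#]+)', url.strip())
    return m.group(1).lower() if m else ""


def scan_html(html: str) -> list[tuple[str, str]]:
    """Return (reason, evidence) pairs for each suspicious element in served HTML."""
    findings = []
    for tag, pattern in (("script", SCRIPT_SRC), ("iframe", IFRAME_SRC)):
        for m in pattern.finditer(html):
            src = m.group(1)
            if host_of(src) in INDICATOR_DOMAINS:
                findings.append((f"{tag}_from_indicator_domain", src))
            if tag == "script" and CACHE_BUST.search(src):
                findings.append(("cache_busting_script_src", src))
    if DYNAMIC_IFRAME.search(html):
        findings.append(("inline_dynamic_iframe", "document.createElement('iframe')"))
    return findings


# Constructed sample page, not captured from a real site: one legitimate script,
# one loader from the named CDN with a timestamp cache-buster, one inline iframe builder.
SAMPLE_HTML = """<html><head>
<script src="https://example-wp-site.test/wp-includes/js/jquery.min.js?ver=3.7.1"></script>
<script src="https://fastcloudcdn.com/loader.js?t=1712345678901"></script>
</head><body>
<script>var f=document.createElement('iframe');document.body.appendChild(f);</script>
</body></html>"""

if __name__ == "__main__":
    for reason, evidence in scan_html(SAMPLE_HTML):
        print(f"{reason}: {evidence}")
```

Run it against the HTML returned by a fetch of the site's front page (the served output, not the theme files on disk), since the injection happens in what the browser receives.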
Security experts recommend that WordPress site administrators immediately update their core installations and plugins, remove unused plugins, and conduct thorough system audits. For potentially compromised sites, reviewing the past 90 days of logs for indicators of compromise is crucial.
Users who may have downloaded files from affected websites are advised to perform comprehensive system scans and cleanup procedures to prevent potential malware infection.