WordPress Re-Direct Highlights Need for Regular Updates

Security researchers at Sucuri recently discovered a large WordPress redirect campaign exploiting a two-year-old vulnerability in tagDiv themes and a newly disclosed vulnerability in the Ultimate Member plugin.

The tagDiv theme vulnerability was patched back in 2017, and the Ultimate Member plugin was patched as soon as the issue was discovered. However, sites were attacked before the fixes were applied, and sites that have not yet updated remain exposed.

Attackers targeting WordPress sites running a tagDiv theme or the Ultimate Member plugin upload a fake image file that carries embedded PHP code. They then use that file to inject malicious code into the site's files.

The Malware

Visitors to an infected website are redirected to http://murieh[.]space or https://unverf[.]com, which display a fake reCAPTCHA image. These pages ask users to "verify" themselves and subscribe to browser notifications without disclosing why. The injected script is loaded from one of two hosts: cdn.eeduelements[.]com and cdn.allyouwant[.]online. The former was used in the initial stage of the campaign; the latter was introduced about a week later.

Sucuri researchers noted a flaw in the attackers' tooling: the malware scripts were poorly coded. When the attackers reinfected a website with the new version of the malware, they did not remove the code they had injected earlier, so both scripts are found on reinfected websites.
Researchers also noted that a successful infection is limited to files belonging to one hosting account. Within that account, however, every website is infected, even sites that do not run the Ultimate Member plugin.

According to Chris Olson, CEO at Media Trust, the redirect campaign targeting the vulnerabilities in tagDiv themes and the Ultimate Member plugin highlights the need for website owners to apply updates regularly to safeguard their sites.

Often, when owners launch a website they focus on its content and forget that keeping the theme and plugin code up to date is just as important as keeping the content up to date.

What to do if your website is infected

Here are a few steps you can take to contain the infection and prevent further damage:

  1. Update all themes and plugins, not just Ultimate Member. This is especially important if you are running an older version of the Ultimate Member plugin or one of tagDiv's themes.
  2. If you use a tagDiv theme, locate and remove the malicious script through the theme's admin interface; it is stored in the "Custom HTML" widget. Alternatively, remove it directly from the WordPress database, but take a backup first, as editing the database by hand is risky.
  3. If you use the Ultimate Member plugin, remove the malicious script from the plugin's header and jQuery files.
  4. Clean every website that shares the same hosting account, including those that do not use the affected themes and plugins.
  5. Keep monitoring your website for malicious content, especially in its code.
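As an added example that is not part of the original article or of Sucuri's tooling, the following POSIX shell script performs the file-level part of the cleanup above on a WordPress document root. It looks for the two artifacts the article describes: files that reference the campaign's hostnames (both script generations, since reinfected sites carry both) and uploaded "images" that contain a PHP open tag, which is the dropper technique from the first section. The four hostnames are the ones the article names; the directory layout, the theme directory name `tagdiv-theme`, the file names and every sample file the fixture builds are constructed for the demonstration.

```shell
# Added example, not from the Sucuri write-up. Scans a WordPress root for
# (a) files referencing the campaign's hosts and (b) image uploads with PHP.
# Hostnames are from the article; paths, theme name and samples are constructed.

# grep -E alternation of the hosts named in the article. Dots are escaped so
# that an unrelated string such as "cdnXeeduelementsXcom" cannot match.
CAMPAIGN_HOSTS='cdn\.eeduelements\.com|cdn\.allyouwant\.online|murieh\.space|unverf\.com'

# Print, sorted, every file under $1 that references a campaign host.
# -a forces text mode so a hit inside a binary upload is still reported.
find_injected_scripts() {
    grep -rlaE "$CAMPAIGN_HOSTS" "$1" 2>/dev/null | sort
}

# Print, sorted, every file under $1/wp-content/uploads with an image
# extension that contains a PHP open tag. A real JPEG/PNG/GIF never needs
# one; a fake image used as a dropper does.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \) \
        -exec grep -laE '<\?(php|=)' {} + 2>/dev/null | sort
}

# Build a constructed fixture under $1: a clean theme file, a header carrying
# both generations of the injected script (as on a reinfected site), a clean
# plugin file, a fake JPEG with embedded PHP, and a clean PNG header.
make_fixture() {
    root=$1
    mkdir -p "$root/wp-content/themes/tagdiv-theme" \
             "$root/wp-content/plugins/ultimate-member/assets/js" \
             "$root/wp-content/uploads/2018/08"
    printf '<?php echo "clean"; ?>\n' \
        > "$root/wp-content/themes/tagdiv-theme/functions.php"
    # Script paths ("/jquery.js") are constructed, only the hosts are from the article.
    printf '<script src="https://cdn.eeduelements.com/jquery.js"></script>\n<script src="https://cdn.allyouwant.online/jquery.js"></script>\n' \
        > "$root/wp-content/themes/tagdiv-theme/header.php"
    printf 'var um = {};\n' \
        > "$root/wp-content/plugins/ultimate-member/assets/js/um-scripts.js"
    # JPEG magic bytes followed by a PHP payload: the "fake image" dropper.
    printf '\377\330\377\340JFIF\n<?php eval($_POST["c"]); ?>\n' \
        > "$root/wp-content/uploads/2018/08/photo.jpg"
    printf '\211PNG\r\n\032\n' \
        > "$root/wp-content/uploads/2018/08/logo.png"
}

# Stand-alone run: build the fixture in a temp dir, scan it, report, clean up.
main() {
    root=$(mktemp -d)
    make_fixture "$root"
    echo "Files referencing campaign hosts:"
    find_injected_scripts "$root"
    echo "Uploads carrying PHP code:"
    find_php_in_uploads "$root"
    rm -rf "$root"
}

main
```

Two caveats for real use. The "Custom HTML" widget content that step 2 refers to lives in the WordPress database, not in a file, so this scan will not see it; inspect the widget through the admin interface or query the database as step 2 describes. And because the host pattern only covers the hosts named in the article, treat a clean result as "nothing known found", not as proof the site is clean; inspect any flagged file by hand and remove the injected lines rather than deleting the whole file.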