What We Found

The malware was discovered in the wp-config.php file of infected WordPress installations. The malicious code is injected at the very beginning of the file, which is a crucial configuration file for WordPress. The specific code injected includes: These scripts attempt to load external JavaScript files from the domains cache.cloudswiftcdn.com and assets.scontentflow.com. Upon visiting these URLs, we found complex scripts that incorporate Yandex.Metrica and Matomo (formerly Piwik) Analytics, both of which are legitimate web analytics services. However, their usage in this context is malicious and unauthorized.

Understanding the Malicious Code

Here's a detailed breakdown of what the injected code does:
1. Loading External Scripts:

• The scripts load additional JavaScript from external sources. These scripts collect detailed user interaction data, including page views, clicks, and user sessions.

2. Yandex.Metrica Integration:

• Tracks user clicks, link interactions, and enables the WebVisor feature, which records user sessions.
• Sends tracking data to Yandex.Metrica servers.

3. Matomo Analytics Integration:

• Initializes Matomo to track page views and link clicks.
• Sets the tracker URL and site ID, then loads the Matomo script asynchronously.

Potential Impact on Your Website

1. WP Toolkit Warnings: WP Toolkit will show your site as broken due to the presence of this malicious code. While the website might appear to function normally, the unauthorized scripts can compromise security and user data.

2. Privacy Violations: The malware collects user data without consent, posing significant privacy risks.
3. Data Leakage: Sensitive user interaction data is sent to external servers, potentially exposing private information.
4. Performance Issues: Loading additional scripts can slow down your website, leading to a poor user experience.
5. Trust and Reputation: Detection of unauthorized tracking can damage the reputation and trustworthiness of your website.

Immediate Steps to Take

1. Remove the Malicious Code: Check your wp-config.php file for the injected scripts and remove them immediately.
2. Conduct a Security Scan: Use a comprehensive security plugin (like Wordfence or Sucuri) to scan your website for additional malware.
3. Update Credentials: Change all relevant passwords, including WordPress admin, database, and FTP credentials.
4. Implement Security Measures:

• Keep WordPress, themes, and plugins updated.
• Use strong, unique passwords.
• Enable two-factor authentication for admin accounts.
• Regularly back up your website and store backups securely.

Enhancing Your Website Security

To prevent future infections, consider the following security enhancements:

• Security Plugins: Install and configure security plugins to monitor and protect your site.
• Regular Updates: Keep your WordPress core, themes, and plugins up to date to avoid vulnerabilities.
• Strong Passwords: Use strong, unique passwords and change them regularly.
• Two-Factor Authentication: Enable two-factor authentication for an added layer of security.
• Regular Backups: Regularly back up your website and ensure backups are stored securely.

Conclusion

We take the security of your websites very seriously and are committed to providing the necessary support and resources to keep your data safe. If you suspect your website has been infected or if you need assistance with securing your site, please reach out to our support team immediately.