The MoeSec Security team recently found a significant malware infection while fixing and cleaning hacked WordPress websites. This malware campaign is affecting thousands of WordPress websites, compromising their security and granting attackers unauthorized access.
This article delves deep into the malware, explaining the malicious code’s behavior, its potential damage, and how MoeSec can help protect and secure your WordPress website against such attacks.
What is the iogamesl & wp3 Malware?
The malware is a sophisticated piece of malicious code injected into compromised WordPress sites. Its goal is to exploit the WordPress admin panel and create a rogue administrative user every time the homepage is visited, giving attackers full control over the website.
Malicious Code Breakdown
Here’s the malicious code that was discovered on compromised WordPress Websites:

The domains involved so far are iogamesl[.]xyz and wp3[.]xyz; we are keeping an eye out for new variations or additional malicious domains.
The iogamesl[.]xyz domain was registered only recently:
Domain Name: IOGAMESL[.]XYZ
Creation Date: 2025-01-18T22:34:03.0Z
The injected JavaScript loads a large malicious payload from the domains above and calls several remote JS files to perform a series of malicious actions, including:
1- Checking whether a logged-in administrator is visiting the site AND that the malicious user does not already exist. If so, it tries to create a new malicious admin user called “wpx_admin” (in some variants and cases, “wpx_admixxn”).
2- If the first step succeeds, it tries to install fake plugins to maintain access to the compromised website and performs other malicious actions, serving as a backdoor.


What Does the Code Do?
- Fetches the User Creation Page: The script fetches the /wp-admin/user-new.php endpoint, which is the page used to create new WordPress users.
- Extracts the CSRF Token: It parses the returned HTML to extract the CSRF token required to submit forms on WordPress admin pages. This token is a security measure to prevent unauthorized requests.
- Creates a New Admin User: Using the stolen CSRF token, the script sends a POST request to create a new administrator account (wpx_admin or wpx_admixxn) with a predefined password.
- Installs a Fake Plugin: Downloads, installs and activates a fake plugin on the website to maintain access.
- Logs Activity: It logs successful or failed attempts to create the user through an external logging mechanism, by connecting to a PHP file on the malicious domain.
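The sequence above leaves a recognisable trace in the web server's own access log, because the script runs inside the administrator's authenticated browser: the CSRF token does not stop it (the token is read fresh from the page), but the request to /wp-admin/user-new.php arrives with a Referer pointing at a public page such as the homepage instead of the admin area. The Python below is an added example written for this article (it is not MoeSec's code nor code from the malware) that flags exactly that pattern. The combined log format and every sample line are constructed assumptions; adjust LOG_RE for your server's format.

```python
"""Flag rogue-admin creation attempts in a WordPress access log.

Added example for this article; not code from MoeSec or from the malware.
The injected script runs inside a logged-in administrator's browser, loads
/wp-admin/user-new.php to read the form token, then POSTs the create-user
form. Seen from the web server, that is a request to user-new.php whose
Referer is a public page (e.g. the homepage) instead of the admin area.
The combined log format and the sample lines below are constructed.
"""
import re
from dataclasses import dataclass

USER_NEW = "/wp-admin/user-new.php"

# Apache/nginx "combined" format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    ts: str
    method: str
    referer: str
    reason: str


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["referer"] == "-":  # "-" means no Referer header was sent
        rec["referer"] = ""
    return rec


def referer_is_admin(referer, site_host):
    """True when the request was made from a page inside the site's admin area."""
    return any(referer.startswith(f"{scheme}://{site_host}/wp-admin/")
               for scheme in ("https", "http"))


def scan(lines, site_host):
    """Return Findings for user-new.php traffic that did not originate in wp-admin."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"].split("?", 1)[0] != USER_NEW:
            continue
        from_admin = referer_is_admin(rec["referer"], site_host)
        if rec["method"] == "POST" and not from_admin:
            # The create-user form was submitted, but not from the admin UI
            # (or with no Referer at all): treat it as a rogue-admin attempt.
            findings.append(Finding(rec["ip"], rec["ts"], "POST", rec["referer"],
                                    "create-user form POSTed from outside wp-admin"))
        elif rec["method"] == "GET" and rec["referer"] and not from_admin:
            # The form (and its token) was fetched while viewing a public page.
            findings.append(Finding(rec["ip"], rec["ts"], "GET", rec["referer"],
                                    "user-new.php fetched from a public page"))
    return findings


# Constructed sample: 203.0.113.5 is an administrator browsing the infected
# homepage; 198.51.100.9 is an administrator creating a user the normal way.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Jan/2025:10:00:02 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 8800 "https://example.com/" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Jan/2025:10:00:03 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://example.com/" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Jan/2025:11:15:00 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 8800 "https://example.com/wp-admin/users.php" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Jan/2025:11:15:30 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://example.com/wp-admin/user-new.php" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Jan/2025:10:00:04 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, "example.com"):
        print(f"{f.ts} {f.ip} {f.method} referer={f.referer or '(none)'} :: {f.reason}")
```

Run it over a real log with `scan(open("access.log"), "yoursite.com")`. A POST with no Referer at all is flagged on purpose: a browser can be told to omit the header, so a create-user submission with no admin-page origin is treated as suspicious rather than ignored. Correlate the flagged timestamps with the user_registered date of any unexpected administrator account.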
Impact on WordPress Websites
- Attackers gain full administrative access to the website.
- They can modify content, inject further malware, or exfiltrate sensitive data.
- The site may be used for phishing, spam campaigns, or malicious redirects.
How to Remove This Malware
If your website is infected, follow these steps to remove the malware:
Step 1: Scan Your Website
- Use the MoeSec.com Malware Scanner to determine if your website is infected or not.
- You can also use our advanced Website Antivirus to thoroughly scan your website.
Step 2: Remove the Malicious Code
- Manually search your files & database for wp3 or iogamesl and remove the malicious code from affected files.
- Use MoeSec.com’s Malware Removal for a safer and faster cleanup.
Step 3: Review and Remove Rogue Users
- Log in to your WordPress admin panel and navigate to the Users section.
- Look for unauthorized users (e.g., wpx_admin or wpx_admixxn) and delete them.
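Steps 2 and 3 can be scripted. The Python below is an added example written for this article (it is not MoeSec's scanner or removal tool): it walks a WordPress install, plus any SQL dump placed beside it, for the two indicator domains named above and reports file and line so the injected loader can be removed by hand; it then audits the administrator list exported with `wp user list --role=administrator --format=json` against the known rogue names and an owner-maintained allowlist. The sample theme file, SQL rows, WP-CLI output, allowlist and script file names are constructed; only the indicator strings come from this article.

```python
"""Locate the injected loader and flag rogue administrators in a WordPress install.

Added example for this article (not MoeSec's tooling). Indicators come from
the advisory; the files, SQL dump, WP-CLI output and allowlist used by demo()
are constructed so the script runs offline. For a real site, call
scan_tree("/var/www/html") and feed rogue_admins() the output of
`wp user list --role=administrator --format=json`.
"""
import json
import os
import re
import tempfile

# Indicators from the advisory (defanging brackets removed so the patterns match
# the domains as they appear in injected <script> tags and database rows).
IOC_DOMAINS = ["iogamesl.xyz", "wp3.xyz"]
ROGUE_LOGINS = {"wpx_admin", "wpx_admixxn"}
SCAN_SUFFIXES = (".php", ".js", ".html", ".htm", ".sql")

IOC_RE = re.compile("|".join(re.escape(d) for d in IOC_DOMAINS), re.IGNORECASE)


def scan_text(name, text):
    """Return (name, line_no, snippet) for every line that contains an indicator."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if IOC_RE.search(line):
            hits.append((name, no, line.strip()[:120]))
    return hits


def scan_tree(root):
    """Walk a WordPress tree (and any .sql dump inside it) and collect indicator hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits.extend(scan_text(os.path.relpath(path, root), fh.read()))
    return sorted(hits)


def rogue_admins(wp_cli_users_json, allowlist):
    """Flag administrators that carry a known rogue name or are not on the allowlist.

    wp_cli_users_json is the JSON printed by
    `wp user list --role=administrator --format=json`.
    """
    flagged = []
    for user in json.loads(wp_cli_users_json):
        login = user["user_login"]
        if login in ROGUE_LOGINS:
            flagged.append((login, "known rogue account name"))
        elif login not in allowlist:
            flagged.append((login, "administrator not on allowlist"))
    return flagged


# Constructed sample install: one infected theme footer, one clean plugin file,
# and a database dump with an injected post row. Script file names are made up.
SAMPLE_FILES = {
    "wp-content/themes/demo/footer.php":
        "<?php wp_footer(); ?>\n<script src='https://iogamesl.xyz/loader.js'></script>\n</body>\n",
    "wp-content/plugins/hello.php": "<?php // harmless plugin\n",
    "dump.sql":
        "INSERT INTO wp_options VALUES (1,'siteurl','https://example.com');\n"
        "INSERT INTO wp_posts VALUES (5,'<script src=\"https://wp3.xyz/x.js\"></script>');\n",
}

# Constructed WP-CLI output: the real listing carries more fields per user.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "roles": "administrator"},
    {"ID": 7, "user_login": "wpx_admin", "roles": "administrator"},
    {"ID": 8, "user_login": "contractor", "roles": "administrator"},
])


def demo():
    """Materialise the sample install in a temp dir and run both checks over it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        hits = scan_tree(root)
    flagged = rogue_admins(SAMPLE_USERS, allowlist={"siteowner"})
    return hits, flagged


if __name__ == "__main__":
    file_hits, rogue = demo()
    for name, no, snippet in file_hits:
        print(f"IOC {name}:{no}: {snippet}")
    for login, why in rogue:
        print(f"ADMIN {login}: {why}")
```

The allowlist check matters as much as the name match: the advisory notes that account names vary between variants, so any administrator the site owner did not create should be reviewed, not only the two names seen so far. After deleting a rogue user, re-run the tree scan, since the fake plugin installed in step 4 is a separate persistence point.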
Step 4: Update WordPress and Plugins
- Ensure your WordPress core, themes, and plugins are up to date to patch vulnerabilities. Look for any fake plugins and remove them.
Step 5: Reset All Passwords
- Reset admin and user passwords to prevent further access by attackers.
How MoeSec.com Simplifies Malware Removal
MoeSec.com provides an automated and efficient solution for malware removal:
Automated Scanning:
- MoeSec’s platform scans your website for malware, detecting obfuscated and hidden malicious code in files and databases.
One-Click Cleanup:
- The Website Antivirus Engine automatically cleans your website without manual intervention, with options to request a manual investigation or cleanup.
Malware & Backdoor Detection:
- MoeSec identifies and removes persistent backdoors, cron jobs, re-infectors, etc., ensuring attackers cannot regain access.
Real-Time Monitoring:
- Continuous website monitoring prevents reinfection by detecting and blocking future threats.
How to Protect Your Website Against Future Attacks
MoeSec.com provides a comprehensive suite of tools to protect your website from malware infections. Here’s how:
1. Malware Scanner and Firewall
- Malware Scanner: Automatically detects malicious code, unauthorized changes, and suspicious activity.
- Web Application Firewall (WAF): Blocks malicious requests targeting WordPress admin pages, including /wp-admin/user-new.php.
2. Real-Time Threat Detection
- Uses advanced behavioral analysis to identify suspicious activity, such as attempts to create rogue admin accounts.
3. Automatic Malware Removal
- MoeSec.com’s automated tools can safely remove malware without affecting your site’s functionality.
4. Two-Factor Authentication (2FA)
- Adds an extra layer of security to your admin login to prevent unauthorized access. You can protect your admin panel or restrict access to sensitive areas by using our website firewall.
5. Regular Backups
- MoeSec’s automated backup system ensures you can quickly restore your site in case of an infection, hosting issues, or disaster. We offer 2GB of FREE secure off-site backups with any website security plan!
6. 24/7 Security Support
- MoeSec’s team of security experts provides round-the-clock assistance for malware removal and prevention.
This malware is a stark reminder of the evolving threats faced by WordPress website owners. With thousands of websites already compromised, it’s critical to take action to secure your site.
Don’t wait until it’s too late—visit MoeSec.com today and safeguard your website against the next wave of attacks!