Mal.Metrica Malware Hijacks 17,000+ WordPress Sites

Infected websites mimic legitimate human verification prompts (CAPTCHAs) to trick users, who often request seemingly innocuous clicks, resembling past CAPTCHA challenges. 

Clicking initiates a malicious redirect, exposing users to scams or malware exploiting user familiarity with CAPTCHAs, bypassing suspicion, and increasing the click-through rate for fraudulent purposes.  

Attackers are using a novel technique to redirect users to malicious domains, and instead of injecting malicious code directly into the website, they create an image overlay that appears as a verification prompt. 

Document

Integrate ANY.RUN in Your Company for Effective Malware Analysis

Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:

  • Real-time Detection
  • Interactive Malware Analysis
  • Easy to Learn by New Security Team members
  • Get detailed reports with maximum data
  • Set Up Virtual Machine in Linux & all Windows OS Versions
  • Interact with Malware Safely

If you want to test all these features now with completely free access to the sandbox:

The image contains a link to the attacker’s domain (rapid.tmediacontent.com).

When a user clicks the image, they are redirected through a chain of redirects before ending up on the malicious website.

This makes it difficult to detect the attack because the malicious code is not part of the original website’s code. 

redirect chain in the browser developer tools
redirect chain in the browser developer tools

Mal.Metrica, a large malware campaign, injects malicious scripts into vulnerable WordPress plugins masquerading as legitimate CDN or web analytics services to avoid detection. 

The malware leverages Yandex.Metrica to track the performance of these injections.

Since 2023, Mal.Metrica has exploited vulnerabilities in tagDiv Composer, Popup Builder, WP Go Maps, and Beautiful Cookie Consent Banner, infecting over 17,449 websites in 2024 alone. 

Researchers at Sucuri recently identified the threat actors behind Mal.Metrica, highlighting the connection between unpatched vulnerabilities and widespread malware infections.

fake verification prompts
fake verification prompts

A high-severity vulnerability (CVSS 7.5) in the popular WordPress theme “Responsive” allowed attackers to inject malicious code into websites’ footer sections. The vulnerability was identified in March 2024 and has since been patched. 

Attackers exploited the flaw by inserting unauthorized links into the footer copyright area, potentially for malicious purposes.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free.

The latest version of the theme addresses this issue, as documented in the changelog.txt file. 

changelog.txt file
changelog.txt file

Clicking “Allow” on a fake CAPTCHA triggers a series of browser notification prompts disguised as legitimate security checks.

These deceptive prompts act as a gateway, initiating a chain of redirects that ultimately land users on malicious websites. 

Bogus Websites
Bogus Websites

The malicious websites employ various social engineering tactics to trick users into compromising their security and privacy.

Some common scams include malware downloads disguised as essential software updates, phishing attempts that lure users into surrendering personal information, and fraudulent investment opportunities involving cryptocurrency

Additionally, these scammy pop-ups can bombard users with further notifications, each notification functioning as a springboard to yet another bogus website designed to exploit unsuspecting victims.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide