Nearly 5,500 WordPress sites are infected with a malicious script that logs keystrokes and sometimes loads an in-browser cryptocurrency miner.

The malicious script is being loaded from the "cloudflare.solutions" domain, which is not affiliated with Cloudflare in any way, and logs anything that users type inside form fields as soon as the user switches away from an input field.

The script is loaded on both a site's frontend and backend, meaning it can also log usernames and passwords when logging into a site's admin panel.

Keylogger on WordPress site

The script is also dangerous when left to run on the frontend. While on most WordPress sites the only place it could steal user data is from comment fields, some WordPress sites are configured to run as online stores. In these instances, attackers can log credit card data and personal user details.

Most of these incidents occurred because hackers compromised WordPress sites through various means and hid the malicious script inside functions.php, a standard file found in all WordPress themes.

Attacker(s) has been active since April

These attacks aren't new. Sucuri has tracked at least three different malicious scripts hosted on the cloudflare.solutions domain.

The first one took place in April, and attackers used the malicious JavaScript file to embed banner ads on hacked sites.

By November, the same group had changed tactics and was loading malicious scripts disguised as fake jQuery and Google Analytics JavaScript files that were actually a copy of the Coinhive in-browser cryptocurrency miner. By November 22, that campaign was spotted on 1,833 sites.

In this latest series of attacks, also detected by Sucuri, hackers have kept the cryptojacking script in place, but have also added the keylogger component.

Script active on nearly 5,500 WordPress sites

According to PublicWWW, this malicious script version is currently active on 5,496 sites, most ranked outside the Alexa Top 200,000.

The two malicious scripts that are known to load the keylogger are:

< script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/reconnecting-websocket/1.0.0/reconnecting-websocket.js' >< /script >

< script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/cors/cors.js' >< /script >

The stolen data is sent to a remote websocket at wss://cloudflare[.]solutions:8085/.

Sucuri experts provide the following mitigation advice for owners who spot scripts loaded on their sites from the cloudflare.solutions domain.

As we already mentioned, the malicious code resides in the function.php file of the WordPress theme. You should remove the add_js_scripts function and all the add_action clauses that mention add_js_scripts. Given the keylogger functionality of this malware, you should consider all WordPress passwords compromised so the next mandatory step of the cleanup is changing the passwords (actually it is highly recommended after any site hack). Don’t forget to check your site for other infections too.