A sophisticated attack has been identified involving over 10,000 WordPress websites delivering cross-platform malware to unsuspecting users.
The attack exploits vulnerable WordPress websites to display fake Google Chrome update pages, tricking visitors into downloading malicious software.
Cross-Platform Malware Delivered via Client-Side Attacks
The malware targets both macOS and Windows users, deploying the AMOS (Atomic macOS Stealer) for macOS systems and SocGholish for Windows.
These are commercially available malware variants, often marketed on platforms like Telegram.
The attack represents a significant escalation in threat sophistication, leveraging client-side JavaScript to generate fake update prompts in the victim’s browser via an iframe.
The attackers utilized outdated WordPress software and plugins to conceal their activities from traditional threat detection tools.
Notably, this marks one of the first known instances where such malware has been deployed through client-side attacks.
Technical Insights Into the Attack
Through advanced detection mechanisms, a malicious JavaScript file hosted on a third-party domain was uncovered, initiating the investigation.
The obfuscated script, located at https://deski.fastcloudcdn[.]com, dynamically injects malicious iframes into compromised sites.
Further analysis uncovered 27 associated malicious domains, such as blacksaltys[.]com, objmapper[.]com, and rednosehorse[.]com.
The script executes several malicious actions, including halting all browser activity, stripping key attributes from HTML elements, and embedding a fake browser update prompt via dynamically created iframes.
Additionally, attackers deploy DNS-prefetch instructions to improve the loading speed of the malicious domains.
The macOS malware, AMOS, is delivered as a .dmg file via a dynamically generated download link.
A JavaScript snippet automates the process by embedding a download button that listens for a “message” event to trigger the download.
The malware file was analyzed and flagged by only a limited number of antivirus tools at the time of discovery, demonstrating the sophistication of its obfuscation techniques.
According to the C-Side report, the widespread nature of this campaign highlights critical vulnerabilities in web supply chains.
WordPress site administrators are advised to immediately update their core installations and plugins, removing outdated or unused components to minimize the attack surface.
Additionally, administrators should thoroughly review server logs from the past 90 days for indicators of compromise, including suspicious script injections or unauthorized file modifications.
For affected end-users, performing a comprehensive system cleanup is strongly recommended, especially if any downloads occurred from the compromised sites.
Employing advanced client-side security tools, such as c/side’s detection engine, can provide early warnings and block similar attacks in the future.
This attack underscores the importance of maintaining robust cybersecurity hygiene, including timely software updates and deploying tools to monitor and protect against client-side threats.
As the digital landscape evolves, proactive measures are essential to prevent such incidents from impacting businesses and individuals on a large scale.
