Ongoing "wp3[.]xyz" Campaign Activity

    Date: 01/24/2025

    Severity: High

    Summary

    This campaign uses scripts served from the domain wp3[.]xyz, injected into compromised WordPress sites to steal sensitive data such as admin login credentials. Our telemetry shows activity beginning as early as October 2024, with over 10,000 websites compromised and infections peaking in December 2024. We identified more than a dozen polymorphic JavaScript samples; they differ only in minor elements such as log statements, which changes each sample's hash and lets it evade hash-based detection. The domain wp3[.]xyz, re-registered on October 3, 2024, is hosted on 192.142.10[.]6 (Ultrahost, Inc., NL), an IP address associated with other malicious .xyz domains.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    wp3.xyz/a.js

    wp3.xyz/aok.js

    wp3.xyz/g7.js

    wp3.xyz/g8.js

    wp3.xyz/plugin.php

    wp3.xyz/tdw.js

    wp3.xyz/tdwx.js

    IP Address:

    192.142.10.6

    Hash:


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains / URLs:

    userdomainname like "wp3.xyz/a.js" or url like "wp3.xyz/a.js" or userdomainname like "wp3.xyz/aok.js" or url like "wp3.xyz/aok.js" or userdomainname like "wp3.xyz/g7.js" or url like "wp3.xyz/g7.js" or userdomainname like "wp3.xyz/g8.js" or url like "wp3.xyz/g8.js" or userdomainname like "wp3.xyz/plugin.php" or url like "wp3.xyz/plugin.php" or userdomainname like "wp3.xyz/tdw.js" or url like "wp3.xyz/tdw.js" or userdomainname like "wp3.xyz/tdwx.js" or url like "wp3.xyz/tdwx.js"

    IP Address:

    dstipaddress IN ("192.142.10.6") or ipaddress IN ("192.142.10.6") or publicipaddress IN ("192.142.10.6") or srcipaddress IN ("192.142.10.6")

    Hash:

    sha256hash IN ("019d52c689ccff70be8368e1aa277953818747e5b156002ff2e2174847eec6b3","0787e48cfc94bceddd7eeeaa86851f85754eb832ae90a0e98af9c288c8b842aa","4c13d452dd5d49671bd93ca32f2b4f85c78e39b6ab0ad1f38d98ed267f8fd896","4e90c55877e907f8661bde60e88f91a3e3585cc681302b6e9b5befe5c9446cb5","90dec6770153604ff7cf540f07e605be04d0db20286445bbc6663ace531637a7","a089f0e9525fe2df4f6a6b722f958f4dcccb9b1afff138fcc20a39585c99daf9","a2ce9b0f328753bc97c634a049623aa22b505c8444f9970b2e84c2e5c80078c3","c71469841afdd4be5fd6ef5825242de88fb339f1b00e002a62c346a69a99a3c0","e2b007d1590d0657a329a332f0186a92f8a64e23f0ad021b688578505c11330d","f03c0670f568500be8ad9222830517bb88ffa539ded1a5f988cb2ff103ceb3bb","f6ea414298f8f7343c7f27b0b0c3b448e3b4afc7afaf4c7773b42fc1f1fe63dc")
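    The detection queries above and the polymorphism described in the summary, as an added example that is not part of this advisory or of Gurucul's tooling: the script runs the URL and IP indicators over a few constructed proxy log lines, matching on the parsed hostname rather than a substring and flagging any path on the domain (which goes beyond the listed paths), and computes a normalized hash that strips log statements, comments and whitespace so variants that differ only there collapse to one value. The key=value log format, the sample scripts and the field names are constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

IOC_DOMAIN = "wp3.xyz"            # indicator from the advisory
IOC_IPS = {"192.142.10.6"}        # indicator from the advisory

def url_matches_ioc(url):
    """Match on the parsed hostname so lookalikes such as wp3.xyz.example.net
    are not flagged, while any path on the real domain is."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN)

def scan_log(lines):
    """Return the constructed key=value log lines whose url or dst field hits an indicator."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if url_matches_ioc(fields.get("url", "")) or fields.get("dst") in IOC_IPS:
            hits.append(line)
    return hits

def normalize_js(source):
    """Drop block comments, line comments (but not the // inside URLs), console.*
    statements and all whitespace, so samples differing only there collapse."""
    s = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    s = re.sub(r"(?<!:)//[^\n]*", "", s)
    s = re.sub(r"console\.\w+\s*\([^;]*\)\s*;?", "", s)
    return re.sub(r"\s+", "", s)

def raw_sha256(source):
    return hashlib.sha256(source.encode()).hexdigest()

def normalized_sha256(source):
    return raw_sha256(normalize_js(source))

# Constructed proxy log lines (not real telemetry).
SAMPLE_LOG = [
    "ts=2024-12-02T10:01:07Z src=10.0.0.5 dst=192.142.10.6 url=https://wp3.xyz/tdw.js",
    "ts=2024-12-02T10:01:09Z src=10.0.0.5 dst=203.0.113.10 url=https://example.org/theme.js",
    "ts=2024-12-02T10:02:41Z src=10.0.0.8 dst=198.51.100.7 url=https://wp3.xyz.example.net/a.js",
    "ts=2024-12-02T10:03:00Z src=10.0.0.9 dst=192.142.10.6 url=http://other.example/x",
]
# Two constructed variants that differ only in a log statement, spacing and a comment.
SAMPLE_A = 'var u="https://wp3.xyz/plugin.php";console.log("init");fetch(u);'
SAMPLE_B = 'var u = "https://wp3.xyz/plugin.php";\nconsole.log("v2 loaded"); // changed\nfetch(u);'
```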

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-23-IOCs-for-wp3-xyz-activity.txt


    Tags

    Malware
