A well-known threat actor, tracked as MUT-1244, has stolen approximately 390,000 WordPress credentials in a sophisticated, long-running campaign built around a trojanized WordPress credential-checking tool aimed at other malicious actors.
Researchers at Datadog Security Labs, who first detected the attacks, report that SSH private keys and AWS access keys were also stolen from the compromised systems of hundreds of other victims, including benign parties such as red teamers, penetration testers and security researchers as well as malicious actors.
The victims were compromised through identical second-stage payloads delivered from dozens of trojanized GitHub repositories that purported to contain proof-of-concept (PoC) exploits for known vulnerabilities.
Alongside phishing emails that tricked targets into running malware, the threat actors also deceived security experts and threat analysts looking for exploit code for specific vulnerabilities by passing the repositories off as legitimate.
Threat actors have historically targeted researchers to steal valuable research or to gain access to the networks of cybersecurity organizations.
Because of their misleading names, several of these repositories were picked up by reputable sources such as Feedly Threat Intelligence or Vulnmon as proof-of-concept exploits for the vulnerabilities they claim to cover, the researchers note. This lends them perceived legitimacy and raises the likelihood that someone will run them.
The payloads were delivered via the GitHub repositories using several tactics: backdoored configuration files in projects built from source, malicious PDF documents, Python droppers, and tainted npm packages pulled in as project dependencies.
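A tainted npm dependency only needs an install-time lifecycle script to run code the moment someone types `npm install` in a cloned PoC repository. The following is an added example (not code from Datadog Security Labs or from the repositories described) showing the check a reviewer can run over a project's `node_modules` tree before trusting it: it lists every installed package whose manifest declares a `preinstall`, `install` or `postinstall` script. The sample tree built by `build_sample_tree()` is constructed for demonstration; the package names in it are made up.

```python
"""Audit an npm project's installed dependencies for install-time lifecycle scripts.

Added example for this article, not code from Datadog Security Labs or from the
campaign it describes. The scan walks a standard node_modules layout; the sample
tree built by build_sample_tree() is constructed, with made-up package names.
"""
import json
import os
import tempfile

# npm runs these hooks automatically during `npm install` unless --ignore-scripts is set.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(node_modules):
    """Return sorted (package name, hook, command) triples for every package
    manifest under node_modules that declares an install-time script."""
    findings = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # an unreadable or malformed manifest is not itself a finding
        name = manifest.get("name") or os.path.relpath(root, node_modules)
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, hook, scripts[hook]))
    return sorted(findings)


def build_sample_tree():
    """Constructed node_modules tree: one plain package and one that declares a
    postinstall hook. Returns the node_modules path."""
    node_modules = os.path.join(tempfile.mkdtemp(), "node_modules")
    manifests = {
        "plain-dep": {"name": "plain-dep", "version": "1.0.0"},
        "hooked-dep": {"name": "hooked-dep", "version": "2.1.0",
                       "scripts": {"postinstall": "node setup.js"}},
    }
    for folder, manifest in manifests.items():
        os.makedirs(os.path.join(node_modules, folder))
        with open(os.path.join(node_modules, folder, "package.json"), "w",
                  encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return node_modules


if __name__ == "__main__":
    for name, hook, command in find_install_hooks(build_sample_tree()):
        print(f"{name}: {hook} -> {command}")
```

In practice, install an unfamiliar repository with `npm install --ignore-scripts` inside a throwaway VM, run the scan over the resulting `node_modules`, and read every listed command before allowing the hooks to execute; a hook is not proof of malice, but it is exactly where a supply-chain payload gets its first execution.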
According to Datadog Security Labs, the campaign overlaps with a years-long supply-chain attack in which the “hpc20235/yawpp” GitHub project carried malicious code through the “0xengine/xmlrpc” npm package, designed to steal sensitive information and mine Monero cryptocurrency.
The malware used in these attacks consisted of a cryptocurrency miner and a backdoor that let MUT-1244 collect and exfiltrate sensitive data, including private SSH keys, AWS credentials, and configuration files such as those in the “~/.aws” directory.
A second-stage payload hosted on a separate server sent the stolen data to file-sharing services such as Dropbox and file.io using credentials hardcoded in the malware; once discovered, those same hardcoded credentials also provided ready access to the exfiltrated data.
MUT-1244's malware gave access to approximately 390,000 suspected WordPress credentials. Datadog Security Labs researchers believe that, before these credentials were uploaded to Dropbox, they were already in the possession of malicious actors who had likely obtained them through illegitimate means.
Those actors were compromised when they used the yawpp tool to check whether their credentials were valid. Since MUT-1244 advertised yawpp as a “credentials checker” for WordPress, it is unsurprising that an attacker holding stolen credentials, often bought on illicit markets to speed up their operations, would use yawpp to validate them.
The attackers capitalised on naivety within the cybersecurity community, compromising dozens of machines belonging to both white-hat and black-hat hackers who ran the malicious code, resulting in the theft of sensitive data including SSH keys, AWS access tokens, and command-line history.
According to Datadog Security Labs, many of the compromised systems remain compromised, and new ones continue to be compromised as part of the ongoing campaign.
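The data stolen in this campaign (private SSH keys, AWS credentials under `~/.aws`, shell history) is whatever the user who ran the PoC could read. The following added example, not code from Datadog Security Labs or from the MUT-1244 tooling, is the inventory a defender can run on a workstation to see what that exposure would be: it lists SSH private keys and whether they are passphrase-protected, AWS profiles and whether they hold long-lived access keys, and history files that could leak commands. The home directory built by `build_sample_home()` is constructed, the key blobs in it are not usable keys, and the AWS key id is a placeholder.

```python
"""Inventory the credential material an infostealer running as the current user could read.

Added example for this article; not code from Datadog Security Labs or from the
tooling it describes. It checks the locations the article names under one home
directory. build_sample_home() creates a constructed directory with fake key
blobs and placeholder AWS values for demonstration.
"""
import base64
import configparser
import os
import tempfile

HISTORY_FILES = (".bash_history", ".zsh_history")
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def openssh_key_encrypted(blob):
    """For an 'openssh-key-v1' blob, the field right after the magic is a
    length-prefixed cipher name; 'none' means the key is stored in the clear.
    Returns True/False, or None if the blob is not in that format."""
    body = b"".join(line.strip() for line in blob.splitlines()
                    if not line.startswith(b"-----"))
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:
        return None
    if not raw.startswith(OPENSSH_MAGIC):
        return None
    pos = len(OPENSSH_MAGIC)
    n = int.from_bytes(raw[pos:pos + 4], "big")
    return raw[pos + 4:pos + 4 + n] != b"none"


def classify_key(path):
    """Return 'unencrypted', 'passphrase-protected' or 'unknown' for a private
    key file, or None if the file is not a private key at all."""
    with open(path, "rb") as fh:
        blob = fh.read()
    if b"PRIVATE KEY" not in blob:
        return None
    if b"BEGIN OPENSSH PRIVATE KEY" in blob:
        enc = openssh_key_encrypted(blob)
    else:  # legacy PEM keys flag encryption in a 'Proc-Type: 4,ENCRYPTED' header
        enc = b"ENCRYPTED" in blob
    return {True: "passphrase-protected", False: "unencrypted", None: "unknown"}[enc]


def loose_permissions(path):
    """True if group or other have any permission bits on the file."""
    return bool(os.stat(path).st_mode & 0o077)


def audit_home(home):
    """Return (category, path relative to home, detail) findings."""
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    if os.path.isdir(ssh_dir):
        for name in sorted(os.listdir(ssh_dir)):
            path = os.path.join(ssh_dir, name)
            kind = classify_key(path) if os.path.isfile(path) else None
            if kind:
                perm = "loose permissions" if loose_permissions(path) else "owner-only"
                rel = os.path.relpath(path, home).replace(os.sep, "/")
                findings.append(("ssh-private-key", rel, f"{kind}, {perm}"))
    creds = os.path.join(home, ".aws", "credentials")
    if os.path.isfile(creds):
        cfg = configparser.ConfigParser()
        cfg.read(creds)
        for profile in cfg.sections():
            if not cfg.has_option(profile, "aws_access_key_id"):
                detail = "no static key"
            elif cfg.has_option(profile, "aws_session_token"):
                detail = "temporary credentials"
            else:
                detail = "long-lived access key"  # survives a one-off theft indefinitely
            findings.append(("aws-credentials", ".aws/credentials", f"profile {profile}: {detail}"))
    for name in HISTORY_FILES:
        path = os.path.join(home, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                count = sum(1 for _ in fh)
            findings.append(("shell-history", name, f"{count} lines"))
    return findings


def fake_openssh_key(encrypted):
    """Constructed blob carrying only the header fields the parser reads; not a usable key."""
    cipher = b"aes256-ctr" if encrypted else b"none"
    raw = OPENSSH_MAGIC + len(cipher).to_bytes(4, "big") + cipher
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")


def build_sample_home():
    """Constructed home directory: one clear-text OpenSSH key, one encrypted PEM
    key, a public key, a placeholder AWS profile and a short history file."""
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, ".ssh"))
    os.makedirs(os.path.join(home, ".aws"))
    files = {
        os.path.join(".ssh", "id_ed25519"): fake_openssh_key(encrypted=False),
        os.path.join(".ssh", "id_rsa"): b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                                       b"(constructed, not a real key)\n-----END RSA PRIVATE KEY-----\n",
        os.path.join(".ssh", "id_ed25519.pub"): b"ssh-ed25519 AAAA constructed@example\n",
        os.path.join(".aws", "credentials"): b"[default]\naws_access_key_id = AKIA-PLACEHOLDER\n"
                                             b"aws_secret_access_key = placeholder\n",
        ".bash_history": b"ls\ncat ~/.aws/credentials\n",
    }
    for rel, content in files.items():
        with open(os.path.join(home, rel), "wb") as fh:
            fh.write(content)
    return home


if __name__ == "__main__":
    for category, rel, detail in audit_home(build_sample_home()):
        print(f"{category:18} {rel:22} {detail}")
```

Run `audit_home(os.path.expanduser("~"))` on a real workstation to see the same report for your own account. The useful outcome is remediation before an incident: clear-text SSH keys get a passphrase, long-lived `AKIA` keys are replaced with short-lived credentials (for example via SSO or role assumption), and history files are excluded or trimmed, so that a stolen home directory is worth far less to whoever receives the Dropbox upload.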