On February 8th, 2018, we noticed a new wave of WordPress infections involving two malicious plugins: injectbody and injectscr. These plugins inject obfuscated scripts, creating unwanted pop-up/pop-unders. Whenever a visitor clicks anywhere on an infected web page, they are served questionable ads.
The malicious plugins possess a very similar file structure:
- injectbody.php: 2146 bytes (the plugin code)
- injectscr.php: 1319 bytes (the plugin code)
The functionality of these plugins are also very similar.