Analysts at Sucuri have been monitoring a malicious campaign that has its roots in the cloudflare.solutions domain for quite some time now. Of course, this domain has nothing to do with the real Cloudflare company, and malicious scripts are distributed from it that work like a keylogger and steal all the data that users enter into various forms. Also, scripts are sometimes uploaded to infected sites by a cryptocurrency miner.
First of all, attackers are interested in sites running WordPress, they are the main target of the group. Criminals compromise such resources in a variety of ways, and then hide their scripts, for example, in the functions.php file.
Even worse, experts note that malicious scripts are loaded both on the front end and on the back end of sites, that is, among other things, they are able to intercept logins and passwords that users enter during login to the admin. On the front end, scripts most often steal information from the comment form. Also, do not forget that many online stores operate on the basis of WordPress, that is, bank card numbers and other personal data of users are at risk.
According to PublicWWW , malicious scripts of an unknown group are currently present on 5496 resources (out of the 200,000 most popular sites according to Alexa). The script with keylogger functionality looks like this: That is, all stolen data is transferred to wss://cloudflare[.]solutions:8085/.