Vulnerabilities within WordPress can lead to compromise, and oftentimes known vulnerabilities are utilized to infect WordPress sites with more than one infection. It is common for out of date websites to be attacked by multiple threat actors or targeted by the same attacker using multiple different channels.
We recently came across a database injection that has two different pieces of malware accomplishing two unrelated goals. The first injection redirects users to a spammy sports website and the second injection boosts authority of a spammy casino website within search engines.
So far, roughly 270 sites have been impacted by the first injection, while 82 sites have been impacted by the second. Both pieces of malware can be found scattered throughout a WordPress database but they each accomplish different tasks.
Let’s look at the two injections.
The first injection can be found sprinkled throughout a WordPress database:
<meta http-equiv="Refresh" content="60; URL=hxxp://redirect4[.]xyz/">
Let’s review what this injection is doing.
The domain found on the first line is not the final destination of the attack; it simply performs the heavy lifting of the redirect. First, the browser is instructed to wait 60 seconds, then it is redirected to hxxp://redirect4[.]xyz. From there, the unknowing user is redirected again and lands on the following spam domain once the first redirect completes:
hxxp://pontiarmada[.]com
The spam site hxxp://pontiarmada[.]com has injected iframes to disseminate malware to unknowing visitors.
The second injection can also be found sprinkled throughout the WordPress database:
<style type="text/css"> dofollow { display: none; } </style> <dofollow><a href="hxxp://nomortogelku[.]xyz/" rel="external" alt="nomortogelku" title="nomortogelku">nomortogelku[.]xyz</a> <a href="http://207[.]106[.]22[.]48/" rel="external" alt="Nomor Togel Hari Ini" title="Nomor Togel Hari Ini">Nomor Togel Hari Ini</a></dofollow>
Let’s discuss what this database injection is doing.
The domain hxxp://nomortogelku[.]xyz is a gambling casino site using a common method to boost its authority in search engines. The black hat SEO tactic this attacker used places an invisible link throughout the compromised website to increase its domain authority and appear more legitimate.
Both of these injections are found scattered throughout WordPress databases, oftentimes in the posts table.
[Screenshot of the affected site]
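As an added example (not code from the Sucuri post), here is a small Python scanner that looks for both injection patterns in exported post content: a meta-refresh tag with its delay and target, and anchors wrapped in an element that an inline stylesheet hides with display:none. The sample rows are constructed to mirror the two fragments quoted above and keep the hxxp:// and [.] defanging; in practice you would feed it rows pulled from wp_posts with mysql or WP-CLI, which this example assumes rather than performs.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample wp_posts rows (ID, post_content). Rows 2 and 3 carry the two
# injected fragments quoted in the post; the defanged hxxp:// and [.] notation is kept.
SAMPLE_POSTS: List[Tuple[int, str]] = [
    (1, "<p>Welcome to our site.</p>"),
    (2, '<p>Match schedule</p><meta http-equiv="Refresh" content="60; URL=hxxp://redirect4[.]xyz/">'),
    (3, '<style type="text/css"> dofollow { display: none; } </style> '
        '<dofollow><a href="hxxp://nomortogelku[.]xyz/" rel="external" title="nomortogelku">nomortogelku[.]xyz</a> '
        '<a href="http://207[.]106[.]22[.]48/" rel="external" title="Nomor Togel Hari Ini">Nomor Togel Hari Ini</a></dofollow>'),
    (4, '<p>See <a href="https://example.org/partners">our partners</a>.</p>'),
]

META_REFRESH = re.compile(
    r'<meta\b[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']*)["\']',
    re.IGNORECASE)
# Simplified: catches "tagname { ... display: none ... }" selectors, which is how the
# second injection hides its <dofollow> wrapper. Class-based hiding is out of scope here.
HIDDEN_SELECTOR = re.compile(r'([A-Za-z][\w-]*)\s*\{[^}]*display\s*:\s*none', re.IGNORECASE)
ANCHOR_HREF = re.compile(r'<a\b[^>]*href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Domain extension the post singles out as heavily abused; extend the tuple as needed.
WATCHED_TLDS = (".xyz",)


def refang(url: str) -> str:
    """Turn defanged notation (hxxp, [.]) back into a comparable URL string."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def find_meta_refresh(html: str) -> List[Tuple[int, str]]:
    """Return (delay_seconds, target_url) for every meta-refresh tag in the HTML."""
    hits = []
    for content in META_REFRESH.findall(html):
        delay, _, rest = content.partition(";")
        url = rest.strip()
        if url.lower().startswith("url="):
            url = url[4:].strip()
        try:
            hits.append((int(delay.strip()), refang(url)))
        except ValueError:
            continue  # malformed delay value; skip rather than guess
    return hits


def find_hidden_links(html: str) -> List[str]:
    """Return hrefs of anchors wrapped in an element that inline CSS sets to display:none."""
    hidden_tags = {name.lower() for name in HIDDEN_SELECTOR.findall(html)}
    links = []
    for tag in hidden_tags:
        block = re.compile(rf'<{tag}\b[^>]*>(.*?)</{tag}\s*>', re.IGNORECASE | re.DOTALL)
        for inner in block.findall(html):
            links.extend(refang(h) for h in ANCHOR_HREF.findall(inner))
    return links


def domain_of(url: str) -> str:
    m = re.match(r'https?://([^/:?#]+)', url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def watched_tld(url: str) -> bool:
    return domain_of(url).endswith(WATCHED_TLDS)


def scan_posts(rows: List[Tuple[int, str]]) -> List[Dict[str, object]]:
    """Flag posts containing either injection pattern; one finding per indicator."""
    findings = []
    for post_id, content in rows:
        for delay, url in find_meta_refresh(content):
            findings.append({"post_id": post_id, "kind": "meta_refresh", "delay": delay,
                             "url": url, "watched_tld": watched_tld(url)})
        for url in find_hidden_links(content):
            findings.append({"post_id": post_id, "kind": "hidden_link",
                             "url": url, "watched_tld": watched_tld(url)})
    return findings


if __name__ == "__main__":
    for finding in scan_posts(SAMPLE_POSTS):
        print(finding)
```

Run against the constructed rows, the scanner reports post 2 for the 60-second refresh to redirect4.xyz and post 3 for the two hidden links, flagging the .xyz targets; the clean posts produce nothing. The regexes are deliberately narrow to the two patterns the post describes, so treat a hit as a reason to inspect the row, not as proof of compromise on its own.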
One characteristic both injections have in common is the domain extension used, .xyz. The .xyz domain extension is commonly used by attackers, and the number of malicious domains using this extension increases every day. Threat actors cycle through domains often — and domains with the .xyz extension tend to be cheap for the first year, which is a leading theory as to why this extension is so widely used.
These two infections found on the same site provide an example of how threat actors can disseminate different types of malware through the same site, or how different attackers can take advantage of the same vulnerability to infect the same WordPress site.
WordPress sites are often taken advantage of by threat actors when a vulnerability is present or an admin user is compromised. Once an attacker gains access to a website they can easily disseminate malware, and oftentimes they use their leverage to distribute malware through multiple channels.
Many threat actors even monetize the same vulnerable website with different types of malware to take full advantage of their access. As a result, it is not uncommon to find a variety of malware on the same infected website.
Vulnerable WordPress plugins and themes are one of the leading causes of infection and reinfection. When these vulnerabilities are present, multiple different threat actors may take advantage and spread their malware to unpatched sites.
It can be common to see different infections on the same site from different attackers, especially when a website is impacted by a high-grade and common vulnerability, like a vulnerability on a popular plugin downloaded by thousands of users.
Taking advantage of a vulnerable WordPress site by injecting different types of malware is a common tactic used by attackers. Infections can harm a website’s credibility and disrupt high SEO rankings.
Keep your WordPress website safe by following these mitigation strategies:
And if you believe your site has been compromised or injected with malicious scripts, we can help! Reach out to our support team for assistance and we can get the malware cleaned up for you.
https://blog.sucuri.net/