Vulnerabilities within WordPress can lead to compromise, and oftentimes known vulnerabilities are utilized to infect WordPress sites with more than one infection. It is common for out-of-date websites to be attacked by multiple threat actors, or targeted by the same attacker using multiple different channels.
We recently came across a database injection that has two different pieces of malware accomplishing two unrelated goals. The first injection redirects users to a spammy sports website and the second injection boosts authority of a spammy casino website within search engines.
So far, roughly 270 sites have been impacted by the first injection, while 82 sites have been impacted by the second. Both pieces of malware can be found scattered throughout a WordPress database but they each accomplish different tasks.
Let’s look at the two injections.
The first injection can be found sprinkled throughout a WordPress database:
<meta http-equiv="Refresh" content="60; URL=hxxp://redirect4[.]xyz/">
Let’s review what this injection is doing.
The domain found on the first line is not the final destination of the attack; it simply performs the heavy lifting of the redirect. First, the browser is instructed to wait 60 seconds, then a redirect occurs to the domain hxxp://redirect4[.]xyz. The unknowing user is then redirected again and lands on the following spam domain once the first redirect completes:
hxxp://pontiarmada[.]com
The spam site hxxp://pontiarmada[.]com has injected iframes to disseminate malware to unknowing visitors.
The second injection can also be found sprinkled throughout the WordPress database:
<style type="text/css"> dofollow { display: none; } </style> <dofollow><a href="hxxp://nomortogelku[.]xyz/" rel="external" alt="nomortogelku" title="nomortogelku">nomortogelku[.]xyz</a> <a href="http://207[.]106[.]22[.]48/" rel="external" alt="Nomor Togel Hari Ini" title="Nomor Togel Hari Ini">Nomor Togel Hari Ini</a></dofollow>
Let’s discuss what this database injection is doing.
The domain hxxp://nomortogelku[.]xyz is a gambling casino site using a common method to boost its authority in search engines. The black-hat SEO tactic this attacker used places an invisible link throughout the compromised website to increase the casino site's domain authority and make it appear more legitimate.
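The two injections above share a shape that can be checked for mechanically: a meta refresh whose URL points off-site, and a style rule that hides a custom element wrapping off-site links. The following Python scanner is an added example (not Sucuri's tooling or code from the original post) that runs both checks over a few constructed post_content rows; the domains, post IDs and the SITE_HOST value are placeholders, and real rows would come from the posts table of the affected site.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Hostname of the site being scanned (assumed value); links elsewhere are "external".
SITE_HOST = "example.com"

# Constructed sample rows standing in for (ID, post_content) from wp_posts. Not real data.
SAMPLE_POSTS: List[Tuple[int, str]] = [
    (1, "<p>Welcome to the shop.</p>"),
    (2, '<p>News</p><meta http-equiv="Refresh" content="60; URL=http://redirect-example.invalid/">'),
    (3, '<style type="text/css"> dofollow { display: none; } </style> '
        '<dofollow><a href="http://casino-example.invalid/" rel="external" title="x">x</a> '
        '<a href="http://203.0.113.5/" rel="external">y</a></dofollow>'),
    (4, '<meta http-equiv="refresh" content="0; url=/new-page/">'),  # same-site redirect, not flagged
]

# A <meta http-equiv="refresh" ...> tag, regardless of attribute order or case.
META_REFRESH_RE = re.compile(r'<meta\b[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*>', re.I)
# The "<delay>; URL=<target>" part of its content attribute.
REFRESH_TARGET_RE = re.compile(r'content\s*=\s*["\']?\s*(\d+)\s*;\s*url\s*=\s*([^"\'>\s]+)', re.I)
# Inline <style> blocks, and any element selector inside them that is set to display:none.
STYLE_RE = re.compile(r'<style\b[^>]*>(.*?)</style>', re.I | re.S)
HIDDEN_SELECTOR_RE = re.compile(r'([a-z][\w-]*)\s*\{[^}]*display\s*:\s*none', re.I)
# Absolute http(s) link targets.
HREF_RE = re.compile(r'href\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)


def is_external(url: str, site_host: str) -> bool:
    """True when the URL names a host other than the site itself (relative URLs are not external)."""
    host = urlparse(url).hostname
    return bool(host) and host.lower() != site_host.lower()


def scan_post(post_id: int, content: str, site_host: str) -> List[Dict]:
    """Return one finding per off-site meta refresh and per off-site link inside a hidden element."""
    findings: List[Dict] = []

    # Injection type 1: timed meta refresh to another domain.
    for tag in META_REFRESH_RE.findall(content):
        m = REFRESH_TARGET_RE.search(tag)
        if m and is_external(m.group(2), site_host):
            findings.append({"post_id": post_id, "kind": "meta_refresh",
                             "delay": int(m.group(1)), "url": m.group(2)})

    # Injection type 2: an element hidden via CSS that wraps links to other domains.
    for css in STYLE_RE.findall(content):
        for selector in HIDDEN_SELECTOR_RE.findall(css):
            tag = re.escape(selector)
            block = re.search(rf'<{tag}\b[^>]*>(.*?)</{tag}>', content, re.I | re.S)
            if not block:
                continue
            for url in HREF_RE.findall(block.group(1)):
                if is_external(url, site_host):
                    findings.append({"post_id": post_id, "kind": "hidden_link",
                                     "selector": selector, "url": url})
    return findings


def scan_posts(rows: List[Tuple[int, str]], site_host: str) -> List[Dict]:
    """Scan every (ID, post_content) row and collect the findings in row order."""
    results: List[Dict] = []
    for post_id, content in rows:
        results.extend(scan_post(post_id, content, site_host))
    return results


if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS, SITE_HOST):
        print(f)
```

The hidden-element rule only keys on bare element selectors (such as the injected dofollow tag) being set to display:none, so a legitimate theme rule like div { display: none } would also be inspected; the scanner still only reports links inside that element that point off-site, which keeps the output short enough to review by hand. Rows for a live site can be fetched with a query over the posts table and fed to scan_posts unchanged.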
Both of these injections are found scattered throughout WordPress databases, oftentimes found in the posts table. Below is the site:
One characteristic both injections have in common is the domain extension used, .xyz. The .xyz domain extension is commonly used by attackers, and the number of malicious domains using this extension increases every day. Threat actors cycle through domains often — and domains with the .xyz extension tend to be cheap for the first year, which is a leading theory as to why this extension is so widely used.
These two infections found on the same site provide an example of how threat actors can disseminate different types of malware through the same site, or how different attackers can take advantage of the same vulnerability to infect the same WordPress site.
WordPress sites are often taken advantage of by threat actors when a vulnerability is present or an admin user is compromised. Once an attacker gains access to a website they can easily disseminate malware, and oftentimes they use their leverage to distribute malware through multiple channels.
Many threat actors even monetize the same vulnerable website with different types of malware to take full advantage of their access. As a result, it is not uncommon to find a variety of malware on the same infected website.
Vulnerable WordPress plugins and themes are one of the leading causes of infection and reinfection. When these vulnerabilities are present, multiple different threat actors may take advantage and spread their malware to unpatched sites.
It is common to see different infections on the same site from different attackers, especially when a website is affected by a severe and widespread vulnerability, such as a vulnerability in a popular plugin downloaded by thousands of users.
Taking advantage of a vulnerable WordPress site by injecting different types of malware is a common tactic used by attackers. Infections can harm a website’s credibility and disrupt high SEO rankings.
Keep your WordPress website safe by following these mitigation strategies:
And if you believe your site has been compromised or injected with malicious scripts, we can help! Reach out to our support team for assistance and we can get the malware cleaned up for you.
https://blog.sucuri.net/