
Hackers Utilize WordPress Sites to Route Users to Harmful Online Destinations

Malware found on compromised WordPress sites modifies the core file `wp-settings.php` so that it loads a hidden PHP payload from inside a ZIP archive through PHP's `zip://` stream wrapper; the payload then poisons search results and redirects visitors to attacker-controlled pages.


Cybersecurity researchers have uncovered a malware campaign targeting WordPress websites. The malware compromises the core file `wp-settings.php`, which WordPress loads on every request, by embedding a short piece of PHP that includes a hidden payload from inside a `win.zip` archive using PHP's `zip://` stream wrapper, so the payload code runs without ever existing on disk as a standalone `.php` file.

PHP stream wrappers let `include` and `require` read from sources other than a plain path, and `zip://archive.zip#member` treats a member of the archive as if it were a regular file. That is what makes the technique stealthy: scanners that key on `.php` extensions or grep the web root for suspicious source never look inside the archive, and the visible change to the core file is a single include line. The researchers also found the payload tailored to the infected site's domain, and the malware layers obfuscation and persistence mechanisms on top so that it survives in the site's core files.

The infection chain starts with a minimal addition to `wp-settings.php` that bootstraps the rest of the malware. The include target is `win.zip`, which contains a single heavily obfuscated PHP script: base64 encoding, several layers of wrapping and variable substitution are stacked so that static signatures and automated scanners do not match the plaintext.
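A defender-side check for this infection pattern, as an added example that is not code from the original article or from the researchers who analysed the campaign: a Python scanner that greps PHP files under a WordPress root for include/require statements pointing at a stream wrapper, lists ZIP archives in the web root together with the obfuscation primitives used by any PHP inside them, and compares core files against known-good MD5 digests. The sample site it builds (a four-line stand-in for `wp-settings.php` with the injected include appended, and a `win.zip` holding a stub that only decodes to a PHP comment) is constructed for the demonstration; the digest map is the shape returned by the api.wordpress.org core checksum endpoint, which is what `wp core verify-checksums` consults in production.

```python
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

# include/require whose target is a stream wrapper rather than a file on disk.
# zip:// is this campaign's choice; phar:// and compress.zlib:// are the usual
# alternatives and are flagged for the same reason.
WRAPPER_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*?['\"]\s*(?:zip|phar|compress\.zlib)://",
    re.IGNORECASE,
)
# Primitives the obfuscated payload script leans on.
OBFUSCATION_RE = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(",
    re.IGNORECASE,
)


def find_wrapper_includes(root):
    """(relative path, line number, line) for every stream-wrapper include.
    A payload that assembles 'zip://' from fragments slips past this grep,
    which is why the digest comparison below is the authoritative signal."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if WRAPPER_RE.search(line):
                hits.append((str(path.relative_to(root)), lineno, line.strip()))
    return hits


def inspect_archive(path):
    """PHP members of a zip and the obfuscation primitives each one calls."""
    report = []
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".php"):
                body = zf.read(name).decode("utf-8", errors="replace")
                report.append((name, sorted({m.lower() for m in OBFUSCATION_RE.findall(body)})))
    return report


def find_archives(root):
    """Zip archives parked in the web root (the campaign's win.zip), each with
    its inspection report. A live site normally has none outside wp-content."""
    root = Path(root)
    return {str(p.relative_to(root)): inspect_archive(p)
            for p in sorted(root.rglob("*.zip")) if p.is_file()}


def verify_core_files(root, expected):
    """Core files whose MD5 differs from `expected` (relative path -> md5),
    the same shape as the api.wordpress.org core checksum feed that
    `wp core verify-checksums` consults. One extra @include changes the digest."""
    root = Path(root)
    return sorted(rel for rel, digest in expected.items()
                  if not (root / rel).is_file()
                  or hashlib.md5((root / rel).read_bytes()).hexdigest() != digest)


def scan(root, expected):
    return {
        "wrapper_includes": find_wrapper_includes(root),
        "archives": find_archives(root),
        "modified_core": verify_core_files(root, expected),
    }


# Constructed stand-ins for the demonstration, not real WordPress files and not
# the real payload: the zip member only decodes to a PHP comment.
CLEAN_SETTINGS = (
    "<?php\n"
    "// constructed stand-in for wp-settings.php\n"
    "define('WPINC', 'wp-includes');\n"
    "require ABSPATH . WPINC . '/load.php';\n"
)
INJECTED_LINE = "@include 'zip://' . ABSPATH . 'win.zip#settings.php';\n"
STUB_PAYLOAD = "<?php eval(base64_decode('Ly8gY29uc3RydWN0ZWQgc3R1Yg=='));"


def build_sample_site(root):
    """Lay down the infected layout and return the digest the clean file had."""
    root = Path(root)
    (root / "wp-settings.php").write_text(CLEAN_SETTINGS + INJECTED_LINE)
    with zipfile.ZipFile(root / "win.zip", "w") as zf:
        zf.writestr("settings.php", STUB_PAYLOAD)
    return {"wp-settings.php": hashlib.md5(CLEAN_SETTINGS.encode()).hexdigest()}


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        return scan(tmp, build_sample_site(tmp))


if __name__ == "__main__":
    print(run_demo())
```

Against a real install, fetch the checksum map for the installed version and call `scan("/var/www/html", checksums)`, or simply run `wp core verify-checksums` from the site root. Treat the regex as a triage aid only: a payload that builds the string `zip://` from pieces or reads the include target from a variable will not match, so any core file whose digest differs is the finding, and the next step is to diff it against the pristine copy and read the added line.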

To stay unnoticed at runtime, the payload checks whether the site is served over HTTPS and matches the scheme of the content it injects, avoiding mixed-content errors that would break the page or draw attention. It also chooses among several command and control (C2) servers depending on the URL patterns a visitor requests, which both complicates takedown (no single domain carries all the traffic) and lets the operators tailor what each visitor receives.

Its goals are SEO poisoning and unauthorized redirects, carried out as persistently and quietly as possible. Search engines are fed content that promotes the operators' fraudulent pages, while human visitors to the infected site are silently redirected to attacker-controlled pages serving unwanted ads, phishing or malicious downloads, where they are exploited or monetized further.

Two of the C2 domains observed in the dynamic selection logic are `wditemqy.enturbioaj.xyz` and `oqmetrix.icercanokt.xyz`; because the payload picks among several such domains according to the request pattern, blocking any single one does not disable the redirect chain.
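The visitor-conditional behaviour described above (HTTPS awareness, URL-pattern-based C2 selection, stealthy redirects aimed at search traffic) is best confirmed from outside the server by fetching the site as different kinds of visitor and comparing where each one is sent. The following cloaking check is an added example, not code from the article or the researchers; it uses the two C2 domains named above as a seed indicator list, a constructed responder (`constructed_fetch`, with made-up responses rather than captured traffic) that behaves like a cloaked site so the logic runs offline, and a live fetcher (`urllib_fetch`) that does the same against a real URL without following redirects.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Seed indicator list: the two C2 domains named in the article. Extend it from
# your own telemetry; the selection logic rotates among more than these.
KNOWN_C2 = {"wditemqy.enturbioaj.xyz", "oqmetrix.icercanokt.xyz"}

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
# Three visitor profiles a cloaked site treats differently: a search crawler
# (fed the spam so it ranks), a human arriving from a search result (the one
# who gets redirected), and a direct visit (shown the normal page).
PROFILES = {
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "from_search": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/search?q=example"},
    "direct": {"User-Agent": BROWSER_UA},
}

META_REFRESH_RE = re.compile(
    r"""<meta[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*url\s*=\s*["']?([^"'\s>]+)""", re.I)
JS_LOCATION_RE = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I)


def redirect_targets(base_url, status, headers, body):
    """Every place a response tries to send the visitor: HTTP Location on a
    3xx, a <meta http-equiv=refresh>, or a JavaScript location assignment."""
    targets = set()
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if 300 <= status < 400 and location:
        targets.add(urljoin(base_url, location))
    for pattern in (META_REFRESH_RE, JS_LOCATION_RE):
        for m in pattern.finditer(body):
            targets.add(urljoin(base_url, m.group(1)))
    return targets


def external_hosts(base_url, targets):
    """Hosts the visitor is sent to that are not the site itself."""
    site = urlparse(base_url).hostname
    return sorted({h for h in (urlparse(t).hostname for t in targets) if h and h != site})


def assess(site_url, fetch):
    """Fetch site_url once per profile and compare where each visitor is sent.
    `fetch(url, headers)` returns (status, headers, body) and must not follow
    redirects, otherwise the 302 to the C2 is consumed before we see it."""
    per_profile = {}
    for name, hdrs in PROFILES.items():
        status, headers, body = fetch(site_url, hdrs)
        hosts = external_hosts(site_url, redirect_targets(site_url, status, headers, body))
        per_profile[name] = {"status": status, "external_hosts": hosts}
    distinct = {tuple(v["external_hosts"]) for v in per_profile.values()}
    return {
        "profiles": per_profile,
        "cloaked": len(distinct) > 1,  # profiles disagree on where they end up
        "c2_hits": sorted({h for hosts in distinct for h in hosts if h in KNOWN_C2}),
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as HTTPError instead of following it


def urllib_fetch(url, headers, timeout=10):
    """Live fetcher for assess(): one request, redirects left unfollowed."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items()), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read().decode("utf-8", "replace")


def constructed_fetch(url, headers):
    """Offline stand-in for urllib_fetch that behaves like a cloaked site.
    The responses are constructed for this example, not captured traffic."""
    if "Googlebot" in headers.get("User-Agent", ""):
        return 200, {"Content-Type": "text/html"}, "<html><body><h1>discount pharmacy</h1></body></html>"
    if "google.com/search" in headers.get("Referer", ""):
        return 302, {"Location": "https://wditemqy.enturbioaj.xyz/go?src=example.org"}, ""
    return 200, {"Content-Type": "text/html"}, "<html><body><h1>Welcome</h1></body></html>"


def clean_fetch(url, headers):
    """Control: a site that answers every profile the same way."""
    return 200, {"Content-Type": "text/html"}, "<html><body><h1>Welcome</h1></body></html>"


if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1
    print(assess(sys.argv[1] if live else "https://example.org/", urllib_fetch if live else constructed_fetch))
```

A clean result from one vantage point is not proof the site is clean: cloaking logic of this kind can also key on crawler IP ranges, geolocation, cookies, or the specific landing URLs that appear in search results, which is exactly what the URL-pattern-based C2 selection suggests. Probe the URLs that search engines actually link to, repeat from a different network, and compare with what Google Search Console's URL inspection reports for the same pages.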

The campaign fits a broader trend of operators weaponizing WordPress sites for large-scale malvertising, data theft or site hijacking, with initial access typically gained through supply chain compromises, vulnerable or backdoored plugins, or direct modification of core files. Loading PHP from inside a ZIP archive stands out because it hides the payload in a file type most integrity and malware scanners skip, and it shows how quickly evasion and persistence tactics keep evolving.

In short, this ZIP-archive-based WordPress malware combines core file compromise, payload inclusion through PHP's `zip://` wrapper, multi-layer obfuscation, HTTPS environment detection, visitor-specific redirect rules and dynamic C2 routing, all in service of stealthy SEO poisoning and unauthorized redirects with a command channel that resists takedown.

  1. The campaign targets WordPress websites by manipulating the core file `wp-settings.php` and using PHP's `zip://` stream wrapper to deliver a payload hidden inside `win.zip`, a technique that keeps the malicious code out of plain `.php` files and out of the view of many scanners.
  2. Defenders should verify core-file integrity (for example with `wp core verify-checksums`), look for archives and stream-wrapper includes in the web root, and watch for visitor-dependent redirects, since the malware relies on dynamic C2 selection, multi-layer obfuscation and HTTPS environment detection to keep its SEO poisoning and redirects running unnoticed.
