10,800 WordPress Sites Were Infected with a Backdoor

10800 WordPress sites were infected
Written by William Reddy

Sucuri experts discovered that the attackers are using more than 70 dummy domains that imitate URL shorteners, and that more than 10,800 WordPress sites have been infected with advertising malware as a result.

Let me remind you that we previously wrote that the Vulnerability in WordPress Tatsu Builder Plugin Is under Attack, and that Researchers Found Adware Malware Downloaded More Than 13 Million Times on Google Play and the App Store.

Information security specialists have also reported that Chinese hackers are using a new backdoor to spy on the government of a Southeast Asian country.

The first details about this malicious campaign appeared back in November 2022, when the same Sucuri researchers noticed the compromise of 15,000 WordPress sites. At the time, the hackers were reported to be aiming to “increase the authority of their own sites” in search engines, in other words, doing black hat SEO: with the help of the hacked resources, they actively promoted their own “low-quality Q&A sites”, which used the same templates and were clearly created by the same group.

It was noted that the attackers modified on average more than 100 files on each affected site, which looked quite unusual. Among the “most infected” files, analysts listed wp-signup.php, wp-cron.php, wp-links-opml.php, wp-settings.php, wp-comments-post.php, wp-mail.php, xmlrpc.php, wp-activate.php, wp-trackback.php and wp-blog-header.php.

Such extensive compromise allowed the attackers to redirect the many visitors of the hacked sites to any destination of their choice. The ultimate goal of the campaign was to drive more traffic to hacker-controlled sites and improve their search engine rankings through fake clicks.

The backdoor planted by the hackers simulated clicks by redirecting the victim to a PNG image hosted on the ois[.]is domain. Instead of actually loading the image, however, visitors were redirected to a Google search results URL leading to one of the fake Q&A sites.

“It looks like the attackers are just trying to convince Google that real people from different IP addresses using different browsers are clicking on search results. This method artificially sends signals to Google that these pages are supposedly performing well in the search,” the experts wrote.

As the researchers now report, this campaign is still active and continues to expand. In 2023 alone, more than 2,600 hacked websites were discovered.

Now, the malware operators have also begun to use Bing search results links (along with Google), as well as Twitter’s link shortening service (t[.]co).

In addition, the hackers use domains with fake URL shorteners that masquerade as popular, real URL shortening tools (Bitly, Cuttly or ShortURL). In fact, these sites direct visitors to the same Q&A resources, where blockchain and cryptocurrencies are allegedly discussed.

“If you enter any of these domain names in a browser, you will be redirected to the real URL shortening service: Bitly, Cuttly, or ShortUrl.at, which makes it look like they are just alternative domains for well-known services. However, this is not the case – each of the domains has only a few working URLs that redirect visitors to spam sites of questions and answers with AdSense monetization,” the experts explain.

It is worth noting that so far the researchers have not identified anything malicious on these landing pages. But they warn that the operators of these sites could activate some kind of malware at any time or start redirecting traffic elsewhere.

In fact, the whole purpose of the campaign at the moment is to generate traffic to sites containing Google AdSense ads.

The company’s report notes that the malware is obfuscated using Base64 and tries to hide its presence from the administrators of infected sites. For example, if a user is logged in as an administrator, or if an administrator has visited the infected site within the last 2-6 hours, the redirects stop working.
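As an added defender-side example (not code from Sucuri or from this article), the Python below scans the core files listed above for the kind of Base64-wrapped injection the report describes: it decodes every base64_decode() string literal it finds and flags decoded text that looks like redirect or visitor-cloaking logic. The file list comes from the report; the regex heuristic, the hint strings, the sample PHP snippets and the example.invalid redirect target are constructed assumptions.

```python
import base64
import re
from pathlib import Path

# WordPress core files the report lists as the most frequently modified.
SUSPECT_FILES = [
    "wp-signup.php", "wp-cron.php", "wp-links-opml.php", "wp-settings.php",
    "wp-comments-post.php", "wp-mail.php", "xmlrpc.php", "wp-activate.php",
    "wp-trackback.php", "wp-blog-header.php",
]

# A long base64 literal handed to base64_decode(), usually as eval(base64_decode('...')).
B64_CALL = re.compile(
    r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]{40,})['\"]\s*\)", re.IGNORECASE)
# Decoded text containing these looks like redirect / visitor-cloaking logic (assumed heuristic).
PAYLOAD_HINTS = ("header(", "Location:", "is_user_logged_in", "$_COOKIE", "$_SERVER")


def inspect_source(php_source: str) -> list:
    """Return one finding per base64_decode() literal, with a decoded preview."""
    findings = []
    for m in B64_CALL.finditer(php_source):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            continue  # not real base64; skip rather than crash on odd input
        before = php_source[max(0, m.start() - 12):m.start()].lower()
        findings.append({"evaled": "eval(" in before,
                         "hints": [h for h in PAYLOAD_HINTS if h in decoded],
                         "preview": decoded[:80]})
    return findings


def scan_wordpress_root(root: str) -> dict:
    """Inspect the listed core files under a WordPress install; map file -> findings."""
    results = {}
    for name in SUSPECT_FILES:
        path = Path(root) / name
        if path.is_file():
            hits = inspect_source(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[name] = hits
    return results


# Constructed samples (not from the report): a benign core-file stub and the same
# stub with an injected, base64-wrapped redirect that fires only for non-admin visitors.
_PAYLOAD = 'if (!is_user_logged_in()) { header("Location: https://example.invalid/"); exit; }'
CLEAN_SAMPLE = "<?php\nrequire_once __DIR__ . '/wp-load.php';\n"
INFECTED_SAMPLE = ("<?php eval(base64_decode('" + base64.b64encode(_PAYLOAD.encode()).decode()
                   + "')); ?>\n" + CLEAN_SAMPLE)
```

Run scan_wordpress_root("/path/to/wordpress") against a real install and compare any hit against a clean copy of the same core file before deciding it is an injection.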

At the same time, Sucuri admits that it still has not determined how the sites affected by this campaign were hacked, since no obvious bugs were found in the plugins.

About the author

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.