Sucuri experts discovered that the attackers are using more than 70 dummy domains that imitate URL shorteners, and as a result, more than 10,800 WordPress sites were infected with advertising malware.
Let me remind you that we previously wrote that the Vulnerability in WordPress Tatsu Builder Plugin Is under Attack, and that Researchers Found an Adware Malware Downloaded More Than 13 million Times on Google Play and the App Store.
Information security specialists also reported that Chinese hackers are using a new backdoor to spy on the government of a Southeast Asian country.
The first details about this malicious campaign appeared back in November 2022, when the same Sucuri researchers noticed the compromise of 15,000 WordPress sites. It was then reported that the hackers were aiming to “increase the authority of their own sites” in search engines, which is to say, doing black hat SEO. With the help of the hacked resources, the hackers actively promoted their own “low-quality Q&A sites”, which used the same templates and were clearly created by the same group.
It was noted that the attackers modify on average more than 100 files on each affected resource, which looked quite unusual. Among the “most infected” pages, analysts listed wp-signup.php, wp-cron.php, wp-links-opml.php, wp-settings.php, wp-comments-post.php, wp-mail.php, xmlrpc.php, wp-activate.php, wp-trackback.php and wp-blog-header.php.
Such extensive compromise allowed attackers to redirect numerous visitors of hacked resources to any sites of their choice. In fact, the ultimate goal of this campaign was to drive more traffic to hacker-controlled resources and improve their search engine rankings through fake clicks.
The backdoor introduced by the hackers simulated clicks, initiating a redirection of the victim to a PNG image hosted on the ois[.]is domain. Rather than actually loading an image, visitors were redirected to a Google search results URL leading to one of the fake Q&A sites.
As the researchers now report, this campaign is still active and continues to expand. In 2023 alone, more than 2,600 hacked websites were discovered.
Now, malware operators have also begun to use Bing search results links (along with Google), as well as Twitter link shortening services (t[.]co).
In addition, the hackers use domains with fake URL shorteners that masquerade as popular, real URL shortening tools (Bitly, Cuttly or ShortURL). In practice, such sites direct visitors to the same Q&A resources, where blockchain and cryptocurrencies are allegedly discussed.
It is worth saying that so far, the researchers have not identified anything malicious on these landing pages. But they warn that the operators of these sites can activate some kind of malware at any time or start redirecting traffic somewhere else.
In fact, the whole purpose of the campaign at the moment is to generate traffic to sites containing Google AdSense ads.
The company’s report notes that the malware is obfuscated using Base64 and tries to hide its presence from administrators of infected sites. For example, if a user logs in as an administrator, or if an administrator has visited an infected site within the last 2-6 hours, the redirects will stop working.
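Because the redirect switches itself off for logged-in administrators and for anyone who has recently visited as an administrator, browsing the site is an unreliable way to confirm an infection. The added example below (not from Sucuri's report or from WordPress) checks the file system instead: it takes the core files the article lists as most frequently modified, compares their hashes against a known-good manifest, and flags Base64-obfuscated code such as an `eval(base64_decode('...'))` call. The manifest, the file contents and the placeholder Base64 blob are all constructed here for the demonstration; in practice the expected hashes would come from a pristine WordPress download of the same version.

```python
"""Defensive scanner for Base64-obfuscated injections in WordPress core files.

Added example, not code from Sucuri's report or from WordPress: it hashes the
core files the article names and flags eval()/base64_decode() calls fed long
Base64 literals. All sample data below is constructed.
"""
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# Core files the article lists as most frequently infected in this campaign.
WATCHED_CORE_FILES = [
    "wp-signup.php", "wp-cron.php", "wp-links-opml.php", "wp-settings.php",
    "wp-comments-post.php", "wp-mail.php", "xmlrpc.php", "wp-activate.php",
    "wp-trackback.php", "wp-blog-header.php",
]

# Heuristics: base64_decode() fed a long Base64-looking literal, any eval()
# call, and large standalone Base64 literals (>= 120 chars) anywhere in the file.
BASE64_LITERAL = r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]"
PATTERNS = {
    "base64_decode_literal": re.compile(r"base64_decode\s*\(\s*" + BASE64_LITERAL, re.I),
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    "long_base64_blob": re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
}


def scan_php_source(source: str) -> list:
    """Return sorted (indicator, line_number) hits for one PHP file's text."""
    hits = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(source):
            line_no = source.count("\n", 0, match.start()) + 1
            hits.append((name, line_no))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_site(root, known_good: dict) -> dict:
    """Scan the watched core files under *root*.

    known_good maps file name -> expected SHA-256 of the pristine file.
    Returns {file_name: {"hash_mismatch": bool, "hits": [...]}} for files with
    a hash mismatch or a pattern hit; clean files are omitted.
    """
    root = Path(root)
    report = {}
    for name in WATCHED_CORE_FILES:
        path = root / name
        if not path.exists():
            continue
        digest = sha256_file(path)
        mismatch = name in known_good and known_good[name] != digest
        hits = scan_php_source(path.read_text(errors="replace"))
        if mismatch or hits:
            report[name] = {"hash_mismatch": mismatch, "hits": hits}
    return report


# --- Constructed sample data (not from the article) -----------------------
CLEAN_SOURCE = "<?php\n/* constructed clean stand-in for a core file */\nrequire_once 'wp-load.php';\n"
# Harmless placeholder blob so the heuristics have something realistic to match.
_BLOB = base64.b64encode(b"/* constructed placeholder, not a real payload */" * 2).decode()
INJECTED_SOURCE = (
    "<?php\n"
    "/* constructed injected stand-in for wp-cron.php */\n"
    f"eval(base64_decode('{_BLOB}'));\n"
    "require_once 'wp-load.php';\n"
)


def demo() -> dict:
    """Write one clean and one injected core file into a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp_dir:
        root = Path(tmp_dir)
        (root / "wp-cron.php").write_text(INJECTED_SOURCE)
        (root / "wp-mail.php").write_text(CLEAN_SOURCE)
        pristine = hashlib.sha256(CLEAN_SOURCE.encode()).hexdigest()
        # Constructed manifest: both files are expected to equal the clean stand-in.
        known = {"wp-cron.php": pristine, "wp-mail.php": pristine}
        return check_site(root, known)


if __name__ == "__main__":
    for fname, info in demo().items():
        print(fname, info)
```

The hash comparison is the authoritative check, since any byte changed in a core file is a finding regardless of how the payload is encoded; the regex heuristics are there to point an analyst at the injected line quickly and to catch files for which no manifest entry exists. Run it from the web root on a copy of the site, not through the site itself, so the admin-detection logic described above never comes into play.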
At the same time, Sucuri admits that they still have not been able to determine how the sites affected by this campaign were compromised, since no obvious vulnerabilities were found in their plugins.