Tuesday 11th December 2018

New malware infects WordPress websites and redirects traffic to pages comprising affiliate links

The malware identifies and deletes competing malware to ensure the host installation remains functional and the administrator oblivious. It also includes file upload functionality and the ability to update itself.
by Jason Smith on 11th June 2018

A new strain of malware, allegedly written by Russian programmers, is generating spam pages of affiliate links on infected WordPress installations, according to a report by WordPress security firm WordFence.

The malware, dubbed Baba Yaga, creates thin or purposeless pages on the host’s website for the sole purpose of attracting search engine traffic.

When the links on the spam pages are clicked and the user buys a product, the creator of the malware will receive a commission on the sale.

Interestingly, the malware also contains an anti-malware function that helps identify and remove competing malware.

This has been included in the malware to ensure the infected WordPress installation doesn’t break (the malware executes during page load and thus requires WordPress to be functional for it to operate).

Furthermore, if a WordPress website malfunctions as a consequence of a cruder competing infection, the administrator is likely to investigate the problem, which increases the probability that Baba Yaga will be detected.

According to WordFence, one of the industries targeted is “essay writing services.” When a visitor lands on one of the spam pages, a client-side redirect sends them to another page containing the affiliate links.

To prolong the infection, the malware replicates itself across numerous files in the WordPress installation, so that if one copy is detected and removed, other copies may remain.

Moreover, every copy contains a “backdoor function” that reinfects the installation as long as a single malicious file remains, so a cleanup that misses even one file is likely to fail.

Other features of the malware include:

  • The ability to infect multiple domains hosted from the same shared, top-level directory. This is particularly relevant to shared web hosts that let webmasters host multiple websites from a single directory;
  • Infected installations will host a file upload tool that allows an attacker to upload files; and
  • What WordFence refers to as a “phone home” feature that allows the malware to update itself.
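The two traits above, replication of the same code to many locations and spread across sibling sites under one shared directory, suggest a practical cleanup check: hash every PHP file under the shared hosting directory and report content that turns up at more than one install-relative location, plus any PHP file sitting inside an uploads tree. The script below is an added illustration of that check, not WordFence's tooling or anything from the malware itself. Its sample tree, the planted payload string and the assumption that a directory containing wp-config.php marks one WordPress install are all constructed for the example.

```python
"""Find PHP content replicated across WordPress installs under one directory.

Added example; not WordFence's or the malware author's code. The sample
tree is constructed and PLANTED is a placeholder, not a BabaYaga signature.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed sample: two sites under one shared hosting directory. The
# core-like file is identical in both installs (expected on shared hosts);
# the planted file is copied to several unrelated locations (what we hunt).
PLANTED = "<?php eval(base64_decode('CONSTRUCTED_PLACEHOLDER')); ?>\n"
CORE_FILE = "<?php // identical WordPress core file in both installs\n"
SAMPLE_TREE = {
    "site-a/wp-config.php": "<?php define('DB_NAME', 'site_a');\n",
    "site-a/wp-includes/class-wp-hook.php": CORE_FILE,
    "site-a/wp-content/themes/twenty/functions.php": "<?php // theme A\n",
    "site-a/wp-content/themes/twenty/inc/helper.php": PLANTED,
    "site-a/wp-content/uploads/2018/06/cache.php": PLANTED,
    "site-b/wp-config.php": "<?php define('DB_NAME', 'site_b');\n",
    "site-b/wp-includes/class-wp-hook.php": CORE_FILE,
    "site-b/wp-includes/ID3/module.php": PLANTED,
}
UPLOADS_MARKER = os.path.join("wp-content", "uploads") + os.sep


def build_sample_tree(root):
    """Materialise SAMPLE_TREE under root (constructed data) and return root."""
    for rel, body in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_site_roots(root):
    """Assumption: each directory holding wp-config.php is one install."""
    return [d for d, _dirs, files in os.walk(root) if "wp-config.php" in files]


def site_relative(path, site_roots, root):
    """Path relative to the install it belongs to, else to the scan root."""
    for site in site_roots:
        if path.startswith(site + os.sep):
            return os.path.relpath(path, site)
    return os.path.relpath(path, root)


def scan(root):
    """Return (replicated, php_in_uploads).

    replicated: {sha256: sorted paths} for PHP content present at more than
    one *different* install-relative location. The same core file at the
    same relative path in two installs is expected and is not reported.
    php_in_uploads: PHP files under a wp-content/uploads tree, which should
    normally hold only media.
    """
    site_roots = find_site_roots(root)
    by_hash = defaultdict(list)
    php_in_uploads = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            by_hash[sha256_file(path)].append(path)
            if UPLOADS_MARKER in os.path.relpath(path, root):
                php_in_uploads.append(path)
    replicated = {}
    for digest, paths in by_hash.items():
        locations = {site_relative(p, site_roots, root) for p in paths}
        if len(locations) > 1:
            replicated[digest] = sorted(paths)
    return replicated, sorted(php_in_uploads)


def scan_sample():
    """Build the constructed tree in a temp dir and return root-relative results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        replicated, uploads = scan(root)
        groups = {d: [os.path.relpath(p, root) for p in ps]
                  for d, ps in replicated.items()}
        return groups, [os.path.relpath(p, root) for p in uploads]


if __name__ == "__main__":
    groups, uploads = scan_sample()
    for digest, paths in groups.items():
        print(f"replicated content {digest[:12]} at {len(paths)} locations:")
        for p in paths:
            print("   ", p)
    for p in uploads:
        print("PHP file inside uploads tree:", p)
```

Point the scan root at the shared parent directory rather than one site, since the article notes the infection crosses into sibling installs. Because the malware can update itself, a fixed signature is a weak handle; keying on identical content at unrelated locations does not depend on one. Core and plugin files should additionally be checked against known-good checksums (for example WP-CLI's `wp core verify-checksums`), and every reported copy must go in one pass, given that a single surviving file reinfects the install.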

A more comprehensive technical overview of the malware is available in WordFence’s report.