Denis Sinegubko’s research team has recently uncovered a concerning evolution in a JavaScript malware campaign targeting WordPress sites. Initially detected in August, this campaign has undergone significant transformations, notably shifting from client-side to server-side redirects and adopting DNS TXT records as Traffic Direction Systems (TDS). These changes reflect the malware’s adaptive nature and sophisticated tactics, posing serious risks to website security.
The campaign, which injects malicious JavaScript code into compromised WordPress sites, has exhibited a high level of sophistication in its obfuscation techniques and domain utilization. The attackers have leveraged dynamic DNS TXT records of various domains, including cloud-stats[.]com, host-stats[.]io, logsmetrics[.]com, and ads-promo[.]com, as part of their TDS strategy. This method allows them to dynamically generate redirect URLs, complicating detection and mitigation efforts.
Initially relying on client-side redirects, the malware campaign has evolved to employ server-side redirects since March 2024. This shift enhances the attackers’ ability to evade detection by traditional security measures, as no JavaScript injections are involved. Instead, the attackers utilize a PHP version of the injection method, embedding custom code snippets into compromised WordPress sites via the WPCode plugin.
The malicious PHP snippets injected through WPCode serve multiple purposes, including initiating server-side redirects and maintaining malware persistence. By hiding within legitimate plugins like WPCode, the malware conceals its presence from site owners and security scanners, complicating detection and removal processes.
Furthermore, the malware campaign employs evasive techniques such as proxies and a diverse range of user-agent strings to disguise its origin and evade detection. Bot requests originating from residential IPs across various countries, coupled with changing user-agent strings, add layers of complexity to identifying and mitigating the threat.
