Malware on WordPress is now disguised as a theme's license key. Sucuri cyber security experts: "We discovered a very well hidden encoded spam injector in an unsuspicious file"
Someone is spreading spam on WordPress websites using license keys. It has been discovered by Sucuri cyber security experts. According to the company's blog, "a client opened a malware removal ticket reporting some weird spam URLs injected onto their WordPress website. After further investigation into the files in the website, we discovered a hidden encoded spam injector malware. The attacker formatted the encoded injector to look like a theme's license key, in order to distract the eyes of a less-trained security analyst from suspecting this to be malicious code. Not only did the attacker add malware to an 'unsuspicious' file, but they also hardly used any encoding to ensure it was well hidden. The injected code contained a few layers of encoding to further obfuscate it from detection." To disguise the malware, the cybercrime actors used Base64, a group of similar binary-to-text encoding schemes that represent binary data as ASCII text.
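A defender looking for this kind of injection cannot rely on the variable name, since the blob is deliberately labelled as a license key. What gives it away is that a genuine license key decodes to nothing meaningful, whereas a layered Base64 payload decodes, sometimes repeatedly, to HTML links or PHP. The scanner below is an added example written for this article; it is not Sucuri's tooling and has no connection to the real sample they analysed. It builds a constructed theme file (the `$theme_license_key` variable name, the `spam.example.invalid` domain and the double-encoded marker text are all made up here), finds long Base64-looking strings, peels the encoding layers off one at a time, and reports any result that contains URLs or PHP code-execution tokens.

```python
import base64
import binascii
import re

# Constructed sample: a theme file in which a Base64 blob masquerades as a
# license key. The inner content is a harmless marker, double-encoded to mimic
# the "few layers of encoding" the article describes. None of this is real
# malware or real attacker data.
INNER = '<a href="http://spam.example.invalid/">constructed spam link</a>'
LAYERED = base64.b64encode(
    base64.b64encode(INNER.encode()).decode().encode()
).decode()
SAMPLE_THEME_FILE = f"""<?php
/* Theme options (constructed sample) */
$theme_license_key = "{LAYERED}";
$theme_version = "1.0";
"""

# A run of at least 40 Base64 alphabet characters, optional padding, not glued
# to other Base64 characters on either side. Short tokens are ignored on purpose
# to keep noise down; real license keys are usually well under this length.
B64_RE = re.compile(
    r'(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])'
)

# Indicators that decoded text is code or spam rather than an opaque key.
SUSPICIOUS_RE = re.compile(
    r'<\?php|eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|https?://', re.I
)


def peel_base64(blob: str, max_layers: int = 5) -> tuple[str, int]:
    """Strip nested Base64 layers. Returns (final text, layers removed).

    Stops when the data no longer decodes cleanly, is not valid UTF-8, or no
    longer looks like Base64 itself. max_layers guards against pathological
    input that keeps decoding forever.
    """
    current = blob
    layers = 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break
        try:
            text = decoded.decode("utf-8")
        except UnicodeDecodeError:
            break
        current = text
        layers += 1
        if not B64_RE.fullmatch(current.strip()):
            break
    return current, layers


def scan_source(source: str) -> list[dict]:
    """Return one finding per Base64 blob that decodes to suspicious content."""
    findings = []
    for match in B64_RE.finditer(source):
        text, layers = peel_base64(match.group(0))
        if layers == 0:
            continue  # not actually Base64, e.g. a long hex or random key
        indicators = sorted({hit.lower() for hit in SUSPICIOUS_RE.findall(text)})
        if indicators:
            findings.append({
                "offset": match.start(),
                "layers": layers,
                "indicators": indicators,
                "preview": text[:60],
            })
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_THEME_FILE):
        print(f"offset {finding['offset']}: {finding['layers']} Base64 layer(s), "
              f"indicators {finding['indicators']}, preview {finding['preview']!r}")
```

Run it against real theme and plugin directories by reading each `.php` file into `scan_source`; a hit on a variable named like a key or token is exactly the case the article describes. The layer count is worth logging on its own, since a legitimate configuration value almost never survives two successful Base64 decodes.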
The cybercrime TTPs against WordPress are constantly changing and evolving in order to have any hope of success, always focusing on different components of the blogging platform.
Sucuri experts noted that a license key is a place where a webmaster might not expect to find an infection. That is probably why the cybercrime actors use it to disguise the malware and trick WordPress defences. The blogging platform is the biggest and most famous worldwide (at the end of 2016, it was used by 75 million websites), so it is one of the best targets for anyone who wants to make a profit by exploiting a huge user base. Indeed, it is continuously attacked by different actors and, accordingly, it constantly strengthens its cyber security. This means that the attackers' TTPs must change and evolve to have any hope of success, always focusing on different components, such as a theme's license keys.