Stealthy Malware Disguises Itself as a WordPress License Key

A spam injector hides in plain sight within WordPress theme files.


A spam-injecting malware is targeting WordPress site owners by disguising itself as a legitimate license key for a WordPress design theme.

According to analysis from Sucuri, a customer opened a malware removal ticket reporting “some weird spam URLs injected onto their WordPress website.” After further investigation into the files on the website, analysts uncovered a hidden encoded spam injector malware in the “./wp-content/themes/toolbox/functions.php” WordPress theme, masquerading as a license key.

“We had no access to their logs to determine the root cause, but it’s generally caused by compromised admin accounts or downloading and using themes/plugins from untrusted sources,” Moe Obaid, security analyst at Sucuri, told Threatpost.

WordPress themes are essentially website templates, specifying the fonts, colors, image placement and other design elements for a site. They can also be customized with tailored elements. When a customer orders a theme, it comes with a license key, like any software would. This key is required for any future updates, features and security patches.

“A license key is a place where a webmaster might not expect to find an infection,” said Obaid, in a Wednesday post. “The attacker formatted the encoded injector to look like a theme’s license key in order to distract the eyes of a less-trained security analyst from suspecting this to be malicious code.”

Interestingly, in addition to targeting a normally non-suspicious file, the attacker didn’t apply that much encoding to obfuscate the code – meaning that it essentially hides in plain sight. Obaid said that it was a simple process to decode the malware, which is housed in base64-encoded text within the $token variable.

Diving more into the malicious code itself, Sucuri found that the malware displays spam links to most user agents (i.e., the browsers and different types of plug-ins that retrieve, render and facilitate end-user interaction with a site’s web content), with a few exceptions.

The malware checked what kind of user agent was visiting the infected site. If it was the Baidu or Yandex browser, or one of the web-based link-analyzing tools MJ12, Ezooms, Solomono, Roger, Linkpad, Semrush or Prodvigator, the malware wouldn’t display the spam links.

“The reason behind this step is to avoid the client being notified [of the malware] by these tools,” Obaid explained.

In general, the spam links that the malware serves up are hard-coded. However, Obaid believes the hard-coded links may differ from site to site, even as the offending spam domains remain mostly the same.
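The two traits described above, a long base64 blob posing as a license key in a theme’s functions.php and a decoded payload that gates its output on the visitor’s user agent, can be checked for without running the file. The following scanner is an added example written for this article in Python rather than PHP; it is not Sucuri’s tooling, and the infected functions.php it scans is a constructed sample (the domain spam.example and the variable names are placeholders).

```python
import base64
import re

# Indicators that a decoded blob is code rather than a license key. They follow
# the behaviour described above: PHP, a user-agent gate and injected links.
SUSPICIOUS_MARKERS = ("<?php", "eval(", "base64_decode", "HTTP_USER_AGENT", "<a href")

# A quoted run of 60+ base64 characters assigned to a PHP variable. Genuine
# theme license keys are short and usually contain separators such as '-'.
BLOB_RE = re.compile(r'\$(\w+)\s*=\s*[\'"]([A-Za-z0-9+/=\s]{60,})[\'"]')


def decode_base64_blob(blob):
    """Return the blob decoded as text, or None if it is not valid base64."""
    try:
        raw = base64.b64decode(re.sub(r"\s+", "", blob), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    return raw.decode("utf-8", errors="replace")


def scan_php_source(source):
    """Return (variable_name, matched_markers) for each blob that decodes to code."""
    findings = []
    for var, blob in BLOB_RE.findall(source):
        decoded = decode_base64_blob(blob)
        if decoded is None:
            continue
        hits = [m for m in SUSPICIOUS_MARKERS if m in decoded]
        if hits:
            findings.append((var, hits))
    return findings


# Constructed sample of an infected functions.php (not the real injector): a
# short genuine-looking key beside a long base64 "key" that decodes to PHP
# which hides its links from a few crawler and SEO-tool user agents.
HIDDEN_PAYLOAD = (
    "<?php if (!preg_match('/Yandex|Semrush|MJ12/i', $_SERVER['HTTP_USER_AGENT'])) "
    "{ echo '<a href=\"https://spam.example/\">placeholder</a>'; }"
)
SAMPLE_FUNCTIONS_PHP = (
    "<?php\n"
    "$license_key = 'ABCD-1234-EFGH-5678';\n"
    "$token = '" + base64.b64encode(HIDDEN_PAYLOAD.encode()).decode() + "';\n"
    "eval(base64_decode($token));\n"
)

if __name__ == "__main__":
    for var, hits in scan_php_source(SAMPLE_FUNCTIONS_PHP):
        print(f"${var}: base64 blob decodes to code ({', '.join(hits)})")
```

Run against a real theme directory, the short `$license_key` passes untouched while `$token` is reported, which is the distinction a reviewer skimming for a license string would miss.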

Malware obfuscation continues to be a creative hotspot for cybercriminals, with new techniques cropping up on a regular basis. For instance, last week researchers said they had detected 191,970 weaponized ads impacting around 1 million Mac users, which use a steganography technique to hide the Shlayer Trojan inside the ads’ image files.

And last fall, malware was seen employing a VBS script with rudimentary Base64 encoding to obfuscate the first layer. That VBS script then downloaded and executed a DAT file via PowerShell. Researchers found that the script used techniques like string-splitting through concatenation and variable assignment, as well as tick marks and random letter capitalization, to split up words that common antivirus signatures would otherwise match.

“We are used to finding malicious and nasty code in several different places and trying to hide it in a license key file is certainly one technique — such places can be easily overlooked/unsuspected by the site owner/webmaster/developer or the security analyst or less experienced eyes,” Obaid told Threatpost. “The hacker wants their code to be undetected and left there on the site as long as possible of course.”
As such, everything needs to be checked and examined properly when dealing with a compromised site, he noted.

The technique for now seems to be a one-off.

“As far as I can tell, it’s not part of any campaigns,” Obaid said. “I found few similar cases previously for Magento, where the malware/credit-card swipers were placed in some third-party extensions’ license files in order to hide. So, techniques like these are individual cases.”

This post was updated at 3:55 p.m. ET on Jan. 30, 2019, to include additional comments from the malware researcher.