Stealthy Malware Disguises Itself as a WordPress License Key

A spam injector hides in plain sight within WordPress theme files.

UPDATE

A spam-injecting malware is targeting WordPress site owners by disguising itself as a legitimate license key for a WordPress design theme.

According to analysis from Sucuri, a customer opened a malware removal ticket reporting “some weird spam URLs injected onto their WordPress website.” After further investigation into the files on the website, analysts uncovered a hidden encoded spam injector malware in the “./wp-content/themes/toolbox/functions.php” WordPress theme, masquerading as a license key.

“We had no access to their logs to determine the root cause, but it’s generally caused by compromised admin accounts or downloading and using themes/plugins from untrusted sources,” Moe Obaid, security analyst at Sucuri, told Threatpost.

WordPress themes are essentially website templates, specifying the fonts, colors, image placement and other design elements for a site. They can also be customized with tailored elements. When a customer orders a theme, it comes with a license key, like any software would. This key is required for any future updates, features and security patches.

“A license key is a place where a webmaster might not expect to find an infection,” said Obaid, in a Wednesday post. “The attacker formatted the encoded injector to look like a theme’s license key in order to distract the eyes of a less-trained security analyst from suspecting this to be malicious code.”

Interestingly, in addition to targeting a normally non-suspicious file, the attacker didn’t apply that much encoding to obfuscate the code – meaning that it essentially hides in plain sight. Obaid said that it was a simple process to decode the malware, which is housed in base64-encoded text within the $token variable.

Diving more into the malicious code itself, Sucuri found that the malware displays spam links to most user agents (i.e., the browsers and plug-ins that retrieve, render and facilitate end-user interaction with a site’s web content), with a few exceptions.

The malware checked what kind of user agent was visiting the infected site. If it was the Baidu or Yandex browser, or one of the web-based link-analyzing tools MJ12, Ezooms, Solomono, Roger, Linkpad, Semrush or Prodvigator, the malware wouldn’t display the spam links.

“The reason behind this step is to avoid the client being notified [of the malware] by these tools,” Obaid explained.

In general, the spam links that the malware serves up are hard-coded. However, Obaid believes the hard-coded links may differ from site to site, even as the offending spam domains remain mostly the same.
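As an added illustration (not code from Sucuri, Threatpost or the malware itself), the following Python detector implements the check a site owner could run over theme files: find long base64 string assignments such as the `$token` variable described above, decode them, and flag any that decode to PHP or HTML rather than to a plain key. The sample functions.php content, the spam domain and the injector text are constructed stand-ins; the crawler list is the one named in the article.

```python
"""Flag base64 blobs in WordPress theme PHP that decode to PHP/HTML code."""
import base64
import binascii
import re

# Strings that, once decoded, indicate code rather than a plain license key.
PHP_INDICATORS = ("HTTP_USER_AGENT", "preg_match", "eval(", "base64_decode",
                  "$_SERVER", "<a href")
# SEO/crawler names the report says the injector hides its spam links from.
CRAWLER_NAMES = ("baidu", "yandex", "mj12", "ezooms", "solomono", "roger",
                 "linkpad", "semrush", "prodvigator")
# Matches: $name = "<40+ base64 characters, possibly wrapped across lines>"
BASE64_ASSIGN = re.compile(r'\$(\w+)\s*=\s*["\']([A-Za-z0-9+/=\s]{40,})["\']')

# Constructed sample file: one benign key and one encoded injector mimicking a key.
_FAKE_INJECTOR = ('if (!preg_match("/baidu|yandex|semrush/i", $_SERVER["HTTP_USER_AGENT"])) '
                  '{ echo "<a href=\\"http://spam.example/\\">cheap</a>"; }')
SAMPLE_FUNCTIONS_PHP = (
    "<?php\n"
    '$license_key = "' + base64.b64encode(b"ABCD-1234-EFGH-5678-IJKL-9012-MNOP").decode() + '";\n'
    '$token = "' + base64.b64encode(_FAKE_INJECTOR.encode()).decode() + '";\n'
    "eval(base64_decode($token));\n"
)

def decode_blob(blob):
    """Return the decoded text, or None if the blob is not valid base64 / UTF-8."""
    try:
        return base64.b64decode(re.sub(r"\s+", "", blob), validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None

def scan_php_source(source):
    """Return one finding per variable whose decoded value looks like code."""
    findings = []
    for match in BASE64_ASSIGN.finditer(source):
        var, blob = match.groups()
        decoded = decode_blob(blob)
        if decoded is None:
            continue
        hits = [i for i in PHP_INDICATORS if i in decoded]
        if hits:  # a genuine license key decodes to no PHP or HTML at all
            crawlers = [c for c in CRAWLER_NAMES if c in decoded.lower()]
            findings.append({"variable": var, "indicators": hits,
                             "crawler_cloaking": crawlers})
    return findings

if __name__ == "__main__":
    for f in scan_php_source(SAMPLE_FUNCTIONS_PHP):
        print(f"${f['variable']}: {f['indicators']} cloaks {f['crawler_cloaking']}")
```

The benign `$license_key` is deliberately long enough to match the regex but is not reported, which is the distinction a grep for base64 alone cannot make.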

Malware obfuscation continues to be a creative hotspot for cybercriminals, with new techniques cropping up on a regular basis. For instance, last week researchers said they had detected 191,970 weaponized ads impacting around 1 million Mac users, which used a steganography technique to hide the Shlayer trojan inside the ads’ image files.

And last fall, a piece of malware was seen employing a VBS script with rudimentary Base64 encoding to obfuscate the first layer. That VBS script then downloaded and executed a DAT file via PowerShell. Researchers found that the script used techniques like string-splitting through concatenation and variable assignment, as well as tick marks and random letter capitalization, to break up the words that common antivirus signatures match on.

“We are used to finding malicious and nasty code in several different places and trying to hide it in a license key file is certainly one technique — such places can be easily overlooked/unsuspected by the site owner/webmaster/developer or the security analyst or less experienced eyes,” Obaid told Threatpost. “The hacker wants their code to be undetected and left there on the site as long as possible of course.”
As such, everything needs to be checked and examined properly when dealing with a compromised site, he noted.

The technique for now seems to be a one-off.

“As far as I can tell, it’s not part of any campaigns,” Obaid said. “I found a few similar cases previously for Magento, where the malware/credit-card swipers were placed in some third-party extensions’ license files in order to hide. So, techniques like these are individual cases.”

This post was updated at 3:55 p.m. ET on Jan. 30, 2019, to include additional comments from the malware researcher.

Discussion

  • Web Guy X:

    So which plugins have vulnerable license key settings?
  • White Fir Design:

    There are not any vulnerable license key settings involved in this. What is being described here is malicious code in a theme's function file, which isn't novel or newsworthy by itself. How it got added might be (which seems to be what you are getting at), but despite the source for this story being a company that is supposed to be protecting websites from being hacked, they didn't even try to determine how that happened. That seems like the real story here, since you can't do a good job of protecting websites if you don't know how they are being hacked. We frequently hear from people who were using such services that have failed to protect their websites, so what Threatpost should be covering here is why this company isn't doing the work they should have, but they don't seem to be interested in providing critical coverage of the security industry (maybe because of who owns them), despite it being badly needed.
    • Tara Seals:

      As I said at the top of the story, the malicious code is masquerading as a license key. The license keys themselves are not vulnerable. The researchers (who, to answer your question, said it got there the same way any other code would get there: hacking the site) said, as I explained in the story, that the part of this that they thought was interesting was the fact that the spam injector is purporting to be a license key, allowing it to stay hidden. If you're saying that disguising this type of thing as a license key is typical and common, then I can take that back to Sucuri for further comment.
  • Freepost:

    White Fir Design, good point.
  • Paul Herrick:

    Yeah, good point.
  • Paul M.:

    The funniest thing here is that the author of this post obviously has no idea what she's writing about. Maybe this website should find writers who actually know something about web security and WordPress, so that the article wouldn't sound comical.
    • Tara Seals:

      Feel free to let us know what it is that's wrong here. The story is about a spam-injecting malware that's interesting because it's pretending to be a license key -- not about WordPress per se.
