Recently, one of our analysts @kpetku came across a series of semi-randomised malware injections in multiple WordPress environments. Typical of spam redirect infections, the malware redirects visitors by calling malicious files hosted on third-party infected websites.
Interestingly, the infection stores itself as encoded content in the database and is called through random functions littered throughout plugin files, which fetch it with the very common WordPress function “get_option”. In this post we will review this infection and its characteristics.
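As an added illustration (not code from the original post or the analysts' own tooling), the following Python scanner flags plugin files in which a get_option() value is passed through a decode or execute function, and checks whether an option value is base64 that decodes to script or PHP; the sample file contents, option names and the infected.example host are constructed placeholders.

```python
import base64
import binascii
import re

# Constructed sample inputs (not from the page): a plugin file that feeds an
# option value into eval after decoding it, and one that uses get_option normally.
SUSPICIOUS_PHP = """<?php
function wp_helper_7a3() {
    $d = get_option('wp_helper_7a3_data');
    eval(base64_decode($d));
}
"""
BENIGN_PHP = """<?php
$title = get_option('blogname');
echo esc_html($title);
"""
# Constructed option value: base64 hiding a script tag that pulls count.php
# from another site (host is a placeholder).
ENCODED_SAMPLE = base64.b64encode(
    b'<script src="https://infected.example/wp-content/count.php"></script>').decode()

EXEC_DECODE = ("eval", "assert", "create_function", "base64_decode",
               "gzinflate", "gzuncompress", "str_rot13", "hex2bin")
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*get_option\s*\(\s*['\"]([^'\"]+)['\"]")
INLINE_RE = re.compile(r"\b(" + "|".join(EXEC_DECODE) + r")\s*\([^;]*get_option\s*\(\s*['\"]([^'\"]+)['\"]")

def suspicious_options(php_source: str) -> list:
    """Return option names whose value is decoded or executed in this file."""
    hits = []
    # Case 1: decode/exec wrapped directly around get_option(...)
    for m in INLINE_RE.finditer(php_source):
        hits.append(m.group(2))
    # Case 2: value stored in a variable that is later decoded/executed
    for var, option in ASSIGN_RE.findall(php_source):
        var_re = re.escape(var) + r"\b"
        for fn in EXEC_DECODE:
            if re.search(r"\b" + fn + r"\s*\([^;]*" + var_re, php_source):
                hits.append(option)
                break
    return sorted(set(hits))

def looks_like_encoded_php(option_value: str) -> bool:
    """True when an option value is valid base64 that decodes to PHP or script."""
    try:
        decoded = base64.b64decode(option_value, validate=True)
    except (binascii.Error, ValueError):
        return False
    text = decoded.decode("utf-8", errors="ignore")
    return any(marker in text for marker in ("<?php", "eval(", "<script", "document.write"))
```

Run suspicious_options() over every .php file under wp-content/plugins and looks_like_encoded_php() over a dump of wp_options.option_value to surface candidates for manual review.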
Symptoms of Infection
Our client first noticed that when accessing their website through Google search results their browser was caught in a redirect chain that eventually landed them at a bogus scam site. The redirect first lands the victim at
karlliscanutma[.]gq
And subsequently redirects to
cancroid[.]buzz
Finally landing them here:
ffzbdi[.]eatoccurwriter[.]top
Shortly after we reproduced this redirect, the domain was blacklisted by Google and taken offline:
They have since moved on to new questionable domains to host their scam:
gqrsor[.]maintravelcrease[.]top
These are all typical spam/scam sites that we security analysts are quite accustomed to seeing. This by itself is not out of the ordinary for WordPress infections, but what was atypical about this case was how it was injected into the website.
Unauthorised Third Party Content Loading in Source
The first questionable thing we noticed, which seemed to be triggering the redirect, were files named…
./wp-content/count.php
…loading through JavaScript tags from other infected websites:
Let’s investigate how this redirect code is being loaded in these pages!