Recently, one of our analysts @kpetku came across a series of semi-randomised malware injections in multiple WordPress environments. Typical of spam redirect infections, the malware redirects visitors by calling malicious files hosted on third-party infected websites.
Interestingly, the infection stores itself as encoded content in the database and is called through random functions littered throughout plugin files using a very common WordPress function, “get_option”. In this post we will review this infection and its characteristics.
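As an added defender-side example (not code from the original post or the infection itself), the scan below walks wp_options rows, peels base64 layers from values that look like encoded blobs, and flags any that decode to PHP execution primitives; the option names and the encoded payload are constructed for the demonstration.

```python
import base64
import re

# Constructed sample of wp_options rows as (option_name, option_value).
# The last row mimics an encoded PHP payload stored in the database, as described above.
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.com"),
    ("blogname", "Example Blog"),
    ("widget_text", 'a:1:{i:2;a:1:{s:4:"text";s:5:"hello";}}'),
    ("wp_theme_cache_x7",  # constructed, randomised-looking option name
     base64.b64encode(b'<?php eval(base64_decode($_POST["c"])); ?>').decode()),
]

# PHP constructs that legitimate option values almost never contain once decoded.
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|create_function|assert)\s*\(",
    re.IGNORECASE,
)
# A long run of base64-alphabet characters and nothing else.
B64_BLOB = re.compile(r"^[A-Za-z0-9+/=\s]{40,}$")


def decode_layers(value: str, max_depth: int = 3) -> str:
    """Peel up to max_depth layers of base64 so nested encodings are still inspected."""
    current = value
    for _ in range(max_depth):
        if not B64_BLOB.match(current.strip()):
            break
        try:
            current = base64.b64decode(current).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            break
    return current


def find_suspicious_options(rows):
    """Return option names whose raw or decoded value contains PHP execution primitives."""
    hits = []
    for name, value in rows:
        decoded = decode_layers(value)
        if SUSPICIOUS.search(value) or SUSPICIOUS.search(decoded):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("suspicious options:", find_suspicious_options(SAMPLE_OPTIONS))
```

Pair the hits with a grep for get_option calls in plugin files whose result is fed to eval or base64_decode, since the option value alone is inert until a loader reads it.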
Symptoms of Infection
Our client first noticed that when accessing their website through Google search results their browser was caught in a redirect chain that eventually landed them at a bogus scam site. The redirect first lands the victim at
And subsequently redirects to
Finally landing them here:
Shortly after reproducing this redirect, the domain was taken offline after being blacklisted by Google:
They have since moved on to new questionable domains to host their scam:
These are all typical spammy/scam sites that we security analysts are quite accustomed to seeing. This by itself is not out of the ordinary for WordPress infections, but what was atypical about this case was how it was injected into the website.
Unauthorised Third Party Content Loading in Source
The first questionable thing we noticed, and what seemed to be triggering the redirect, was a set of files named…
Let’s investigate how this redirect code is being loaded in these pages!