BabaYaga malware found updating and reinstalling WordPress sites, removing competing malware
Security researchers at Defiant (formerly known as WordFence) have a discovered a new malware variant dubbed “BabaYaga” that is targeting WordPress sites using some pretty clever self-defensive techniques, including removing competing malware and updating the victim’s site.
Although the malware strain isn't new, its recent activities have made this low-key player a considerable threat for WordPress site administrators.
The malware - which is believed to be created by Russian hackers - can be used to create SEO spam pages, promote those pages to search engines, generate search engine traffic to those pages and then redirect the traffic to affiliate programs, noted the researchers.
"[BabaYaga] is relatively well-written, and it demonstrates that the author has some understanding of software development challenges, like code deployment, performance and management," researchers said in the blog post. "It can also infect Joomla and Drupal sites, or even generic PHP sites, but it is most fully developed around Wordpress."
The modus operandi of the malware is divided into two modules - a spam content is injected into the compromised sites and a backdoor module that gives attackers a control over an infected site at any time.
However, some fascinating aspects of this malware are two functions that allow it to update/reinstall the compromised WordPress and remove competing malware. According to the Defiant team, the reason for these two functions is directly linked with the malware's ability to inject spam into infected sites.
Researchers noted that because of the primary functionality of BabaYaga executing alongside WordPress on page load, it requires the application to be working properly.
"If something breaks WordPress, then the malicious scripts don’t get executed when a page is visited, " they said.
Hence the reason that malware wants to keep the victim's site up to date so that it's always working without bugs. The same desire to keep a compromised site error-free is also the reason that BabaYaga scans for other malware and removes them.
Defiant has already performed an in-depth analysis and provided proof-of-concept (POC) for this latest version of the malware.
"BabaYaga is an emerging threat that is more sophisticated than most malware", researchers said. "It deeply infects a site, spreads to other sites, ensures that the infected site is in good working order and will even remove other malware. It even has the ability to update or reinstall WordPress."