​New malware built for SEO injection found targeting WordPress sites

• The malware uses an innovative approach to evade detection by web admins.
• The malware is found targeting two different sites used by English and Korean-speaking searchers for ‘free’ downloads.

A clever malware designed for SEO injection has been found targeting WordPress sites. The malware uses an innovative approach to evade detection by web admins.

Functionalities of the malware

Researchers from Sucuri discovered that the new malware is targeting two different sites that are used by both English and Korean-speaking searchers for ‘free’ downloads. The malware has two distinct functionalities. This includes adding hidden links for indexing by search engines and redirecting visitors to spam content.

“What’s clever about this particular piece of malware is how it stores the spam content on the site and how it operates to inject the content into the original response sent by WordPress,” said Pedro Peixoto, a researcher at Sucuri in a blog post.

Once the malware injects the malicious JavaScript code into the web page, it allows the hackers to improve the exposure of their attack campaign and redirect visitors to third-party sites that could either serve malware or steal personal data.

Researchers have discovered two specific samples in the wild and that the malware has been installed on 173 distinct sites.

“Hacked sites affected by this kind of black hat SEO campaign can get links from around a thousand sites overnight,” said Peixoto.

Mitigation

Site owners are required to follow a cleanup procedure in order to prevent such SEO spams. They will need to find and remove the malicious code from the theme’s function.php. In addition, they should check the Wordpress for the presence of tables with unknown prefixes such as backupdb_wp_, backupdb_wp_posts and backupdb_wp_lstat.