A new malware has been spotted that is affecting WordPress sites. Web security company Sucuri discovered this spam-injector malware last week.
Affected websites were flooded with spam URLs, and a detailed analysis traced the malware to a theme file, where the injector was disguised as a license key.
“The attacker formatted the encoded injector to look like a theme’s license key in order to distract the eyes of a less-trained security analyst from suspecting this to be malicious code,” said Mohammed Obaid, a security analyst at Sucuri.
“Not only did the attacker add malware to an 'unsuspicious' file, but they also hardly used any encoding to ensure it was well hidden. The injected code contained a few layers of encoding to further obfuscate it from detection,” he explains further in an official blog.
WordPress themes generally contain templates with various design elements such as fonts, color palettes, page layouts, and more. When a site owner buys a theme, it comes bundled with a license key that is required to install updates or new features for that theme, which is why a key-like string in a theme file does not look out of place.
There’s much more to the malware
When Sucuri deconstructed the malware’s payload, it found many hidden, malicious links present within the HTML source. These links varied from site to site, but the domains remained the same.
The malware also withheld the spam URLs from certain crawlers: Baidu, Yandex, MJ12 and Ezooms were among a list of 14 excluded search engines and bots.
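To make the hiding technique concrete, here is an added Python scanner (not Sucuri’s code or anything from the post) that finds long base64-looking string literals assigned to variables in a theme file, peels off the encoding layers, and flags payloads carrying injector indicators such as user-agent checks for the crawlers named above. The sample theme file and its base64/zlib layering are constructed for this example; the real injector’s exact encoding is not described on the page.

```python
import base64
import re
import zlib

# Constructed sample, built here so the example runs offline. The real injector's
# layering is not on the page; base64 -> zlib -> base64 is an assumption.
INNER_PHP = (b"<?php if(!preg_match('/baidu|yandex|mj12|ezooms/i',$_SERVER['HTTP_USER_AGENT']))"
             b"{echo '<div style=\"display:none\"><a href=\"http://spam.example/\">x</a></div>';}")
LAYERED = base64.b64encode(zlib.compress(base64.b64encode(INNER_PHP))).decode()
SAMPLE_THEME_FILE = ("<?php\n// Theme license activation\n"
                     f"$theme_license_key = '{LAYERED}';\n"
                     "$real_key = 'ABCD-1234-EFGH-5678';\n")

# Long base64-alphabet literals assigned to a variable. A genuine license key is
# short and usually hyphenated, so it never matches this pattern.
CANDIDATE = re.compile(r"\$(\w+)\s*=\s*['\"]([A-Za-z0-9+/=]{40,})['\"]")
# Strings that a decoded "license key" should never contain.
INDICATORS = ("eval(", "base64_decode", "gzinflate", "http_user_agent",
              "display:none", "baidu", "yandex", "mj12", "ezooms")

def peel_layers(blob: bytes, max_depth: int = 6):
    """Strip base64/zlib layers until neither applies; return (payload, depth)."""
    depth = 0
    while depth < max_depth:
        try:
            blob = base64.b64decode(blob, validate=True)
        except ValueError:  # not base64 (binascii.Error is a ValueError); try zlib
            try:
                blob = zlib.decompress(blob)
            except zlib.error:
                break
        depth += 1
    return blob, depth

def scan_theme_file(text: str):
    """Return one finding per disguised literal that decodes to injector-like code."""
    findings = []
    for name, literal in CANDIDATE.findall(text):
        payload, depth = peel_layers(literal.encode())
        lowered = payload.decode("latin-1").lower()
        hits = sorted(i for i in INDICATORS if i in lowered)
        if depth and hits:
            findings.append({"var": name, "layers": depth, "indicators": hits})
    return findings

if __name__ == "__main__":
    for f in scan_theme_file(SAMPLE_THEME_FILE):
        print(f"${f['var']}: {f['layers']} encoding layers, indicators {f['indicators']}")
```

The decoded payload is only inspected, never executed; on a live site the flagged file should be compared against a clean copy of the theme before removal.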