Increase In Malware Sightings on GoDaddy Managed Hosting

Today, March 15, 2022, the Wordfence Incident Response team alerted our Threat Intelligence team to an increase in infected websites hosted on GoDaddy’s Managed WordPress service, which includes MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress sites. These affected sites have a nearly identical backdoor prepended to the wp-config.php file. Of the 298 sites that have been newly infected by this backdoor starting 5 days ago on March 11, at least 281 are hosted with GoDaddy.

We started seeing an overall increase in infected sites starting on March 11th:

The backdoor in question has been in use since at least 2015. It generates spammy Google search results and includes resources customized to the infected site. The main backdoor is added to the very beginning of wp-config.php and looks like this:

The decoded version of the backdoor looks like this:

If a request with a cookie set to a certain base64-encoded value is sent to the site, the backdoor will download a spam link template from a command and control (C2) domain – in this case t-fish-karu – and save it to an encoded file with a name set to the MD5 hash of the infected site’s domain. For example, the encoded file for ‘’ would be named 8c14bd67a49c34807b57202eb549e461, which is a hash of that domain.

While the C2 domain does have a Russian TLD, we have no indication this attack campaign is politically motivated or related to the Russian invasion of Ukraine. The domain serves up a blank web page, but in 2019 was serving what appears to be adult content, possibly with an affiliate marketing angle.

The encoded file that is downloaded contains a template based on the infected site source code, but with links to pharmaceutical spam added. This spam link template is set to display whenever the site is accessed.

A snippet of the encoded spam link-template looks like this:
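
The naming scheme described above gives site owners something concrete to search for. The following is an added example, not code from the original article: it walks a document root and flags files named after the MD5 of any hostname the site answers to. The hostname list, the lowercase normalisation, the optional file extension and the sample tree are assumptions, since the article does not say which form of the domain is hashed or which directory the file is written to.

```python
import hashlib
import os
import tempfile


def candidate_names(hostnames):
    """Map MD5 hex digest -> hostname for every hostname the site serves."""
    names = {}
    for host in hostnames:
        host = host.strip().lower()  # assumption: the domain is hashed in lowercase
        if host:
            names[hashlib.md5(host.encode("utf-8")).hexdigest()] = host
    return names


def find_template_files(docroot, hostnames):
    """Return sorted (path, hostname) pairs for files under docroot whose name
    is the MD5 of a supplied hostname. An extension is tolerated (assumption)."""
    wanted = candidate_names(hostnames)
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for fname in files:
            stem = os.path.splitext(fname)[0].lower()
            if stem in wanted:
                hits.append((os.path.join(dirpath, fname), wanted[stem]))
    return sorted(hits)


def demo():
    """Scan a constructed document root; hostnames and files are made up."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        planted = hashlib.md5(b"shop.example.test").hexdigest()
        for rel in ("wp-config.php",
                    os.path.join("wp-content", "uploads", "logo.png"),
                    os.path.join("wp-content", planted)):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed sample\n")
        hits = find_template_files(root, ["example.test", "shop.example.test"])
        return [(os.path.relpath(path, root), host) for path, host in hits]


if __name__ == "__main__":
    for path, host in demo():
        print(f"suspicious: {path} (name is MD5 of {host})")
```

Pass every hostname and alias the site is served under, with and without `www.`, because a hit depends on hashing the same string the backdoor used.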