The campaign has been active since September 2022, and the recent surge in website infections was noted in January 2023.
Sucuri researchers have reported a backdoor that has successfully infected around 11,000 websites in recent months. Here are the details shared by Sucuri in its technical report.
Several Google products have lately been exploited and abused to spread malware and other malicious components, including Google Ads, Google Home, and Google Drive.
In fact, a study revealed that Google Drive accounted for 50% of malicious Office document downloads in 2022.
Backdoor Redirects Visitors of Hacked Sites to Ad-Fraud Pages
According to Sucuri's research, the backdoor redirects visitors of compromised sites to pages that generate fraudulent views of Google AdSense ads. The company's SiteCheck remote scanner has detected more than 10,890 infected sites. The activity has intensified recently: in 2023 alone, 70 new malicious domains posing as legitimate URL shorteners and 2,600 newly infected sites have been discovered.
All the infected websites detected by Sucuri run the WordPress CMS. Each had an obfuscated PHP script injected into legitimate core files such as index.php, wp-activate.php, wp-signup.php, and wp-cron.php.
How Does the Attack Work?
In the past two months, Sucuri researchers have identified over 75 pseudo-short-URL domains linked to the redirected traffic. Almost all of the malicious URLs appear to belong to the same URL-shortening service, and some even mimic the names of popular shorteners such as Bitly.
Visitors are redirected to a range of low-quality websites built on the Question2Answer CMS, with discussion topics mostly related to cryptocurrency or blockchain.
Researchers suspect the choice of topic may be deliberate, intended to promote new cryptocurrencies for pump-and-dump or ICO fraud. They are confident, however, that the primary objective is ad fraud: inorganically inflating traffic to sites carrying the operators' AdSense ID so that Google ads are displayed and generate revenue.
How Does It Evade Detection?
Some of these infections also inject obfuscated code into wp-blog-header.php. This code acts as a backdoor that survives disinfection attempts: because wp-blog-header.php is loaded on every page request, the injected code runs each time the site is visited and reinfects any files that have been cleaned.
“Since the additional malware injection is lodged within the wp-blog-header.php file, it will execute whenever the website is loaded and reinfect the website. This ensures that the environment remains infected until all traces of the malware are dealt with.”
The malware also hides its presence by suppressing the redirect when the visitor is logged in as an administrator, or when the visitor has already hit the infected site within the previous 2 to 6 hours, so a site owner checking their own pages is unlikely to see it. The malicious code itself is concealed with Base64 encoding.
How Are URL Shorteners Abused in the Attack?
Entering any of these domain names directly into a browser redirects to a real URL-shortening service such as Cuttly or Bitly, which lends them an air of legitimacy, but the domains are not genuine public URL shorteners. Each domain has only a few working URLs, and those redirect visitors to the spammy Q&A sites carrying AdSense monetization.
In a blog post, Sucuri researcher Ben Martin stated that the “backdoors download additional shells and a Leaf PHP mailer script from a remote domain filestacklive and place them in files with random names in wp-includes, wp-admin, and wp-content directories.”
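As an added example (not code from Sucuri's report or from the campaign itself), the following Python script triages a WordPress install for the two traits described above: Base64-wrapped code injected into the named core entry files and into the wp-blog-header.php reinfection hook, and PHP files dropped under wp-admin or wp-includes that are not part of core. The core allow-list, the sample tree it builds in a temporary directory, the payload and the short.example.invalid domain are all constructed for the demonstration.

```python
"""Triage scanner for the WordPress injection pattern described above.

Added example, not Sucuri's tooling or the campaign's own code. It checks
(1) the core entry files named in the report for eval/Base64 obfuscation
and decodes any long Base64 literals for inspection, and (2) wp-admin and
wp-includes for PHP files that are not on a core allow-list, which is how
randomly named dropped shells show up. All sample files are constructed.
"""
import base64
import re
import tempfile
from pathlib import Path

# Core entry files the report names as injection targets, plus the
# wp-blog-header.php reinfection hook.
TARGET_FILES = ("index.php", "wp-activate.php", "wp-signup.php",
                "wp-cron.php", "wp-blog-header.php")

# Where the report says random-name shells and the mailer are dropped.
# wp-content is left out because plugins legitimately put PHP there.
DROP_DIRS = ("wp-admin", "wp-includes")

# Stand-in allow-list (assumption): in practice take the file list of the
# installed WordPress release, e.g. via `wp core verify-checksums`.
KNOWN_CORE_FILES = {
    "wp-admin/admin.php", "wp-admin/index.php",
    "wp-includes/functions.php", "wp-includes/plugin.php",
}

# Generic obfuscation wrappers, not the campaign's exact code.
EVAL_WRAPPER = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")


def decode_b64_literals(source: str) -> list:
    """Decode long Base64 string literals that turn out to be readable text."""
    decoded = []
    for literal in B64_LITERAL.findall(source):
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:  # bad padding or not really Base64
            continue
        text = raw.decode("utf-8", errors="replace")
        printable = sum(c.isprintable() or c.isspace() for c in text)
        if text and printable / len(text) > 0.9:
            decoded.append(text)
    return decoded


def scan_file(path: Path) -> dict:
    """Flag a single PHP file for eval-wrapped or Base64-hidden code."""
    source = path.read_text(errors="replace")
    has_eval = EVAL_WRAPPER.search(source) is not None
    payloads = decode_b64_literals(source)
    return {"eval_wrapper": has_eval, "decoded_payloads": payloads,
            "suspicious": has_eval or bool(payloads)}


def find_unknown_php(root: Path, known: set) -> list:
    """PHP files under the drop directories that are not on the allow-list."""
    unknown = []
    for directory in DROP_DIRS:
        for php in (root / directory).rglob("*.php"):
            rel = php.relative_to(root).as_posix()
            if rel not in known:
                unknown.append(rel)
    return sorted(unknown)


def scan_install(root: Path, known: set) -> dict:
    """Run both checks over a WordPress document root."""
    injected = {}
    for name in TARGET_FILES:
        path = root / name
        if path.exists():
            result = scan_file(path)
            if result["suspicious"]:
                injected[name] = result
    return {"injected": injected, "unknown_php": find_unknown_php(root, known)}


def build_demo_install() -> Path:
    """Constructed sample tree: two injected entry files, one clean, one dropped shell."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    for directory in DROP_DIRS:
        (root / directory).mkdir()
    for rel in KNOWN_CORE_FILES:
        (root / rel).write_text("<?php // core file placeholder\n")
    # Constructed stand-in payload: a redirect to a made-up shortener domain.
    payload = "header('Location: https://short.example.invalid/abc');"
    blob = base64.b64encode(payload.encode()).decode()
    (root / "index.php").write_text(
        f"<?php eval(base64_decode('{blob}')); ?>\n"
        "<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';\n")
    (root / "wp-blog-header.php").write_text(
        f"<?php $x = '{blob}'; eval(base64_decode($x));\n")
    (root / "wp-cron.php").write_text("<?php // clean placeholder\n")
    (root / "wp-includes" / "x8d2k1.php").write_text("<?php // dropped shell placeholder\n")
    return root


if __name__ == "__main__":
    report = scan_install(build_demo_install(), KNOWN_CORE_FILES)
    for name, result in report["injected"].items():
        print(f"{name}: eval wrapper={result['eval_wrapper']}, "
              f"decoded={result['decoded_payloads']}")
    print("unexpected PHP files:", report["unknown_php"])
```

On a real site, replace KNOWN_CORE_FILES with the file list for the installed release (WP-CLI's `wp core verify-checksums` compares core files against the official checksums), and treat a decoded payload containing a header('Location: ...') redirect or a remote fetch as a reason to restore the file from a clean copy rather than edit it in place. Because the wp-blog-header.php hook reinfects cleaned files on the next request, remove every injected file and dropped shell in one pass and rescan after a few page loads.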
“At this point, we haven’t noticed malicious behaviour on these landing pages. However, at any given time, site operators may arbitrarily add malware or start redirecting traffic to other third-party websites,” researchers noted.