Threat Actors Weaponize WordPress Sites to Redirect Visitors to Malicious Domains
Security researchers identified a sophisticated malware campaign targeting WordPress websites, where threat actors embedded malicious code within core files to facilitate unauthorized redirects and search engine optimization (SEO) poisoning.
The infection was traced to the wp-settings.php file, a fundamental component of the WordPress framework, which had been altered to include two anomalous lines of PHP code.
These lines extracted the domain from the HTTP_HOST header, stripping any “www.” prefix for consistency, and leveraged PHP’s zip:// stream wrapper to dynamically include a payload from a concealed win.zip archive.
Specifically, the inclusion targeted a file within the archive named after the extracted hostname, enabling stealthy execution of obfuscated scripts without directly altering visible site assets.
Upon extraction, the win.zip file revealed a single PHP artifact packed with multi-layered obfuscation, including base64 encoding and variable substitutions, designed to evade static analysis and automated scanners.
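As an added detection example (not code from the article or from the researchers it cites), the following Python scanner flags the shape of injection described above in a WordPress core file: an include/require that pulls from a stream wrapper such as zip://, a reference to the HTTP_HOST header in a file that should not need one, and eval-of-decoded-payload chains. The sample file contents are constructed to mirror the article's description; the rule names, the helper for comparing a file against a known-good hash, and the idea that the reference hash comes from a clean copy of the same WordPress release are all assumptions of this example.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Patterns worth flagging in WordPress core/config files. The zip:// include keyed on
# HTTP_HOST is what the article describes; the extra wrappers and the eval/base64
# chain are assumed common companions, not something the article reports.
SUSPICIOUS_PATTERNS = {
    # include/require whose path (within one statement) uses a stream wrapper
    "stream_wrapper_include": re.compile(
        r"\b(include|include_once|require|require_once)\b[^;]{0,200}?"
        r"(zip|phar|data|php|compress\.zlib)://",
        re.IGNORECASE,
    ),
    # the request's Host header being read at all; stock wp-settings.php has no
    # reason to (assumption: review any hit in core files by hand)
    "host_header_used": re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_HOST['\"]\s*\]"),
    # eval() fed directly by a decoder, a classic obfuscation chain
    "eval_of_decoded": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(",
        re.IGNORECASE,
    ),
}


@dataclass
class Finding:
    line_no: int
    rule: str
    snippet: str


def scan_php_source(source: str) -> list[Finding]:
    """Run every rule over the whole source and report the line where each match starts."""
    findings: list[Finding] = []
    for rule, pattern in SUSPICIOUS_PATTERNS.items():
        for match in pattern.finditer(source):
            line_no = source.count("\n", 0, match.start()) + 1
            line_text = source.splitlines()[line_no - 1].strip()
            findings.append(Finding(line_no, rule, line_text[:120]))
    return sorted(findings, key=lambda f: f.line_no)


def core_file_matches_reference(file_bytes: bytes, reference_sha256: str) -> bool:
    """Integrity check: compare a core file with the hash of a clean copy of the same release."""
    return hashlib.sha256(file_bytes).hexdigest() == reference_sha256.lower()


# Constructed samples. The clean one imitates the opening of wp-settings.php; the
# infected one appends two lines shaped like the injection the article describes
# (host taken from HTTP_HOST with "www." stripped, then a zip:// include keyed on it).
CLEAN_SAMPLE = """<?php
define( 'WPINC', 'wp-includes' );
require ABSPATH . WPINC . '/load.php';
"""

INFECTED_SAMPLE = CLEAN_SAMPLE + """$h = preg_replace('/^www\\./', '', $_SERVER['HTTP_HOST']);
@include 'zip://' . __DIR__ . '/win.zip#' . $h;
"""

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(f"{name}: {len(scan_php_source(sample))} finding(s)")
        for f in scan_php_source(sample):
            print(f"  line {f.line_no} [{f.rule}] {f.snippet}")
```

In practice the scan is run over wp-settings.php, wp-config.php, index.php and the wp-includes tree, and any hit on `stream_wrapper_include` is treated as a confirmed modification until a diff against a clean release says otherwise.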
Discovery of Embedded Malware in Core Files
The malware’s operational logic initiated with environment detection routines, assessing whether the connection utilized HTTPS via server variables like $_SERVER['HTTPS'] or forwarded protocol headers, ensuring seamless integration with secure contexts to avoid mixed-content errors during external resource fetches.
A notable feature was its dynamic command-and-control (C2) server selection mechanism, which parsed the requested URI to route communications to varied endpoints, enhancing resilience against domain takedowns.
This URI-based routing allowed attackers to tailor malicious behaviors such as content injection or redirects based on specific page paths, potentially segmenting campaigns for different SEO targets or user profiles.
Complementing this was an anti-bot evasion layer that inspected user-agent strings for indicators of crawlers like Googlebot or Bingbot, suppressing malicious outputs to prevent indexing of spam content and detection by site administrators or security tools mimicking bot behavior.
Further dissection revealed the malware’s capabilities in remote content fetching and server communication, employing cURL or file_get_contents to pull data from attacker-controlled domains via POST requests, likely exfiltrating site metadata or infection status.
A core tactic involved SEO poisoning through manipulation of verification files and robots.txt; the script intercepted requests for Google site verification endpoints, forging responses to enable attacker verification in Google Search Console.
It also dynamically altered or created robots.txt files, appending sitemap directives that pointed search engine crawlers to malicious, attacker-hosted sitemaps on the compromised domain, thereby channeling legitimate site authority to boost spam rankings.
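Two checks a site owner can run for the SEO-poisoning behaviour just described, written here as an added example rather than code from the article: an audit of robots.txt that flags any Sitemap directive pointing off-site or to a sitemap path the site does not generate, and a probe for forged Google verification responses, which requests a verification filename with a random token and treats a 200 reply as a sign that something is answering for files that do not exist. The robots.txt text, the allowlist of sitemap paths, the fetch callables and the verification body format are constructed assumptions of this example.

```python
import re
import secrets
from typing import Callable, Tuple
from urllib.parse import urlsplit


def _bare_host(url: str) -> str:
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def audit_robots_txt(robots_txt: str, site_host: str, expected_sitemaps: set) -> list:
    """Return warnings for Sitemap directives that are off-site or not in the allowlist."""
    warnings = []
    for line_no, raw in enumerate(robots_txt.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")
        if key.strip().lower() != "sitemap":
            continue
        url = value.strip()
        host, path = _bare_host(url), urlsplit(url).path
        if host != site_host:
            warnings.append(f"line {line_no}: sitemap on foreign host {host!r}: {url}")
        elif path not in expected_sitemaps:
            warnings.append(f"line {line_no}: unexpected sitemap path {path!r}: {url}")
    return warnings


Fetch = Callable[[str], Tuple[int, str]]   # url -> (status, body)


def check_forged_verification(fetch: Fetch, site_url: str) -> bool:
    """True if the site answers a verification filename that nobody ever created.

    A genuine site returns 404 for an unknown google<token>.html; a script that
    forges verification responses answers any such name with a matching body.
    """
    name = f"google{secrets.token_hex(8)}.html"
    status, body = fetch(f"{site_url.rstrip('/')}/{name}")
    return status == 200 and name in body


# Constructed robots.txt: line 3 is the sitemap WordPress itself serves, line 4 is a
# sitemap path the site never generated, line 5 points at another host entirely.
ROBOTS_SAMPLE = """User-agent: *
Disallow: /wp-admin/
Sitemap: https://www.example.com/wp-sitemap.xml
Sitemap: https://example.com/wp-content/uploads/sitemap-xyz.xml
Sitemap: https://redirect-target.invalid/sitemap.xml
"""
EXPECTED_SITEMAPS = {"/wp-sitemap.xml"}


# Constructed fetchers standing in for HTTP requests to a clean and an infected site.
def clean_fetch(url: str) -> Tuple[int, str]:
    return 404, "Not Found"


def infected_fetch(url: str) -> Tuple[int, str]:
    name = url.rsplit("/", 1)[-1]
    if re.fullmatch(r"google[0-9a-f]+\.html", name):
        return 200, f"google-site-verification: {name}"   # assumed verification body format
    return 404, "Not Found"


if __name__ == "__main__":
    for w in audit_robots_txt(ROBOTS_SAMPLE, "example.com", EXPECTED_SITEMAPS):
        print("robots.txt:", w)
    print("forged verification (clean):", check_forged_verification(clean_fetch, "https://example.com"))
    print("forged verification (infected):", check_forged_verification(infected_fetch, "https://example.com"))
```

The random token matters: probing with a fixed or known filename would also succeed against a site where the owner legitimately placed that file, so only an unpredictable name distinguishes a forged responder from a real verification file.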
Redirection logic formed the malware’s endgame, conditionally routing visitors based on requested paths: accesses to products.php triggered redirects to wditemqy[.]enturbioaj[.]xyz, detail.php to oqmetrix[.]icercanokt[.]xyz, and other paths to yzsurfar[.]icercanokt[.]xyz.
According to the report, these domains served as C2 nodes for delivering spam or phishing content, exploiting the site’s traffic for illicit gains.
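Because the malware suppresses its behaviour for crawlers and redirects only real visitors on specific paths, a single check with one user agent can miss it. The added example below (not code from the article) takes paired observations of the same path fetched once with a browser user agent and once with a crawler user agent, and reports paths that redirect browsers off-site while crawlers still get a 200. The observations, the placeholder redirect hosts and the crawler classification regex are constructed for this example; the page paths are the ones the article names.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit


def _bare_host(url: str) -> str:
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def client_class(user_agent: str) -> str:
    """Classify a User-Agent the way the article says the malware does (assumed regex)."""
    return "crawler" if re.search(r"googlebot|bingbot", user_agent, re.IGNORECASE) else "browser"


def find_cloaked_redirects(observations, site_host: str) -> list:
    """Pair browser and crawler observations per path and flag off-site redirects.

    Each observation is a dict: path, user_agent, status, location (may be None).
    """
    by_path = defaultdict(dict)
    for obs in observations:
        by_path[obs["path"]][client_class(obs["user_agent"])] = obs

    alerts = []
    for path, seen in sorted(by_path.items()):
        browser, crawler = seen.get("browser"), seen.get("crawler")
        if browser is None or not (300 <= browser["status"] < 400) or not browser.get("location"):
            continue
        target = _bare_host(browser["location"])
        if target == site_host:
            continue                      # same-site redirects (e.g. slug changes) are normal
        alerts.append({
            "path": path,
            "target": target,
            # a crawler seeing 200 where a browser is redirected is the cloaking signature
            "cloaked_from_crawlers": crawler is not None and crawler["status"] == 200,
        })
    return alerts


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/128.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Constructed observations. The .invalid hosts are placeholders standing in for
# the attacker domains the article lists.
OBSERVATIONS = [
    {"path": "/products.php", "user_agent": BROWSER_UA, "status": 301, "location": "https://redirect-a.invalid/"},
    {"path": "/products.php", "user_agent": CRAWLER_UA, "status": 200, "location": None},
    {"path": "/detail.php", "user_agent": BROWSER_UA, "status": 301, "location": "https://redirect-b.invalid/"},
    {"path": "/detail.php", "user_agent": CRAWLER_UA, "status": 200, "location": None},
    {"path": "/about/", "user_agent": BROWSER_UA, "status": 200, "location": None},
    {"path": "/about/", "user_agent": CRAWLER_UA, "status": 200, "location": None},
    # a legitimate same-site redirect after a slug change: not an alert
    {"path": "/old-page", "user_agent": BROWSER_UA, "status": 301, "location": "https://www.example.com/new-page"},
    {"path": "/old-page", "user_agent": CRAWLER_UA, "status": 301, "location": "https://www.example.com/new-page"},
]

if __name__ == "__main__":
    for alert in find_cloaked_redirects(OBSERVATIONS, "example.com"):
        print(alert)
```

When collecting real observations, fetch without following redirects and record the Location header as sent, so a chain of hops does not hide the first off-site destination.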
Mitigation Strategies
The ramifications of such infections extend beyond immediate redirects, encompassing severe SEO manipulation via 301 redirects and injected sitemaps, which erode site authority and invite blacklisting by search engines and security vendors, resulting in reputational harm and potential traffic loss.
Detection challenges arise from the malware’s ZIP-based inclusion, obfuscation layers, and bot-evasion tactics, often necessitating expert forensic analysis for remediation.
To counter these threats, administrators should prioritize updating WordPress core, themes, and plugins to patch known vulnerabilities, sourcing them exclusively from trusted repositories like WordPress.org.
Enforcing robust credential hygiene (complex passwords and multi-factor authentication) and deploying a web application firewall (WAF) such as Sucuri provide proactive defenses.
Regular malware scans using automated tools, coupled with routine backups, ensure rapid recovery and minimize downtime.
As threat actors refine their techniques, vigilant security practices remain essential to safeguarding WordPress ecosystems from such weaponized exploits.