Stealthy Malware Disguises Itself as a WordPress License Key
#1
Quote: A spam injector hides in plain site within WordPress theme files.

UPDATE

A spam-injecting malware is targeting WordPress site owners by disguising itself as a legitimate license key for a WordPress design theme.
According to analysis from Sucuri, a customer opened a malware removal ticket reporting “some weird spam URLs injected onto their WordPress website.” After further investigation into the files on the website, analysts uncovered a hidden encoded spam injector malware in the “./wp-content/themes/toolbox/functions.php” WordPress theme, masquerading as a license key.
WordPress themes are essentially website templates, specifying the fonts, colors, image placement and other design elements for a site. They can also be customized with tailored elements. When a customer orders a theme, it comes with a license key, like any software would. This key is required for any future updates, features and security patches.

“A license key is a place where a webmaster might not expect to find an infection,” said Moe Obaid, security analyst at Sucuri, in a Wednesday post. “The attacker formatted the encoded injector to look like a theme’s license key in order to distract the eyes of a less-trained security analyst from suspecting this to be malicious code.”

Interestingly, in addition to targeting a normally non-suspicious file, the attacker didn’t apply that much encoding to obfuscate the code – meaning that it essentially hides in plain sight. Obaid said that it was a simple process to decode the malware, which is housed in base64-encoded text within the $token variable.

Diving more into the malicious code itself, Sucuri found that the malware displays spam links to most user agents (i.e., browsers and plug-ins that retrieve, render and facilitate end-user interaction with a site’s web content), with a few exceptions. User agents are browsers and different types of plug-ins that display a website’s content to a visitor.

Read full article:  SOURCE
Reply
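A defender-side check for the pattern the quoted article describes (a base64 string held in a theme-file variable such as $token and dressed up as a license key), as an added example that is not code from Sucuri, the article or this thread. The function names, the marker list and the sample file content are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Quoted PHP string literal assigned to a variable, e.g. $token = "....";
ASSIGNMENT = re.compile(r"""(\$\w+)\s*=\s*(['"])([A-Za-z0-9+/=\s]{24,})\2""")
# Assumed marker list: content that does not belong in a license key once decoded.
SUSPICIOUS = re.compile(rb"https?://|<a\s|<\?php|eval\s*\(|HTTP_USER_AGENT", re.I)


def decode_candidate(literal):
    """Return the decoded bytes if the literal is well-formed base64, else None."""
    compact = re.sub(r"\s", "", literal)
    if len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_php(source):
    """Return [(variable, markers)] for literals that decode to link or PHP content."""
    findings = []
    for var, _quote, literal in ASSIGNMENT.findall(source):
        decoded = decode_candidate(literal)
        if decoded is None:
            continue
        markers = sorted({m.group(0).lower().decode()
                          for m in SUSPICIOUS.finditer(decoded)})
        if markers:
            findings.append((var, markers))
    return findings


# Constructed sample, not the real injector: a harmless link, base64-encoded.
_PAYLOAD = base64.b64encode(
    b'<a href="http://spam.example/pills">cheap pills</a>').decode()
SAMPLE_FUNCTIONS_PHP = f'''<?php
$license_key = "9f8e7d6c5b4a39281706f5e4d3c2b1a0"; // decodes to random bytes
$token = "{_PAYLOAD}"; // decodes to HTML with a URL
'''

if __name__ == "__main__":
    for var, markers in scan_php(SAMPLE_FUNCTIONS_PHP):
        print(f"{var}: decoded literal contains {markers}")
```

A key-shaped string that decodes to opaque bytes is left alone; only literals whose decoded form contains links or PHP constructs are reported for manual review.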
#2
I edited your topic to add quotes and copy only part of the article
Reply
#3
Thank you for your time
Reply