A new wave of advanced cyberattacks has been detected targeting WordPress websites, leveraging highly sophisticated malware to reroute site visitors to malicious domains and inject unauthorized content.
The campaign, first identified when a concerned customer reported persistent, unexplained redirects, was found to exploit the very core of WordPress installations, notably the critical wp-settings.php file.

Malware Uses ZIP Archive
Technical investigations revealed the malware’s vector: two suspicious lines of PHP code embedded in core files.
The attack reads the HTTP_HOST header to obtain the site’s domain, stripping the “www.” prefix so the lookup works for either form, and then uses PHP’s lesser-known zip:// stream wrapper.
This wrapper loads and executes a payload hidden inside a seemingly benign archive named win.zip.
Because the file pulled from the archive is named after the site’s domain, the attack launches a PHP script full of obfuscated logic and bypasses traditional detection methods.
Once executed, the malicious script immediately establishes its environment, detecting protocols such as HTTPS and setting the stage for dynamic operations.
A unique feature of this malware is its use of multiple, switchable Command and Control (C2) servers.
Based on the visited URL, the malware can designate different C2 endpoints, making takedowns difficult and blocking efforts less effective.
This strategy also enables attackers to selectively serve malicious content that aligns with specific user demographics or SEO niches, heightening the threat’s efficacy.
Remote Control Directives
Further analysis exposed the malware’s sophisticated anti-bot mechanism: it actively scans visitor headers to identify bots like Googlebot, Bing, and Yahoo.
When bots are detected, the malware suppresses its redirect and spam functions, ensuring injections remain hidden from search engines and most automated security scans.
This enables infected sites to avoid fines, blacklisting, or being flagged in search results, thereby prolonging the malware’s lifespan on compromised systems.
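The two behaviours described above, the zip:// include keyed on HTTP_HOST and the crawler-gated redirect, leave textual traces in the tampered core file. The following scanner is an added example, not code from the article or from WordPress; its indicator regexes, weights and alert threshold are assumptions to be tuned per environment, and the three PHP snippets are constructed fixtures, not real samples.

```python
"""Static indicator scan for WordPress core-file tampering of the kind the
article describes. Added example; not from the article or WordPress."""
import re
from pathlib import Path

# Each indicator: (name, regex, weight). Weights and threshold are assumptions
# chosen so that a single incidental match does not raise an alert by itself.
INDICATORS = [
    ("zip_wrapper_include",
     re.compile(r"\b(include|include_once|require|require_once)\s*\(?\s*['\"]zip://", re.I), 3),
    ("host_derived_path",   # HTTP_HOST read shortly before an include/require
     re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_HOST['\"]\s*\].{0,120}?(include|require)", re.I | re.S), 2),
    ("strip_www",           # the "www." normalisation the article mentions
     re.compile(r"(str_replace|preg_replace|ltrim)\s*\(\s*['\"]\^?www\\?\.", re.I), 1),
    ("crawler_ua_gate",     # search-engine crawler names near a User-Agent check
     re.compile(r"(googlebot|bingbot|yahoo|slurp).{0,200}?HTTP_USER_AGENT"
                r"|HTTP_USER_AGENT.{0,200}?(googlebot|bingbot|yahoo|slurp)", re.I | re.S), 2),
    ("header_redirect",
     re.compile(r"header\s*\(\s*['\"]Location:", re.I), 1),
]
ALERT_THRESHOLD = 3  # assumption: raise if your plugins legitimately gate on crawler UAs


def scan_source(source: str) -> dict:
    """Return the matched indicator names, their summed weight and an alert flag."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(source)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "alert": score >= ALERT_THRESHOLD}


def scan_wordpress_core(root: str, files=("wp-settings.php", "wp-config.php", "index.php")) -> dict:
    """Scan the named core files under a WordPress install root (files that
    should never contain stream-wrapper includes or User-Agent logic)."""
    results = {}
    for name in files:
        path = Path(root) / name
        if path.is_file():
            results[name] = scan_source(path.read_text(errors="replace"))
    return results


# Constructed fixtures, not real samples.
CLEAN_WP_SETTINGS = """<?php
define( 'WPINC', 'wp-includes' );
require ABSPATH . WPINC . '/load.php';
"""

TAMPERED_WP_SETTINGS = """<?php
$h = str_replace('www.', '', $_SERVER['HTTP_HOST']);
include('zip://' . __DIR__ . '/win.zip#' . $h . '.php');
define( 'WPINC', 'wp-includes' );
"""

UA_GATED_REDIRECT = """<?php
if (!preg_match('/googlebot|bingbot|yahoo/i', $_SERVER['HTTP_USER_AGENT'])) {
    header('Location: ' . $target);
}
"""

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_WP_SETTINGS),
                       ("tampered", TAMPERED_WP_SETTINGS),
                       ("ua-gated", UA_GATED_REDIRECT)):
        print(label, scan_source(src))
```

Run `scan_wordpress_core("/path/to/wordpress")` against a live install; any hit in `wp-settings.php` warrants comparing the file with a pristine copy of the same WordPress version, since core files contain none of these constructs.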
The attack’s reach extends to crucial SEO files. It can intercept requests for Google site verification files, allowing hostile actors to verify compromised domains within Google Search Console and seize control of their SEO settings.
By manipulating robots.txt, appending attacker-controlled sitemaps, and serving targeted payloads retrieved from remote C2 servers, attackers poison search engine results with spam content hosted on reputable domains.
At the core of the campaign is search engine poisoning. The malware rewrites essential SEO infrastructure, introducing unauthorized sitemaps and performing tailored 301 redirects.
Analysis linked specific paths like products.php and detail.php to a web of malicious domains, with others rerouting to additional attacker infrastructure.
Confirmed C2 domains include wditemqy.enturbioaj[.]xyz, oqmetrix.icercanokt[.]xyz, and yzsurfar.icercanokt[.]xyz.
These domains coordinate the injection of search engine spam, distribution of malicious content, and collection of stolen data through encrypted POST requests.
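Two of the SEO artefacts named above can be audited from the content a site actually serves: attacker-appended Sitemap: lines in robots.txt, and Google verification files carrying tokens the owner never issued. The checks below are an added example, not from the article; the site host, allowlist, robots.txt text and verification tokens are constructed inputs.

```python
"""Audit of robots.txt sitemap entries and Google HTML verification files.
Added example; inputs are constructed, not captured from an infected site."""
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse


def _bare_host(host: str) -> str:
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def audit_robots(robots_txt: str, site_host: str, allowed_sitemaps: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, url, reason) for Sitemap: lines that point to another
    host or to a sitemap the owner did not register."""
    findings = []
    for lineno, raw in enumerate(robots_txt.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.lower().startswith("sitemap:"):
            continue
        url = line.split(":", 1)[1].strip()
        host = _bare_host(urlparse(url).hostname or "")
        if host != _bare_host(site_host):
            findings.append((lineno, url, "sitemap points to another host"))
        elif url not in allowed_sitemaps:
            findings.append((lineno, url, "sitemap not in owner allowlist"))
    return findings


def audit_verification_file(filename: str, body: str, owner_tokens: Set[str]) -> Optional[str]:
    """Google's HTML verification file is named google<token>.html and contains
    exactly 'google-site-verification: google<token>.html'. A served file whose
    token the owner never issued means a third party can verify the domain in
    Search Console. Returns a finding string, or None if nothing is wrong."""
    if not (filename.startswith("google") and filename.endswith(".html")):
        return None
    token = filename[len("google"):-len(".html")]
    if body.strip() != f"google-site-verification: {filename}":
        return "verification file body does not match Google's format"
    if token not in owner_tokens:
        return f"unknown verification token {token}"
    return None


# Constructed inputs.
SITE_HOST = "example.com"
ALLOWED_SITEMAPS = {"https://example.com/sitemap.xml"}
OWNER_TOKENS = {"0123456789abcdef"}
ROBOTS_SAMPLE = """User-agent: *
Disallow: /wp-admin/
Sitemap: https://www.example.com/sitemap.xml
Sitemap: https://example.com/products-sitemap.xml
Sitemap: https://attacker-controlled.invalid/sitemap.xml
"""

if __name__ == "__main__":
    for finding in audit_robots(ROBOTS_SAMPLE, SITE_HOST, ALLOWED_SITEMAPS):
        print(finding)
    print(audit_verification_file("googlefeedfacecafebeef.html",
                                  "google-site-verification: googlefeedfacecafebeef.html",
                                  OWNER_TOKENS))
```

Note that line 3 of the sample is reported only because the allowlist holds the non-www form; keep the allowlist in exactly the form your site serves, or normalise both sides, so the audit stays quiet on legitimate entries and loud on appended ones.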
The use of multi-layered obfuscation, core file tampering, ZIP-wrapped payloads, and anti-bot logic marks a new zenith in web-based malware sophistication.
Victims face significant reputational, operational, and financial risk, from compromised SEO to potential inclusion on malware blacklists.
Security professionals urge all WordPress site owners to update their software regularly, enforce strong access controls, and implement proactive malware scanning.
While the attackers’ tactics have grown more intricate, adherence to robust security protocols remains the front line of defense.