Malvertising: WordPress Site Infections

December 18, 2021

A persistent malvertising attack targeting WordPress sites was discovered by Wordfence, a WordPress security provider. The exploit was first found in February 2017, and a team of experts investigated it before publishing a whitepaper in November 2019 to warn the WordPress community about the danger. The malvertising campaign, according to Wordfence, affects sites and is disseminated by hackers who distribute unauthorized WordPress themes and plugins.


WordPress Exploiting a Human Vulnerability


The malvertising exploit, unlike other malware injections, does not directly assault a WordPress site. It relies on users searching the internet for nulled content. Nulled content refers to software from which thieves have stripped the copyright protections so that it can be downloaded without paying the developer's fee. Attackers were able to weaponize these WordPress files by altering the code. Once installed on your site, the infection can spread to other sites hosted in the same environment.


The Malware's Detection Challenges


It's difficult to spot malicious code even for experienced security professionals. Attackers disguise the exploit by using seemingly normal file formats and naming conventions. Furthermore, sophisticated backend server infrastructure allows the attackers to remain active on your site even after a section of the infection has been removed.


Whenever you activate the infected theme file, a deployer script checks your site for any additional themes and adds a backdoor to every file. To prevent site administrators from detecting the malware by its modification date, the script additionally rewrites the time stamp on the theme file with the original date.


Making Money from Malvertising


Malvertising code is monetized in two ways by attackers. The crooks exploit search engine results to lure people to websites that hold the malware-infected files. Additional malware injections push dangerous advertisements onto users of the web page after your site has been successfully infected utilizing a compromised theme. The malvertising exploit subsequently allows crooks to profit from every compromised site's ad revenue.


The Malvertising Campaign's Scope


WordPress is used by over 455 million self-hosted websites worldwide. This represents 20% of all self-hosted websites. A single faulty theme file can infect every site in the network since the virus spreads automatically through lateral propagation throughout the whole hosted environment. Attackers can exploit the backdoor to distribute any other malware into the hosted environment due to the harmful nature of the code.


The attack's scalability poses a severe threat to developers, administrators, and website owners. It can change backend server addresses on the fly and re-infect files that have been cleaned, and the hardcoded backdoor allows attackers to add and delete code at will. Fortunately, Wordfence's team of researchers has developed tools and procedures for repairing affected websites.


How to Keep Your WordPress Site Safe


To begin, you should never use any nulled content obtained unlawfully on your WordPress site. Investing in a premium theme or using a featured, free theme from a known developer is safer. You should also uninstall any plugins or themes that the original creators no longer support.


If you've ever used a nulled theme, Wordfence included a list of indicators in the whitepaper linked above as an appendix. This provides a list of signatures linked to the malvertising campaign that targeted WordPress sites. Your administrators can determine whether your site is using infected theme files by looking for specific domains, user names, and download sites in your theme files and site logs.
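A triage script for the two checks described above (indicator strings in theme files, and the backdated time stamp the deployer script leaves behind), added here as an example and not code from Wordfence or the whitepaper. The function names, the baseline manifest and the indicator strings are assumptions; replace the placeholders with the domains, user names and download sites from the whitepaper's appendix.

```python
"""Triage WordPress theme files for signs of the nulled-theme campaign."""
import hashlib
import os

# PLACEHOLDERS: substitute the indicators from the whitepaper's appendix.
INDICATORS = ["placeholder-indicator-domain.invalid", "PLACEHOLDER_USER"]

# User space can rewrite a file's mtime (the deployer restores the
# original date) but cannot set ctime, which the kernel updates on every
# write. A ctime far ahead of mtime therefore points at backdating.
# Fresh archive extraction leaves the same gap, so confirm with a hash.
BACKDATE_GAP_SECONDS = 60

# Constructed sample content and baseline for demonstration only.
SAMPLE_GOOD = b"<?php\n/* Theme Name: Example */\nadd_action('init', 'x');\n"
SAMPLE_BASELINE = {"functions.php": hashlib.sha256(SAMPLE_GOOD).hexdigest()}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def classify(rel_path, content, mtime, ctime, baseline):
    """Return a list of reasons the file is suspect; empty means clean.

    baseline maps relative path -> SHA-256 of the known-good file."""
    reasons = []
    expected = baseline.get(rel_path)
    if expected is None:
        reasons.append("not in baseline manifest")
    elif expected != sha256_hex(content):
        reasons.append("hash differs from baseline")
    text = content.decode("utf-8", errors="replace")
    hits = [i for i in INDICATORS if i in text]
    if hits:
        reasons.append("indicator strings: " + ", ".join(hits))
    if ctime - mtime > BACKDATE_GAP_SECONDS:
        reasons.append("possible backdating: ctime %.0fs after mtime"
                       % (ctime - mtime))
    return reasons


def scan_theme(theme_dir, baseline):
    """Walk a theme directory; map each suspect file to its reasons."""
    flagged = {}
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, theme_dir)
            st = os.stat(full)
            with open(full, "rb") as fh:
                reasons = classify(rel, fh.read(), st.st_mtime,
                                   st.st_ctime, baseline)
            if reasons:
                flagged[rel] = reasons
    return flagged
```

Run `scan_theme("/path/to/wp-content/themes/<theme>", baseline)` with a manifest generated from a clean copy of the same theme version; a file that is both hash-mismatched and backdated is the strongest lead.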