Malicious admin users get added to vulnerable WordPress sites often. This can happen in a variety of different ways, and sometimes the malware that creates these malicious users can hide in plain sight. Review this blog piece to read more about a fake WordPress admin creator.
Magento is a popular eCommerce CMS platform used by business owners to sell a variety of items. Because the CMS accepts credit card information, it is a popular target for attackers, who exploit vulnerabilities and inject code that steals credit card details. In most cases, the attackers who target eCommerce platforms with the end goal of stealing credit cards are quite sophisticated, and so is their malware. The piece of malware I recently found was carefully crafted to hide in an img tag to avoid detection.
Hiding in an img tag
An img tag is used for exactly what it sounds like – displaying an image. In this particular case, however, the malware was base64 encoded and hidden within an image tag instead of legitimate code referencing an image. The base64-encoded content is followed by an onerror handler, which is triggered if there is a problem loading the file or image. Normally, when an image fails to load, the browser just shows a broken image icon. Here, the onerror event is hijacked to run JavaScript instead. To summarize:
The credit card stealer is hidden inside a base64-encoded string within an img tag to help it avoid detection
An onerror event is triggered when the image or file fails to load
Normally this causes a broken image icon to appear in the browser
In this case however, the onerror event is being abused to execute malicious JavaScript instead
This carefully crafted piece of malware shows new ways attackers are injecting malware into Magento websites to avoid detection and keep their malware hidden as long as possible.
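As an added example (not code from the Sucuri post), the following Python scanner flags img tags whose onerror handler decodes or evaluates a base64 blob, the hijack pattern described above; the sample HTML and its harmless payload are constructed for the demonstration.

```python
import base64
import re
from html.parser import HTMLParser

# Calls a legitimate fallback handler has no reason to make.
SUSPICIOUS_CALL = re.compile(r"\b(atob|eval|Function|document\.write)\s*\(")
# A base64 run long enough to carry code rather than a short token.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_blobs(text):
    # Return every base64 run in text that decodes to printable text.
    out = []
    for blob in B64_BLOB.findall(text):
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # binary (a real data: image) or not base64 at all
        if decoded.isprintable():
            out.append(decoded)
    return out


class ImgOnErrorScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = {name: value or "" for name, value in attrs}
        handler = attrs.get("onerror", "")
        if not handler:
            return  # no onerror handler, nothing to hijack
        # The post puts the payload inside the img tag, so check every attribute.
        decoded = decode_blobs(" ".join(attrs.values()))
        if SUSPICIOUS_CALL.search(handler) or decoded:
            self.findings.append({"line": self.getpos()[0], "onerror": handler, "decoded": decoded})


def scan_html(html):
    scanner = ImgOnErrorScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample: a benign fallback handler and a hijacked one whose blob is a
# harmless console.log standing in for the skimmer described in the post.
PAYLOAD_B64 = base64.b64encode(b"console.log('constructed sample')").decode()
SAMPLE_HTML = f"""
<img src="/img/logo.png" onerror="this.onerror=null;this.src='/img/fallback.png'">
<img src="x" onerror="eval(atob('{PAYLOAD_B64}'))">
"""
```

Running scan_html(SAMPLE_HTML) reports only the second tag, with the decoded blob attached so an analyst can see what the handler would have executed.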
Would you like to read more? Visit the article at the Sucuri Blog.
Injecting malware via a fake WordPress plugin has been a common tactic of attackers for some time. This clever method is often used to bypass detection as attackers exploit the fact that plugins are not part of the core files of a WordPress site, making integrity checks more difficult. Attackers often hide the malicious plugin from the WordPress dashboard as well, which can make them harder to track down. Additionally, when creating fake malicious plugins, attackers give the plugin an innocent sounding name so the directory is easily overlooked.
Casino SEO Spam
Spam impacting SEO is quite common and comes in a variety of forms. Some spam targets sites to promote casinos, pharmaceuticals, and more. This tactic is nothing new and has been going on for some time. What makes this particular sample of malware stand out is the innocent naming convention of the spam and the placement of the malware. The attackers who crafted this malware used the following techniques:
Created a fake plugin to hide within legitimate plugins in the wp-content/plugins folder
Gave the plugin an innocent-looking name, security-wordpress, to avoid detection
Encoded sections of the code to make it more difficult to track
Used an innocent looking domain to contain multiple spam links
Attackers are coming up with new techniques daily to avoid detection for as long as possible and keep their malware active. This particular piece of code is a prime example of the ever-evolving landscape of malicious content, specifically SEO-related spam.
Would you like to read more? Visit the article at the Sucuri Blog.