Today’s post will have an in depth look at certain kinds of malware and how they are hosted on a victim’s WordPress (WP) site. That’s right, WordPress sites are often used by threat actors to host some of their malware that they can send to their victims.
Background
It makes sense for hackers to use a site they compromised, i.e. they don’t own, for their activity. That way, it cannot be traced back to them as easily.
Some malware variants deliver their payloads in stages. One example of this could be through a phishing email. The phishing email is sent in a targeted or non-targeted campaign against a large number of people. Inside of the crafted phishing mail, attackers may attempt to pretend to be a bank or other trusted source of data that a user may already be vested into. They can either embed a hyperlink into the mail asking a user to “update their information” or “change their password” or they can send an attached document.
The document isn’t necessarily malicious, but inside of it are small pieces of code that attempt to download a payload from the internet. These documents will often socially engineer a user to run this code. Office documents that behave like this may look like the below picture:
The document is trying to make the user run a macro so the code will execute, this is where wordpress comes in. The macro executes which sends the user to whatever website the attacker wants. The attacker will host their payload on a wordpress site that they compromised earlier and send the user there.
Compromised Sites
The websites that are compromised have been done purposefully for hosting a malware’s payload. They will hack the site first, possibly exploiting one of the vulnerabilities we’ve described before. On WordPress, a hacker will create a new link on the website where they can send the victims who click on their links. One example of one of these links could be like this:
hxxp://[redacted]/wp-admin/8m9wc1j8ttxslkx0po9q51kj_mctvz4tmu-79419847933/Note the above link creates a new page at /wp-admin/[random string]. This page is created with the random string so it is harder for admins to find and remove. Security solutions can look for this kind of activity and alert administrators to it before it can do too much damage.
Payloads
The link above is an example of a download link. It hosts and will download likely an executable file that will either need to be run by the user, or may run automatically if advanced enough. This is when the real infection occurs and now that malware will attempt to do the normal malware things: steal credentials, escalate privileges, exfiltrate data, spread to other systems, and the list goes on.
Conclusion
This quick post will hopefully bring to light just one of the many method a hacker can use to get malware onto a target using websites. There are tons of compromised WP sites out there and more are being discovered as part of a growing network of malware every day.
Happy hosting