Spam Injector Disguised as License Key in WordPress Website

  • January 29, 2019
Spam Injector Disguised as a License Key in a WordPress Website

Here at Sucuri, we clean WordPress websites every day. There are various types of common malware, but when we stumble upon a different scenario, our research team likes to dig deeper and conduct a complete investigation.

A license key is a place where a webmaster might not expect to find an infection, however, in this particular case, this is where we found one.

A Spam Injector Resembling a License Key

A client opened a malware removal ticket reporting some weird spam URLs injected onto their WordPress website. After further investigation into the files in the website, we discovered a hidden encoded spam injector malware in the following theme file:

./wp-content/themes/toolbox/functions.php

The attacker formatted the encoded injector to look like a theme’s license key in order to distract the eyes of a less-trained security analyst from suspecting this to be malicious code.

Here is the malware that resembles a license key inside a WordPress theme:

Encoded Injection Resembing a Theme License Key
Encoded Injection Resembling a Theme License Key

Layers and Layers of Encoding

Not only did the attacker add malware to an “unsuspicious” file, but they also hardly used any encoding to ensure it was well hidden.

The injected code contained a few layers of encoding to further obfuscate it from detection.

Here we show how we began to uncover their secret by decoding the base64-encoded text within the $token variable:

base64-encoded text within the $token variable
Base64-encoded Text within the $token Variable

Base64 was used to disguise the malware. Wikipedia defines Base64 as a group of similar binary-to-text encoding schemes that represent binary data.

Malware Disguised as a WordPress Theme License Key

As shown by the above-decoded content, we can see that the attacker is still trying to disguise the malware as a type of licensing key for a theme.

This conditional if statement also checked for the user agents, showing the spam URLs to any and all other user agents/search engines except these:

  • Baidu
  • MJ12
  • Ezooms
  • Solomono
  • Roger
  • Linkpad
  • Semrush
  • Prodvigator
  • Survey
  • Alexi
  • Xenu
  • Ahrefs
  • Serpstat
  • Yandex

The if statement tried to hide it from some web-based link-analyzing tools as it may be cached by such tools. The reason behind this step is to avoid the client being notified by these tools:

If Statement Checking for User-agent
If Statement Checking for User-agent

Decoded Malware

As we dig deeper, the final decoded payload populates with hidden links as it would appear within the HTML source:

Decoded Payload with Hidden Links
Decoded Payload with Hidden Links

The links are hard-coded inside this malware, but on different sites, they may be different. However, the domains of the spammy sites remain mostly the same.

Conclusion

Here we showed a case of hidden malware in a WordPress theme file.

Let us know if you see or suspect any weird behavior on your website and we will be happy to investigate and clean it for you.

Moe O is Sucuri’s Website Security Analyst. Moe's main responsibilities include remediation. His professional experience covers 10 years of remediation. When Moe isn’t fighting or researching malware, you might find him traveling. Connect with him on our Twitter.

Related Tags
Related Categories
You May Also Like