Stealthy PHP Malware Uses ZIP Archive to Redirect WordPress Visitors

Last month, a customer contacted us, concerned about persistent and inexplicable redirects on their WordPress website. Our investigation quickly unearthed a sophisticated piece of malware deeply embedded within their site’s core files. This wasn’t just a simple redirect; it was a complex operation designed for search engine poisoning and unauthorized content injection.

What Did We Find?

Our initial analysis led us to the wp-settings.php file, a critical WordPress core component. We discovered two highly suspicious lines of code that immediately stood out:

This code snippet is the initial entry point for the malicious payload.

The first line extracts the bare domain name from the HTTP_HOST header, removing “www.” if present. This is a common tactic to ensure the malware works consistently across different domain configurations.

The second line is the critical line. It attempts to include a file directly from inside a win.zip archive. The zip:// wrapper in PHP allows accessing files within a ZIP archive as if they were regular files. The # symbol, followed by $h (the extracted domain name), indicates that a file named after the domain within win.zip should be included. This is a very stealthy way to hide malicious code within an otherwise innocuous-looking ZIP file.

Upon further investigation, we found the win.zip file. When extracted, it contained a single PHP file with highly obfuscated code. This file is the core malicious script.

Attack Vector & IoCs

1. A zip://win.zip#<hostname> include in wp-settings.php.
2. Inside win.zip, a file (matched to the host) containing:
   
3. Visitor-specific redirect logic within the decoded payload.

Analysis of the Malware

The file extracted from win.zip is designed to be executed, and it immediately sets about decoding and running its true malicious content.

Initial Setup and Environment Detection

The malware begins by setting up its execution environment to ensure it runs without interruption and can detect the current protocol.

The malware checks if the current connection is secure (HTTPS) or not. This is important for fetching external resources correctly and avoiding mixed content warnings on the client side.

Dynamic Command & Control (C2) Server Selection

One of the clever aspects of this malware is its ability to dynamically select its Command and Control (C2) server based on the requested URL. This makes it more resilient to takedowns and harder to block entirely, as different parts of the site might communicate with different C2s.

What is a Command and Control (C2) server?

A Command and Control (C2) server is a system used by hackers to remotely control infected devices (like computers or websites). It sends commands to the malware and receives stolen data back.

This code allows the attacker to serve different malicious content or redirect users based on the specific page they are visiting, potentially targeting different SEO niches or user demographics.

Anti-Bot and Stealth Mechanism

To avoid detection by search engine crawlers and security scanners, the malware includes a sophisticated anti-bot mechanism.

When a bot like Googlebot, Bing, or Yahoo is detected, the malware typically disables its malicious output e.g., no redirects, no spam content. This prevents the compromised content from being indexed by search engines, helping the infection remain hidden from site owners who might check their site’s appearance in search results, and also from automated security scanners that often simulate bot behavior.

Remote Content Fetching and Communication

The malware attempts to fetch content from a given URL. The malicious code is designed to send data maybe to collect site information or status updates back to the C2 server using POST requests.

Website File Manipulation (SEO Poisoning Tactics)

A key goal of this malware is search engine poisoning, achieved by manipulating crucial SEO-related files on the compromised website.

The malware intercepts requests for Google site verification files and responds in a way that allows the attacker to verify the site in Google Search Console, effectively gaining control over its SEO settings.

It fetches content from contents.php on the C2 server. If the local robots.txt exists, it modifies it; if not, it starts with a default “Allow all” rule. Crucially, it then appends a sitemap directive pointing to an attacker-controlled sitemap URL. This directs search engines to crawl the attacker’s spam content hosted on your compromised site, boosting their illicit SEO efforts.

Dynamic Redirection and Content Serving

The ultimate goal of this malware, from the user’s perspective, is the dynamic delivery of content or redirects.

Redirects depending on requested path:

• products.php → wditemqy[.]enturbioaj[.]xyz
• detail.php → oqmetrix[.]icercanokt[.]xyz
• Others → yzsurfar[.]icercanokt[.]xyz

Malicious C2 Domains

• wditemqy[.]enturbioaj[.]xyz
• oqmetrix[.]icercanokt[.]xyz
• yzsurfar[.]icercanokt[.]xyz

Impact of the Malware

• The primary objective is to manipulate search engine rankings. By injecting spammy content, unauthorized sitemaps, and performing 301 redirects, the attackers aim to use the compromised website’s authority to boost their own malicious or spam sites in search results.
• A compromised website can be flagged as malicious by security vendors, web browsers, and search engines, leading to reputational damage.
• The use of ZIP archives for code inclusion, multi-layered obfuscation and anti-bot measures make this malware challenging for site owners to detect and clean without expert assistance.

Prevention Tips

1. Always Keep Software Updated: Ensure your WordPress core, themes, and all plugins are running their latest versions.
2. Source Themes and Plugins from Reputable Sources: Only download themes and plugins from the official WordPress.org directory or directly from established, trusted developers.
3. Implement Strong Credential Security: Use unique, complex, and long passwords for all your WordPress administrator accounts, database, FTP, and hosting control panel. Enable Two-Factor Authentication (2FA) for all user roles, especially administrators, to add an essential layer of security.
4. Utilize a Web Application Firewall (WAF): A robust WAF, such as those provided by security services like Sucuri, acts as a frontline defense.
5. Regularly Scan Your Website for Malware: Implement regular, automated malware scanning for your WordPress site.

Conclusion

This tricky malware shows attackers are getting smarter. But you can protect your website! Think of it like this: keep your software updated, use strong passwords, and scan for bad stuff regularly. Always have backups! Being smart about security keeps your website safe and trustworthy.