Stealthy Malware Disguises Itself as a WordPress License Key

silversurfer

Aug 17, 2014
A spam-injecting malware is targeting WordPress site owners by disguising itself as a legitimate license key for a WordPress design theme.

According to analysis from Sucuri, a customer opened a malware removal ticket reporting “some weird spam URLs injected onto their WordPress website.” After further investigation into the files on the website, analysts uncovered a hidden encoded spam injector malware in the “./wp-content/themes/toolbox/functions.php” WordPress theme, masquerading as a license key.

WordPress themes are essentially website templates, specifying the fonts, colors, image placement and other design elements for a site. They can also be customized with tailored elements. When a customer orders a theme, it comes with a license key, like any software would. This key is required for any future updates, features and security patches.

“A license key is a place where a webmaster might not expect to find an infection,” said Moe Obaid, security analyst at Sucuri, in a Wednesday post. “The attacker formatted the encoded injector to look like a theme’s license key in order to distract the eyes of a less-trained security analyst from suspecting this to be malicious code.”

Interestingly, in addition to targeting a normally non-suspicious file, the attacker didn’t apply that much encoding to obfuscate the code – meaning that it essentially hides in plain sight. Obaid said that it was a simple process to decode the malware, which is housed in base64-encoded text within the $token variable.

Diving more into the malicious code itself, Sucuri found that the malware displays spam links to most user agents (i.e., browsers and plug-ins that retrieve, render and facilitate end-user interaction with a site’s web content), with a few exceptions. User agents are browsers and different types of plug-ins that display a website’s content to a visitor.
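
An added example (not part of the original post or Sucuri's analysis): a Python check a defender could run over a theme's functions.php to flag quoted base64 literals, such as the $token value described above, that decode to readable code or links rather than key-like random bytes. The regexes, the 90% printable threshold and the sample file contents are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Quoted literals of 40+ base64 characters assigned to a PHP variable.
ASSIGNMENT = re.compile(r"""(\$\w+)\s*=\s*(['"])([A-Za-z0-9+/]{40,}={0,2})\2""")
# Content that has no place in a real license key (assumed indicator list).
SUSPICIOUS = re.compile(rb"https?://|HTTP_USER_AGENT|<a\s|eval\s*\(|<\?php", re.I)


def find_encoded_payloads(php_source):
    """Return (line_no, variable, decoded_preview) for literals that decode to code or links."""
    findings = []
    for match in ASSIGNMENT.finditer(php_source):
        variable, blob = match.group(1), match.group(3)
        try:
            # Pad if the literal was stored without trailing '=' characters.
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in decoded)
        if printable / max(len(decoded), 1) < 0.9:
            continue  # mostly binary: plausibly a genuine key or hash
        if SUSPICIOUS.search(decoded):
            line_no = php_source.count("\n", 0, match.start()) + 1
            findings.append((line_no, variable, decoded[:60].decode("ascii", "replace")))
    return findings


# Constructed sample: one "license key" that hides markup, one that is opaque bytes.
_HIDDEN = b"echo '<a href=\"http://spam.example/\">cheap pills</a>';"
_OPAQUE = bytes(range(200, 248))
SAMPLE = (
    "<?php\n"
    "// Theme license\n"
    "$token = '" + base64.b64encode(_HIDDEN).decode() + "';\n"
    "$license_key = '" + base64.b64encode(_OPAQUE).decode() + "';\n"
)

if __name__ == "__main__":
    for line_no, variable, preview in find_encoded_payloads(SAMPLE):
        print(f"line {line_no}: {variable} decodes to readable content: {preview!r}")
```

A hit is a lead for manual review of the decoded content, not proof of infection; comparing the file against a clean copy of the theme remains the stronger check.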
 
