A sophisticated malware campaign has been identified, targeting WordPress websites by exploiting PHP variable functions and employing cookie-based obfuscation techniques. This method allows the malware to evade traditional security detection mechanisms effectively.
Evolution of Obfuscation Techniques
This attack signifies a notable advancement in obfuscation strategies. Threat actors fragment malicious code across multiple HTTP cookies, dynamically reconstructing executable functions during runtime. Such fragmentation conceals the malicious intent until all cookie components are assembled and executed, complicating static analysis and detection efforts.
Widespread Deployment
In September 2025 alone, this malware was detected over 30,000 times, indicating its extensive deployment and continued effectiveness against vulnerable websites.
Targeted Platforms and Attack Vector
The primary targets are PHP-based web applications, especially WordPress installations. Attackers inject backdoor scripts that accept commands through specially crafted cookies. Unlike traditional malware that embeds complete malicious payloads within files, this campaign distributes function names and encoded parameters across numbered cookie indices.
Conditional Execution for Evasion
Once deployed, the malware remains dormant until it receives specific cookie configurations. Attackers must send precisely structured requests containing all necessary components to activate the malware. This conditional execution serves dual purposes:
1. Evasion of Automated Security Scans: Automated scans may trigger the script without the proper cookies, allowing the malware to remain undetected.
2. Prevention of Unauthorized Access: Only attackers with the correct cookie configurations can activate the backdoor, preventing other malicious actors from exploiting it.
Detection and Analysis
Researchers at Wordfence identified multiple variants of this malware during routine incident response operations. These samples have been added to their threat intelligence database, which contains over 4.4 million unique malicious signatures. Initial detection was challenging due to the heavily obfuscated code, which conventional signature-based scanning struggled to flag.
Common Characteristics of Variants
Despite differences in implementation details, the malware variants share core characteristics:
– Dense Obfuscation: The code is heavily obfuscated to evade detection.
– Excessive Array Lookups: The malware uses numerous array lookups to complicate analysis.
– Deliberate Cookie Validation Checks: These checks act as authentication mechanisms for attackers, ensuring only those with the correct cookies can activate the malware.
Technical Implementation and Code Execution Chain
The malware operates through a multi-stage execution chain that leverages PHP’s variable function capability. In PHP, appending parentheses to any variable causes PHP to execute a function matching the variable’s string value.
Execution Process:
1. Cookie Validation: The script stores the `$_COOKIE` superglobal into a local variable and validates that exactly 11 cookies are present, with one containing the specific string “array11”.
2. Function Name Reconstruction: The malware concatenates cookie values to reconstruct function names. For example, it combines cookies containing “base64_” and “decode” to form the complete `base64_decode` function name.
3. Function Execution: The execution chain demonstrates sophisticated layering:
“`php
$locale[79] = $locale[79] . $locale[94];
$locale[23] = $locale[79]($locale[23]);
“`
This code reconstructs `base64_decode`, then decodes another cookie containing “Y3JlYXRlX2Z1bmN0aW9u” to produce “create_function”. The malware subsequently uses `create_function` with attacker-controlled parameters to generate arbitrary executable code.
4. String Replacement Techniques: Later variants employ string replacement techniques, transforming obfuscated strings like “basx649fxcofx” into “base64_decode” by replacing characters ‘x’, ‘f’, and ‘9’ with ‘e’, ‘d’, and ‘_’ respectively.
This multi-layered approach defeats pattern-matching detection while maintaining full remote code execution capabilities through serialized payloads delivered via cookie parameters.
Implications for Security
The use of PHP variable functions and cookie-based obfuscation in this malware campaign highlights the evolving tactics of cybercriminals. Traditional security measures may not be sufficient to detect such sophisticated attacks. Organizations, especially those using WordPress, should implement advanced security solutions and conduct regular security audits to identify and mitigate potential vulnerabilities.
Recommendations for Mitigation
1. Regular Updates: Ensure that all software, including WordPress and its plugins, are up to date to patch known vulnerabilities.
2. Advanced Security Solutions: Deploy security solutions that can detect and respond to obfuscated and multi-stage malware attacks.
3. Security Audits: Conduct regular security audits to identify and address potential vulnerabilities in web applications.
4. User Education: Educate users and administrators about the risks of malware and the importance of maintaining strong security practices.
Conclusion
The emergence of this malware campaign underscores the need for continuous vigilance and adaptation in cybersecurity practices. By understanding the techniques employed by attackers, organizations can better prepare and defend against such sophisticated threats.
