WordPress Malware Exploits Steam Community Profiles for Covert Control
A newly uncovered malware campaign is targeting WordPress websites, employing an innovative method to maintain control over compromised sites. Attackers are embedding command instructions within Steam Community profile comments, effectively transforming a popular gaming platform into a clandestine command-and-control (C2) channel.
Malware Deployment and Operation
The malware operates through a two-pronged approach:
1. Front-End Injection: Malicious JavaScript is injected into the front end of compromised WordPress sites, delivering harmful content to every visitor.
2. Server-Side Backdoor: A persistent backdoor is installed on the server, granting attackers remote access and the ability to modify WordPress plugin and theme files without detection.
This campaign was first identified by GoDaddy security researchers in July 2024 and has since affected approximately 1,900 WordPress sites. By leveraging Steam’s trusted platform, attackers can obscure their infrastructure, reducing the likelihood of detection and takedown.
Steganography and Concealment Techniques
A notable aspect of this malware is its use of steganography to hide malicious payloads. Attackers embed invisible Unicode characters within Steam profile comments, encoding harmful data in a way that appears benign. This method allows the malware to evade traditional text-based scanning tools, making detection significantly more challenging.
Mechanism of the Attack
The attack hinges on a PHP function embedded within the compromised WordPress installation. When a page on the infected site loads, the malware sends an HTTP request to a specific Steam Community profile using cURL, retrieves the comment text, and decodes the hidden payloads. For instance, profiles like `steamcommunity.com/profiles/76561199096946028` have been utilized. The extracted content is cached using WordPress transients with a five-minute expiration.
The decoded data is then used to inject a JavaScript URL into every front-end page via the `wp_enqueue_script` hook, under a deceptive handle name such as asahi-jquery-min-bundle, mimicking legitimate libraries. The external URL observed during analysis pointed to `hello-myworld[.]info`, which serves the final malicious JavaScript payload to site visitors.
Implications for Website Owners and Visitors
The reach of this campaign is extensive. Compromised websites unknowingly serve injected scripts to every visitor, exposing users to potential harm. For site owners, the backdoor allows attackers to rewrite site code even after partial cleanup attempts, leading to persistent security issues.
Recommendations for Mitigation
To protect against such sophisticated attacks, website administrators should:
– Regularly Update Software: Ensure that WordPress core, themes, and plugins are up to date to patch known vulnerabilities.
– Implement Security Plugins: Utilize reputable security plugins that can detect and block malicious activities.
– Monitor for Unauthorized Changes: Regularly check for unexpected modifications to files and configurations.
– Conduct Routine Security Audits: Perform comprehensive security assessments to identify and address potential weaknesses.
By adopting these proactive measures, website owners can enhance their defenses against evolving cyber threats.
