Of late, the popular content management system (CMS) WordPress has been in the news for being targeted by hackers. Several websites built on WordPress are bearing the brunt because of unpatched vulnerabilities and default configuration issues.
Below are some attacks which were perpetrated using compromised WordPress websites:
When de-obfuscated, the code looks like this:
The de-obfuscated code loads an iFrame tag which is responsible for redirecting the victim to a malicious website. When executed, the function ‘dpi’ produces the URL below:
VirusTotal Report: 4/67
The iFrame loads the above URL and redirects users to it.
During analysis, the malicious domain was not serving any malicious content, but we have reason to believe that it will.
VirusTotal Report: 1/67
IP Address: 126.96.36.199
VirusTotal IP Information: Report
According to VirusTotal, some of the other domains listed on the above IP are:
Safety Measures for WordPress Users
The iFrame technique for redirecting users to malicious domains is well-known and widely used by attackers. Given the heavy usage of WordPress websites across the world, they can be used by hackers to trigger a mass infection in today’s cyber space. We strongly recommend the implementation of the safety measures listed above.
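Site owners can check their own rendered pages for the pattern described above, an iFrame whose URL is produced by obfuscated script. The following is an added example, not code from the original analysis: the heuristics, the host names `blog.example` and `redirect.invalid`, and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics chosen for this example (assumptions, not taken from the analysed sample).
SCRIPT_PATTERNS = {
    "iframe-built-by-script": re.compile(r"createElement\(\s*['\"]iframe|<iframe", re.I),
    "obfuscation-primitive": re.compile(r"\beval\s*\(|fromCharCode|unescape\s*\(", re.I),
}

class IframeAudit(HTMLParser):
    def __init__(self, site_host, allowed):
        super().__init__()
        self.trusted = {site_host.lower(), *(h.lower() for h in allowed)}
        self.findings, self._script = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            host = (urlparse(attrs.get("src") or "").hostname or "").lower()  # handles //host/path too
            if host and host not in self.trusted:
                self.findings.append(("off-site-iframe", host))
        elif tag == "script" and not attrs.get("src"):
            self._script = []  # start collecting an inline script body

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = "".join(self._script), None
            for name, pattern in SCRIPT_PATTERNS.items():
                if pattern.search(body):
                    self.findings.append((name, body.strip()[:60]))

def audit_page(html, site_host, allowed=()):
    parser = IframeAudit(site_host, allowed)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: an allow-listed embed, a static off-site iframe, and a script that decodes a URL.
SAMPLE = """<iframe src="https://www.youtube.com/embed/abc"></iframe>
<iframe src="//cdn.redirect.invalid/in.php" width="1" height="1"></iframe>
<script>function u(){return String.fromCharCode(104,116,116,112)+"://redirect.invalid/";}
document.write('<iframe src="'+u()+'"></iframe>');</script>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE, "blog.example", {"www.youtube.com"}))
```

Findings are leads for manual review rather than verdicts: legitimate plugins also build iFrames from script, so the allow-list should reflect the embeds the site actually uses.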
Subject Matter Expert
– Threat Research & Response Team, Quick Heal