In the world of malware, there are tons of different strains targeting different platforms and users. WordPress, being the most popular CMS for web admins, has plenty of foes on the internet. Recently, a malware family named “BabaYaga” has been getting into WordPress sites and performing some unorthodox tasks in the background.
This malware strain isn’t new on the web, but it recently received updates that have turned it into a formidable foe for WordPress site admins. It also uses some clever self-preservation techniques to achieve its illegal goal.
The group behind this malware, believed to be Russian-speaking hackers, uses it to inject sites with special keywords that drive SEO traffic to hidden pages on the compromised sites. These pages then redirect users to affiliate marketing links.
The malware consists of two modules: one that injects content into the compromised site, and a backdoor module that gives the hackers unauthorized access to the site at any time.
According to Defiant researchers, this malware strain is well written and shows that its author has a good understanding of software development challenges. In addition to WordPress sites, the malware can also inject itself into Drupal and Joomla sites, and even plain PHP sites. However, it is mainly WordPress-centered.
The self-preservation method
Like any other malware, this one tries to keep itself running on the site and enjoy the full resources of its host. So why not do some maintenance?
Despite being malware, BabaYaga does things we haven’t seen before. First of all, it removes all other malware from your site. Yes, it’s an effective anti-malware (?) for your WordPress site.
In addition, the malware also updates WordPress itself. If your WordPress version is old, updating to the latest is obviously good. So why is this malware doing so?
According to the Defiant team, these are the main reasons the malware is able to inject spam into compromised sites. If the WordPress installation is buggy, the spam code won’t execute properly, and proper execution of that arbitrary code is necessary for stealing SEO traffic.
But that’s not all it wants. If the software is old, bugs are bound to appear. By updating the software, there’s less chance of bugs. If there are fewer bugs, the admin doesn’t have to check his/her site for issues, so BabaYaga can go unnoticed for a really long time.
A parasite needs a living, healthy host to thrive and perform its own actions. That’s the reason behind BabaYaga’s anti-malware (?) activity.
How to stay secured
First of all, make sure your site isn’t acting suspiciously. In this case, BabaYaga redirects users to third-party sites. Also check whether WordPress updated itself automatically. Use plugins like Sucuri for tighter security.