GoDaddy Security researchers reveal they have uncovered a massive malware campaign called DollyWay. The cyberattack, which has been ongoing since 2016, has compromised more than 20,000 WordPress-based sites.
Experts say they have uncovered "evidence linking multiple malware campaigns to a single, long-running operation." A wealth of evidence points to these campaigns being the work of a "unique and sophisticated" cybercriminal group, since all of them share "code patterns and monetization methods."
Known vulnerabilities behind the cyberattack
To compromise the websites, the hackers used n-day vulnerabilities. These are vulnerabilities already known to security researchers, but for which patches have not yet been deployed or installed on the affected sites. The attackers found these flaws in the code of various WordPress plugins and themes.
Note that it is not uncommon for faulty WordPress plugins to put thousands or millions of sites at risk. Last winter, a flaw in Really Simple Security, a security-focused WordPress plugin, left more than four million sites vulnerable. A few weeks earlier, more than 3,000 sites were in hackers' sights because of Popup Builder, a WordPress plugin that allows you to design customizable popups for smartphones. These extensions often serve as a gateway for hackers.
A Vast Network of Scams
Once hacked, the sites were used to trap Internet users. In most cases, the sites simply redirected visitors to online scams, such as fake dating sites, fraudulent gambling, or malicious crypto platforms. Hackers earn money based on the number of Internet users who are redirected to these sites.
The scammers behind DollyWay use two monetization networks, namely LosPollos, a controversial network that is often linked to questionable activities, and VexTrio, a malicious traffic broker. It is "one of the largest known cybercriminal affiliate networks", the researchers' report states.
As GoDaddy Security explains, some sites went so far as to drop dangerous malware, such as banking Trojans or ransomware, onto visitors' devices.
A particularly tenacious virus
Very recalcitrant, the malware used in the DollyWay campaign is capable of reinfecting the site on each page load. In other words, the virus is designed to reinstall or reactivate itself as soon as any page on the site is visited.
The malware uses a sophisticated method to infect WordPress sites: it spreads its malicious code to all active plugins and adds a copy of the WPCode plugin, a legitimate extension that lets site owners modify WordPress functionality by adding code snippets. To prevent administrators from spotting the plugin, the hackers are not short of tricks. For example, they hide the plugin from the list of extensions installed on the site. Cautious hackers also remove any competing malware that might try to compromise the same site at the same time.
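The cross-plugin spreading described above suggests a simple defender-side check: legitimate plugins almost never share several lines of code verbatim, so a code block that appears in every plugin directory deserves a manual look. The script below is an added example, not GoDaddy's tooling or code from the article; it builds a throwaway site with constructed sample plugins (the "injected" block is a harmless placeholder, not real malware) and reports the lines common to all of them.

```python
"""Heuristic scan for identical code blocks present in every plugin of a WordPress site.

Added example with constructed sample data; not GoDaddy Security's code and not
real DollyWay malware. Point shared_code() at a real wp-content/plugins directory
to run it against an actual site.
"""
import os
import tempfile
from typing import Dict, List, Tuple

WINDOW = 3  # consecutive code lines that must match in every plugin to be flagged

# Lines that legitimately appear in nearly every plugin: never treat them as an indicator.
BOILERPLATE = {
    "<?php",
    "?>",
    "defined('ABSPATH') || exit;",
    "defined( 'ABSPATH' ) || exit;",
    "if (!defined('ABSPATH')) { exit; }",
    "if ( ! defined( 'ABSPATH' ) ) { exit; }",
}


def normalize(line: str) -> str:
    """Collapse whitespace so cosmetic reformatting does not defeat the comparison."""
    return " ".join(line.split())


def code_lines(path: str) -> List[str]:
    """Normalized lines of a PHP file, minus blanks, comment lines and known boilerplate."""
    kept = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = normalize(raw)
            if not line or line in BOILERPLATE or line.startswith(("*", "/*", "//", "#")):
                continue
            kept.append(line)
    return kept


def plugin_windows(plugin_dir: str) -> Dict[Tuple[str, ...], str]:
    """Every WINDOW-line sequence in the plugin's PHP files, mapped to where it was first seen."""
    windows: Dict[Tuple[str, ...], str] = {}
    for root, _dirs, files in os.walk(plugin_dir):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            lines = code_lines(path)
            for i in range(len(lines) - WINDOW + 1):
                windows.setdefault(tuple(lines[i:i + WINDOW]), path)
    return windows


def shared_code(plugins_root: str) -> List[str]:
    """Code lines belonging to windows found in *every* plugin under plugins_root.

    Empty when fewer than two plugins exist or nothing is shared. A plugin with
    fewer than WINDOW code lines contributes no windows and therefore suppresses
    all hits; lower WINDOW if the site has such tiny plugins.
    """
    plugin_dirs = sorted(
        os.path.join(plugins_root, d)
        for d in os.listdir(plugins_root)
        if os.path.isdir(os.path.join(plugins_root, d))
    )
    if len(plugin_dirs) < 2:
        return []
    common = None
    for plugin_dir in plugin_dirs:
        keys = set(plugin_windows(plugin_dir))
        common = keys if common is None else common & keys
    return sorted({line for window in common for line in window})


# Constructed placeholder standing in for a block injected into every plugin (not real malware).
INJECTED_BLOCK = """\
$injected_payload = 'constructed sample, not real malware';
add_action('init', function () use ($injected_payload) { return $injected_payload; });
register_activation_hook(__FILE__, 'constructed_reinfect_stub');
"""


def build_sample_site(root: str) -> str:
    """Write three constructed plugins with distinct legitimate code plus the same appended block."""
    plugins_root = os.path.join(root, "wp-content", "plugins")
    for slug in ("alpha-forms", "beta-seo", "gamma-cache"):
        ident = slug.replace("-", "_")
        os.makedirs(os.path.join(plugins_root, slug))
        legit = f"""<?php
/**
 * Plugin Name: Constructed {slug}
 */
defined('ABSPATH') || exit;
function legitimate_feature_{ident}() {{ return '{slug}'; }}
add_action('wp_footer', 'legitimate_feature_{ident}');
$setting_{ident} = get_option('constructed_{slug}');
"""
        with open(os.path.join(plugins_root, slug, f"{slug}.php"), "w", encoding="utf-8") as fh:
            fh.write(legit + INJECTED_BLOCK)
    return plugins_root


def demo() -> List[str]:
    """Build the constructed site in a temp directory and return the flagged shared lines."""
    with tempfile.TemporaryDirectory() as tmp:
        return shared_code(build_sample_site(tmp))


if __name__ == "__main__":
    for line in demo():
        print("shared across all plugins:", line)
```

Only the three placeholder lines come back; each plugin's own functions and options are unique and stay quiet. On a real site, review hits by hand: a shared block is a lead, not proof, and a site where every plugin was cleaned by a file restore but the hidden extra plugin remains still needs the plugin directory compared against a known-good inventory.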
To avoid falling into the trap of a cybercriminal gang, all administrators are encouraged to carefully install all updates to their plugins as soon as they are available.
Source: GoDaddy Security