28 Dec, 2023
WordPress Hack with wp-crawler.php to Serve Geolocation Aware Ads
Massive WordPress hacking campaign using wp-crawler.php to redirect website visitors to geolocation-aware advertising websites.
Over the last few weeks we have been investigating numerous cases of heavily exploited remote code execution (RCE) vulnerabilities in popular WordPress plugins. We found that in the majority of the attacks, hackers planted visitor-dependent malware that redirects the web browser over and over again in order to, finally, serve pages with ads. In the most severe cases, the injected malware took full control of the entire site, and all website pages, including the WordPress dashboard, redirected to third-party advertising pages.

Further analysis showed that the malware campaign redirected visitors to geo-targeting advertising sites that present ads in the visitor's local language.
More information on why hackers employ geolocation-aware techniques in malware campaigns can be found here: Top 4 Reasons Why Hackers Plant Geolocation Malware on Websites

In this post, we provide a full analysis of the redirection path, which goes through multiple servers. We added some comments to the original code to make it more readable and easier to understand.
As stated above, the original infection starts from an RCE (remote code execution) vulnerability, which is used to inject/dump the following shell/backdoor script in multiple places across the infected site. Sometimes this malware was found in the website's root directory under the name temp-crawl.php or wp-crawl.php.
This code by itself does nothing malicious. The actual malicious code used to infect other files is sent in the $_REQUEST['q'] request argument and executed via an @include statement.

In some of the cases we handled, wp-crawl.php was used to infect multiple JavaScript and PHP files stored in the wp-content directory. Another version of the infection injected malicious JavaScript code directly into the *wp_posts* tables, infecting every existing post.
Infection analysis
The initially injected JavaScript code loads content from hxxps://ads[.]voipnewswire[.]net/ad[.]js and appends it to the DOM "head" element.

The encoded version of the original infection:
The decoded version:
Following is a dump of the JavaScript code that is loaded from voipnewswire[.]net:
This code loads two other JavaScript files, one from hxxps://voipnewswire[.]innocraft[.]cloud/piwik[.]js and one from hxxps://glasssunshine[.]cf/glcf[.]js

We are going to analyze both of these files.

The code loaded from hxxps://voipnewswire[.]innocraft[.]cloud/piwik[.]js is the PIWIK (https://piwik.pro/) customer and visitor tracking system:
The second script is the content of the /* lrtwqxbknvbkdjjef */ variable, which upon execution is set to the following value:

Encoded content of lrtwqxbknvbkdjjef
Decoded content of lrtwqxbknvbkdjjef
As a result of this script, the content of hxxps://glasssunshine[.]cf/glcf[.]js is loaded and appended to the DOM "head" element.
The following is the content of hxxps://glasssunshine[.]cf/glcf[.]js:

The encoded script version:
The decoded script version:
The decoded value of variable sunigl
Geo-targeting advertising
The final redirection to ad.html is based on a cookie timeout period, which means every visitor is redirected to the ad page every 8 hours. When all loaded JavaScript files are executed, the https://ad[.]suniglasses[.]com/ad[.]html page redirects visitors to advertising content in their local language.
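An added example, not code from the original post: a Python sweep of a site root (and any wp_posts dump saved as .sql beside it) for the file names and domains named in this analysis. The loader heuristic and the list of scanned file extensions are assumptions, since the post does not show the backdoor's exact code.

```python
import re
import sys
from pathlib import Path

# Indicators from this post, kept defanged on disk and refanged only in memory.
DEFANGED_DOMAINS = ["voipnewswire[.]net", "voipnewswire[.]innocraft[.]cloud",
                    "glasssunshine[.]cf", "suniglasses[.]com"]
BACKDOOR_NAMES = {"wp-crawler.php", "wp-crawl.php", "temp-crawl.php"}
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm", ".sql"}  # assumed file set

DOMAIN_RE = re.compile(
    "|".join(re.escape(d.replace("[.]", ".")) for d in DEFANGED_DOMAINS), re.I)
# Assumption: the post only says the payload arrives in $_REQUEST['q'] and is
# run through @include, so a file must contain both to be flagged as a loader.
REQ_Q_RE = re.compile(r"""\$_REQUEST\s*\[\s*['"]q['"]\s*\]""")
INCLUDE_RE = re.compile(r"@\s*include(?:_once)?\b")


def scan_text(text):
    """Return sorted finding labels for one file body or database dump."""
    findings = {"domain:" + m.group(0).lower() for m in DOMAIN_RE.finditer(text)}
    if REQ_Q_RE.search(text) and INCLUDE_RE.search(text):
        findings.add("loader:@include+$_REQUEST[q]")
    return sorted(findings)


def scan_tree(root):
    """Walk a site root and map each suspicious relative path to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        findings = []
        if path.name.lower() in BACKDOOR_NAMES:
            findings.append("filename:" + path.name.lower())
        if path.suffix.lower() in SCAN_SUFFIXES:
            findings += scan_text(path.read_text(errors="replace"))
        if findings:
            report[str(path.relative_to(root))] = findings
    return report


if __name__ == "__main__":
    for name, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, ", ".join(hits))
```

Literal domain matching will miss the encoded form of the injection, so a clean result is inconclusive; the file name and loader checks do not depend on the domain strings.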
Conclusion
The initial source of infection was an RCE vulnerability found in a few popular plugins. Even though the related vendors released patches before information about the RCE vulnerabilities was made public, we still encounter websites with outdated plugins, which leave the door open for attackers to take full control of those sites.
Whether you manage a small business or an online e-commerce business, you should be aware that outdated software with known security vulnerabilities can open access to your sensitive business data, which may lead to business and reputation damage.
We are always quick to respond to protect our customers from malware infection and other cyber threats.

Our experts are here to clean up any malware from your sites, resolve false positives, and remove your website from the blacklists of Google, Yahoo, and any other search engine provider or security authority.
If you believe you need help, or your website has been compromised by this or a similar attack, feel free to contact us via Quttera's help-desk. Our cyber security experts will be glad to assist you in bringing your business back online.