Re-directions are being commonly and wildly abused nowadays. Here at Quttera, we're dealing with them on a daily basis when cleaning ThreatSign! customers websites and servers. However, this particular one really got our attention since it cannot be seen with "unarmed eye" and it resides in one of the many plugins of the site.
The behavior of the redirection exploits the API being used by the site. The malware hooks the API being called, intercepts the parameter and replaces it with its own code for execution back to the original site.
Malware AnalysisWhen we debugged the site:
stepping inside the API to locate the function. The file below is nowhere to be found:
HTML variable will be the "storage" of the first redirection. When executed, it will be redirected again to another download site:
Checking common sources that could lead to re-directions such as htaccess, wp_redirects and etc... didn't give any results.
Detection and Malware DetailsAfter in-depth analysis and signature searching, we found out that it hides in one of the installed plugins on the site. Due to the huge number of plugins that the site was using, It took us a bit of a time to trace where it leads and VOILA! Behold of the code below. Remember the screenshots above? The code is a match!
There were also a handful of functions in this specific module, like:
- Check for ZEND Security Upgrade Version
- API Response Handling
- Redirection Settings
- Content Generator
If you suspect your website was compromised or would like us to remove the malware, please select from ThreatSign - website monitoring and malware clean-up plans. To run free remote scan of your websites: http://quttera.com/website-malware-scanner
For other questions, do not hesitate to contact Quttera's help-desk.