How PHP’s Labyrinth Weaponized WordPress Themes for Profit
New findings from Prevailion’s Tailored Intelligence team indicate the rapid expansion of a series of supply chain attacks that turn installations of the popular WordPress content management system into hosts for a malicious advertising network. More than 20,000 web servers have been identified as compromised in this campaign.
WordPress now accounts for 60% of content management system deployments and powers 34% of all websites on the internet. This large user base, and the ease with which a site can be customized without any coding knowledge, has created fertile ground for exploitation by a threat actor we have dubbed PHP’s Labyrinth.
As previously reported, the campaign abuses WordPress’s customization features by enticing site owners to install trojanized copies of free themes and plugins. Once these are installed, the threat actors can not only compromise administrator accounts but also inject malvertising into the site and use that advertising vector to deliver exploit kits; both paths allow the threat actors to compromise visitors of the affected websites.
Prevailion has been working closely with a US federal law enforcement agency to provide new evidence on the threat actor behind this sophisticated botnet, along with the discovery of previously unreported malicious activities, including:
- 30 active malicious platforms serving the trojanized themes and plugins
- Newly discovered second-stage malware functionality, including an anti-adblocker script and additional C2 infrastructure
- Distribution of the Fallout exploit kit and malvertising adware through the Propeller Ads network (which claims to have over 100 million desktop and mobile users per day)
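The two mechanisms described above, a trojanized theme or plugin that hides a PHP payload and the injection of third-party ad or anti-adblocker scripts into served pages, leave traces in the theme files themselves. The following is an added example, not code from the Prevailion report or from the campaign, of a heuristic scanner a site operator could run over a WordPress theme or plugin directory before activating it. The indicators it looks for (an `eval()` fed by a decoder, very long base64 literals, runtime remote includes, and `<script src>` tags pointing at hosts outside an allowlist) are generic obfuscation and loader patterns chosen for this example; they are assumptions, not indicators published for this campaign. The sample files it scans are constructed here for the demonstration.

```python
"""Heuristic scan of a WordPress theme/plugin tree for injected code.

Added example; not code from the Prevailion report. The patterns below are
generic obfuscation/loader indicators chosen for this example (assumptions),
not indicators published for the PHP's Labyrinth campaign.
"""
import re
import tempfile
from pathlib import Path

PATTERNS = {
    # eval() fed by a decoder is the classic shape of a hidden PHP payload
    "eval_of_decoded_payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # a very long base64 string literal is rarely legitimate in a theme
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    # PHP pulling code over HTTP at runtime
    "remote_include": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://", re.I),
}
# External script loader; handled separately so known hosts can be allowlisted
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"](?:https?:)?//([^/'\"\s]+)", re.I)
SCANNED_SUFFIXES = {".php", ".js", ".html"}


def scan_source(text, allowed_hosts=()):
    """Return (indicator, line_number, detail) tuples for one file's contents."""
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            hits.append((name, line, m.group(0)[:60]))
    for m in SCRIPT_SRC.finditer(text):
        host = m.group(1).lower()
        if host not in allowed_hosts:
            line = text.count("\n", 0, m.start()) + 1
            hits.append(("third_party_script", line, host))
    return hits


def scan_tree(root, allowed_hosts=()):
    """Scan every PHP/JS/HTML file under root; map relative path -> hits."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
            hits = scan_source(path.read_text(errors="replace"), allowed_hosts)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample: a benign theme file (hypothetical, for this example only).
CLEAN_FUNCTIONS_PHP = """<?php
// constructed sample of a benign theme file
function demo_enqueue() {
    wp_enqueue_style('demo-style', get_stylesheet_uri());
}
add_action('wp_enqueue_scripts', 'demo_enqueue');
"""

# Constructed sample of the same file with an injected loader appended.
# This is NOT the campaign's real payload; the base64 merely decodes to a
# harmless echo, and ads.invalid is a reserved, non-resolvable name.
TROJANIZED_FUNCTIONS_PHP = """<?php
// constructed sample of the same file with injected code
function demo_enqueue() {
    wp_enqueue_style('demo-style', get_stylesheet_uri());
}
add_action('wp_enqueue_scripts', 'demo_enqueue');
eval(base64_decode('ZWNobyAnaGknOw=='));
add_action('wp_footer', function () {
    echo '<script src="//ads.invalid/loader.js"></script>';
});
"""


def build_demo_theme(root):
    """Write a small constructed theme tree: one trojanized file, two clean ones."""
    root = Path(root)
    (root / "js").mkdir(parents=True, exist_ok=True)
    (root / "functions.php").write_text(TROJANIZED_FUNCTIONS_PHP)
    (root / "style.css").write_text("/* Theme Name: Demo */\n")  # not scanned
    (root / "js" / "app.js").write_text("document.title = 'demo';\n")
    return root


def run_demo():
    """Build the constructed theme in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_theme(tmp)
        return scan_tree(tmp, allowed_hosts={"example.com"})


if __name__ == "__main__":
    for rel_path, hits in run_demo().items():
        for indicator, line, detail in hits:
            print(f"{rel_path}:{line}: {indicator} ({detail})")
```

Run it against a freshly downloaded theme before activating it, and pass the hostnames of CDNs the site legitimately uses in `allowed_hosts` so that only unexpected third-party script loaders are reported. A clean hit list is not proof of a clean theme (the heuristics are deliberately simple), but any `eval_of_decoded_payload` or `remote_include` hit in a theme that was supposed to be free of custom code warrants diffing the files against the official copy from the WordPress repository.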