Malware Operation ‘DollyWay’ Hacked 20,000+ WordPress Sites Globally

DollyWay is a long-running malware campaign that has compromised over 20,000 WordPress sites globally. It uses a sophisticated approach to keep control of infected sites and inject malware that redirects visitors to scam pages via traffic broker networks.

The campaign is linked to VexTrio, a notable cybercriminal affiliate network that uses DNS techniques and domain generation algorithms. Initially, DollyWay included payloads such as ransomware and banking trojans, but it now focuses on redirects.

Researchers at GoDaddy identified the malware’s mechanisms, which include cryptographic verification of data transfers and automated reinfection processes. DollyWay updates WordPress and removes competing malware to retain control over infected sites, highlighting the need for continuous security monitoring to protect WordPress sites.

DollyWay’s Infrastructure

DollyWay v3 operates through a distributed network of command and control (C2) and traffic direction system (TDS) nodes. It uses compromised WordPress sites to inject redirect scripts through files like wp-content/counts.php. The malware updates its node list daily to ensure effectiveness, even if some nodes are taken down.

The injection pattern for the malware includes a unique hexadecimal string designed to evade detection. DollyWay also maintains persistence by disabling security plugins and reinstalling itself every time a page is loaded. Analysts noted that the reinfection process randomizes code to avoid detection, making removal challenging without taking the site offline.

DollyWay injects backdoors into infected sites, permitting arbitrary PHP code execution while verifying data integrity through cryptographic signatures. Such advanced techniques showcase the evolving nature of the campaign, which has adapted over nearly a decade to remain effective against evolving security practices.
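As an added defender-side example (not code from GoDaddy's research or from this article), the Python scanner below walks a WordPress install and flags the wp-content/counts.php injection file named above. The two content heuristics it also applies (PHP that evals a decoded blob, an inline script carrying a long hexadecimal token) are assumptions for this example, not published DollyWay indicators, and the sample site tree it scans is constructed inline.

```python
import os
import re
import tempfile

# Indicator named in the DollyWay write-up: redirect scripts injected via wp-content/counts.php.
KNOWN_INJECTION_FILES = {os.path.join("wp-content", "counts.php")}

# Heuristics below are assumptions for this example, not published DollyWay indicators:
# a long hexadecimal token inside an inline <script>, and PHP that evals a decoded blob.
HEX_TOKEN_RE = re.compile(r"[0-9a-f]{32,}", re.IGNORECASE)
EVAL_DECODE_RE = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|hex2bin)\s*\(", re.IGNORECASE)


def scan_wordpress_root(root):
    """Walk a WordPress install and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if rel in KNOWN_INJECTION_FILES:
                findings.append((rel, "known DollyWay injection file name"))
            if not name.endswith((".php", ".js", ".html")):
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if EVAL_DECODE_RE.search(text):
                findings.append((rel, "eval() over a decoded blob"))
            if "<script" in text.lower() and HEX_TOKEN_RE.search(text):
                findings.append((rel, "inline script with a long hex token"))
    return sorted(findings)


def build_sample_site():
    """Constructed sample tree: one clean theme file plus two files the scanner should flag."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    theme = os.path.join(root, "wp-content", "themes", "sample-theme")
    os.makedirs(theme)
    with open(os.path.join(theme, "footer.php"), "w") as fh:
        fh.write("<?php wp_footer(); ?>\n")
    with open(os.path.join(root, "wp-content", "counts.php"), "w") as fh:
        fh.write("<?php echo '<script src=\"//example.invalid/" + "ab" * 20 + ".js\"></script>';\n")
    with open(os.path.join(root, "wp-content", "uploads.php"), "w") as fh:
        fh.write("<?php eval(base64_decode($_POST['x'])); ?>\n")  # constructed sample matching the eval heuristic
    return root


if __name__ == "__main__":
    for path, reason in scan_wordpress_root(build_sample_site()):
        print(f"{path}: {reason}")
```

On a real site, treat every finding as a lead for manual review rather than proof of infection, and compare flagged files against a known-good copy of the theme or plugin.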

Over 2,000 Hacked WordPress Websites Infected with Crypto-Draining Malware

Threat actors have compromised over 2,000 WordPress websites, transforming them into crypto-draining portals. Affected websites now promote rogue NFT deals, enticing unsuspecting visitors to connect their wallets. The attacks are fueled by compromised sites that push crypto-draining malware through platforms like YouTube and malvertising.

These attacks evolved from initial brute-forcing attempts to weaponizing visitors' web browsers, turning them into brute-forcing tools for probing admin passwords at other websites. The attackers revamped the compromised websites to include fake NFT discounts and enticing crypto offers, furthering their malicious agenda.

Once the malicious code is executed, it generates fake pop-ups that trick users into linking their crypto wallets. If the user falls for the scam, their accounts will be drained of funds and NFTs, which will be redirected to attacker-controlled wallets.

To protect against such threats, specialized software like Bitdefender Ultimate Security can shield users from phishing attempts and scam-ridden websites. Additionally, understanding crypto scams can significantly enhance users' ability to recognize and avoid these threats.

Cybersecurity Vulnerabilities and Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has warned about multiple vulnerabilities, including a critical vulnerability in SAP NetWeaver and Edimax IP cameras being exploited in attacks. Organizations are urged to address these vulnerabilities promptly to mitigate risks.

In addition, a new ransomware-as-a-service (RaaS) operation called 'Dragon' has emerged, showcasing advanced initial access and exploitation methods. CISA has released advisories for several vulnerabilities, including those affecting NAKIVO Backup and Replication solutions, which have been actively exploited.

With tax season approaching, scammers are intensifying their efforts to exploit unsuspecting taxpayers. Organizations must remain vigilant and implement security measures to counter these ongoing threats.

Hacked WordPress Sites Pushing Malware

Hackers are exploiting outdated versions of WordPress and plugins to distribute malware targeting both Windows and Mac users. This widespread campaign has affected over 10,000 websites. The hackers alter website content to display deceptive messages that prompt visitors to download malicious files masquerading as legitimate updates.

The malware types involved include Amos, which targets macOS users, and SocGholish, which targets Windows users. These infostealers are designed to capture sensitive data, including passwords and crypto wallets. Cybersecurity experts recommend only downloading software from trusted sources and keeping systems updated to mitigate risks.

The popularity of password-stealing malware has been highlighted by significant data breaches, emphasizing the need for continuous security vigilance. Organizations can benefit from services like GrackerAI, which transforms security news into strategic marketing content, enabling proactive communication about emerging threats and vulnerabilities.

For advanced solutions in cybersecurity monitoring and to stay informed about the latest threats, explore GrackerAI’s offerings at GrackerAI.
