Technical Analysis
The malware injects an HTML anchor tag into the page that links to an external site for SEO spamming purposes. It uses JavaScript to insert a CSS rule that hides the malicious content by setting the visibility of the div to be far off-screen (negative pixels), thus making it invisible to regular users while still being indexed by search engines.
VirusTotal Analysis: 🛡️ Zero-Day / Fully Undetected.
Attack Chain
- Step 1: Malware injects a hidden HTML div with an anchor link into the WordPress site.
- Step 2: A JavaScript function is executed that creates a CSS rule to hide the div from view.
- Step 3: The hidden div remains in the DOM, allowing search engines to index the SEO spam link.
Code Signature(s)
FILE: malware-sample.js
<div id="M6bMm64IekltUmnGh3vrm9"><p><a href="https://andrikofarmakeio.com/">κοιτάξτε εδώ</a></p></div><script type="text/javascript">function oeYR5CtKOu7Yvb(){var mbO=document.getElementsByTagName('hea'+'d')[0];var JRm='#M6bMm64IekltUmnGh3vrm9{margin:0px 20px;position:fixed;overflow:hidden;top:-152413851px;display:block;z-index:412406018;}';var Ika8H=document.createElement('st'+'yl'+'e');Ika8H.type='text/css';if(Ika8H.styleSheet){Ika8H.styleSheet.cssText=JRm}else{Ika8H.appendChild(document.createTextNode(JRm))}mbO.appendChild(Ika8H)}oeYR5CtKOu7Yvb();</script>Indicators of Compromise (IOCs)
https://andrikofarmakeio.com/#M6bMm64IekltUmnGh3vrm9oeYR5CtKOu7Yvb()
Removal Protocol
- Step 1: Identify and remove malicious script injections from affected theme or plugin files.
- Step 2: Search the database for any injected links or scripts and remove them.
- Step 3: Install a WordPress security plugin to prevent future injections.
Status: Active Threat.
Verification: Verified by MD Pabel.