Specialists from Defiant (formerly WordFence) published a detailed report about the BabaYaga malware, which attacks WordPress sites. The malware not only removes competing malware from infected resources, but also installs updates on victims' websites.
In their report, the researchers say that the BabaYaga malware, apparently created by Russian-speaking criminals, is not new; it simply did not stand out before and did not pose a great danger, but everything changed after its latest updates.
Currently, BabaYaga uses infected WordPress sites to inject SEO spam pages and redirect visitors to various trading platforms that pay the malware operators for this traffic. If a redirected user makes a purchase on such a site, the attackers make a profit.
The malware includes two main modules. The first is used to inject spam content into the pages of infected sites. The second is a backdoor that allows the attackers to gain full control of and access to a compromised resource at any time. The researchers note that the malware is written very skillfully and that its developers are definitely not newbies. From a technical point of view, BabaYaga can also be used to attack sites running Joomla, Drupal, and even generic PHP sites, but so far it is concentrated entirely on WordPress.
Two features distinguish BabaYaga from other malware of this kind. First, the malware can remove competing threats from infected sites. Second, it is able to install updates and even perform a complete reinstallation of WordPress on the victim's site. Defiant explains that these features are closely related to the spam injection functionality: it is important to the authors of BabaYaga that the site works without bugs or failures and is updated to the latest versions:
“Since the core functionality of BabaYaga is performed along with loading WordPress pages, [the malware] needs the application to work correctly. If something breaks in WordPress, the malicious script will not be able to execute when someone visits the page.”
At the same time, the experts emphasize that the update mechanism is not a useless feature that ended up in the code by accident. BabaYaga makes full use of its capabilities: the malware operators closely monitor their campaigns, and the malware even carefully creates backups in case an update fails (if everything goes as it should, the backups are deleted).
For the same reasons, BabaYaga gets rid of its competitors. To work, the malware needs a clean, correctly functioning website, whereas a competitor's malware may be poorly written, causing crashes and interfering with BabaYaga's operation. In addition, repeated failures and errors can attract the attention of the site administrator, who would eventually discover the infection on the site, which is undesirable for the intruders.