Experts at the Chinese company Qihoo 360 have uncovered an interesting scheme: hacked WordPress sites are infected with the Linux.Ngioweb malware, and the compromised sites are then used as exit nodes by the commercial proxy service Free-Socks[.]in. In effect, users relying on Free-Socks proxies are routing their traffic through a network of hacked sites scattered around the world, and any abuse by those users shows up under the site owners' IP addresses.
The researchers write that each compromised site is infected with a web shell (which acts as a backdoor) and with Linux.Ngioweb, which acts as the proxy agent.
Linux.Ngioweb uses two separate tiers of control servers. The first (Stage-1) manages all infected sites (bots). The second (Stage-2) is a set of back-connect proxies sitting between the Free-Socks service and the infected sites; it is Stage-2 that forwards client traffic to the hacked WordPress sites.
It is noted that Linux.Ngioweb is in fact a Linux port of Win32.Ngioweb, discovered in August 2018 by Check Point. The Windows version was likewise a proxy bot that operated in a similar way. The main difference in the Linux variant is its use of a DGA (Domain Generation Algorithm), which produces a new set of Stage-1 domains every day.
By reverse-engineering the DGA used by the attackers, the researchers were able to gauge the scale of the operation: during the observation period they identified 2,692 compromised WordPress sites, more than half of them located in the United States.
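As an added illustration (not code from the Qihoo 360 report, and not the actual Linux.Ngioweb algorithm, which the page does not describe), the following Python sketch shows why a daily DGA cuts both ways: the bot and an analyst who has recovered the algorithm compute the same domain list for a given date, so the analyst can pre-compute a window of domains, register or sinkhole them to count the bots that call home, and match the names against DNS logs. The seed, TLD list, label lengths and log-line format are all assumptions made for the example.

```python
from __future__ import annotations

import datetime as dt
import hashlib
import re

# Hypothetical campaign constants. These are NOT the real Linux.Ngioweb
# parameters (the page gives none); they only make the example deterministic.
SEED = b"example-campaign-seed"
TLDS = ("com", "net", "org")


def dga_domains(day: dt.date, count: int = 8, seed: bytes = SEED) -> list[str]:
    """Return the candidate Stage-1 domains for one calendar day.

    Hypothetical DGA: each candidate is derived from SHA-256 over a fixed
    seed, the ISO date and a counter, so bot and analyst produce the same
    list as long as they agree on the date.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        length = 10 + digest[0] % 6                      # label length 10..15
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def precompute(start: dt.date, days: int, count: int = 8) -> dict[str, dt.date]:
    """Defender side: enumerate every domain the bots will try over a window.

    The same reversing result that lets an analyst register or sinkhole the
    domains (and so count the bots) also yields a lookup table for log matching.
    """
    table: dict[str, dt.date] = {}
    for n in range(days):
        day = start + dt.timedelta(days=n)
        for domain in dga_domains(day, count):
            table[domain] = day
    return table


# BIND-style query log pattern; the log format is an assumption for the example.
QUERY_RE = re.compile(r"query:\s+(\S+)\s+IN\s")

WINDOW_START = dt.date(2019, 5, 20)
WINDOW_DAYS = 7

# Constructed DNS log lines, not a real capture. One line carries a domain
# taken from the hypothetical DGA so that the matching below is exercised offline.
SAMPLE_LOGS = [
    "20-May-2019 10:01:02 client 10.0.0.5#51234: query: wordpress.org IN A +",
    "20-May-2019 10:01:09 client 10.0.0.5#51240: query: "
    f"{dga_domains(WINDOW_START)[3]} IN A +",
    "20-May-2019 10:02:15 client 10.0.0.7#40001: query: api.github.com IN AAAA +",
]


def match_dns_logs(lines: list[str], table: dict[str, dt.date]) -> list[tuple[str, dt.date]]:
    """Return (domain, generation day) for every queried name found in the table."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group(1).lower().rstrip(".")
        if name in table:
            hits.append((name, table[name]))
    return hits


if __name__ == "__main__":
    window = precompute(WINDOW_START, WINDOW_DAYS)
    print(f"{len(window)} candidate domains for {WINDOW_DAYS} days")
    for name, day in match_dns_logs(SAMPLE_LOGS, window):
        print(f"DGA hit: {name} (generated for {day})")
```

Because the table is keyed by the exact generated names, a bot whose clock is off by a day will be looked up under a neighbouring date, which is why a defender pre-computes a window of several days rather than a single one.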
At present, all of the hacked sites have been cleaned of the malware and returned to normal operation. A list of IP addresses and other indicators of compromise can be found in the researchers' report.