CyberWire Daily - BabaYaga strangely symbiotic Wordpress malware. [Research Saturday]
Episode Date: July 28, 2018
Researchers at Defiant recently analyzed a malware family they named "BabaYaga," which has the curious behavior of clearing out other malware and keeping infected sites up to date. Brad Haas is a senior security analyst at Defiant, and he guides us through their findings. The research can be found here: https://www.wordfence.com/blog/2018/06/babayaga-wordpress-malware/
Transcript
You're listening to the CyberWire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management
with AI-powered automation,
and detecting threats using AI
to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
I am kind of a technical lead with the team that handles site cleaning for WordFence.
That's Brad Haas. He's a senior security analyst at Defiant.
The research we're discussing today is titled Baba Yaga, the WordPress malware that eats other malware.
We collect the information that we can gather from a hacked
website and from all the different cases we work on, we collect the threat data together and we
can correlate it and analyze it and try and figure out what's happening with any given set of malware
or, you know, if we notice a trend or whatever, we can start looking into it and try and get the
bigger picture about it. So this was the product of one of those efforts.
You know, this is malware that we've seen on all kinds of different sites for a long
period of time.
So it piqued our interest and we started digging deeper into it.
So besides being fun to say, why the name Baba Yaga?
That was a suggestion by my boss, Mark Maunder. We were discussing
possible names that we could give it. And we were looking at names that reflected its, I guess,
the personality of the malware. So we were thinking about trying to name it after an animal that eats
other animals of its kind or something like that. But I mentioned that it does have Russian background.
So he came up with the name Baba Yaga as a mythical beast from Slavic folklore.
I see.
So let's walk through exactly what we're dealing with here.
Why don't we start with how would someone find themselves infected with this?
Have you determined what the infection vector is?
There are a number of different attacks that this group seems to use.
And I think this is the case probably for most hacker groups
that are targeting WordPress websites,
that they throw everything they can at them, basically.
The typical WordPress site
doesn't have a lot of protection in place.
Most sites, I think,
they belong to small organizations
or their personal websites or things like that.
So there's no active monitoring or really advanced protection.
And so hackers are able to just shotgun all kinds of different attacks at a website and just see what sticks.
And so with this group, we've seen evidence that they use various exploits of outdated plugins and things like that.
Like I said, they can just try all kinds of different exploits against a site, whether
the site actually runs those plugins or not, and see if anything works.
And then the other big thing that they use is attacks related to passwords.
And so they're trying to get sites that are using weak passwords or especially ones where passwords have been leaked as part of a data breach from a different organization.
If somebody uses a password at one place that gets hacked and they use the same password on their WordPress site, that's one of the ways that this group seems to break into WordPress sites.
Let's dig into what exactly is going on here.
Give us an overview.
What's the functionality and what are they trying to accomplish?
So the primary goal of the malware that we've seen is to basically just put spam out there.
We've seen a couple of different schemes for it, but ultimately what they're trying to do is make money from either referrals or affiliate programs, basically of
services, whether those services are legitimate or not. So they compromise WordPress site and
make sure that it's in good working order. The malware does this, it can remove other malware
and it can actually update WordPress and make sure that it's working as expected. And then the code will respond
differently to a search engine than it will to real human traffic. So when a search engine comes
to the site, the infected site, the search engine sees pages or documents full of links that are
designed to manipulate and boost the rank of this spam,
therefore driving traffic to these other programs that ultimately get affiliate revenue for the
hackers.
And when a person who's not a search engine hits the site, what happens then?
For the most part, the site behaves normally. The malware is kind of designed to fly under the radar. So they're
trying to avoid detection. So if a person finds a real page on the site that the hackers didn't
create, that's just a real part of the site, then the site behaves normally. But if a person happens
to find one of those spam backlinks that the hackers have created,
and if they follow that link to the infected site,
then they'll actually get redirected to the service.
Like the one that we saw that we mentioned in the paper was an essay writing service.
That service has an affiliate program where if a person signs up,
then the hacker gets $15 or something. So if a person happens to follow one of those spam links into an infected site,
they'll get redirected to that essay writing service
and the hackers hope that they'll sign up and pay for the service.
Now there's some interesting things going on here in terms of the hackers hiding their code
and also having some redundancy to try to maintain persistence.
Can you take us through what was going on with that?
Yeah, it's something that's fairly common with WordPress malware,
that the hackers, they want to make sure that they maintain access to a site
no matter what happens, basically.
So there's a number of different ways that the Baba Yaga malware
tries to guarantee that the hackers will maintain their access to an infected site.
They have different backdoor files that they kind of sprinkle around the site and they're
designed to blend in with legitimate WordPress files. So they name the files in a way that
looks very similar to legitimate WordPress files. They take code out of core WordPress files
and then they put it into their backdoor files,
but commented.
So if you just glance at a file,
it really looks like a real core WordPress file.
But there's just subtle little bits of code
that are hidden that are actually malicious
and those enable the hackers to come back in and reinfect
the site. So even if somebody notices the extra files that the hacker has created, these
backdoors are designed to make it so that the hackers can come back in and recreate those easily.
So they have those hidden backdoors. They also have a few other ones that,
like I said,
they just kind of sprinkle liberally through an infected site
just to try to make sure that even if somebody notices they've been hacked
and tries to take steps to clean it up,
the hackers hope that they will miss something
and then the hackers will be able to get back into the site.
And what's going on in terms of communications with a command and control server?
They have a command and control server set up for both the backdoor that they have
and also the primary malware that actually does the search manipulation bit. So the backdoor has
a command and control server that it can talk to and it collects information about the site and can report it to the command and control server.
It can get newer versions of the malware and update itself.
Really, it's just like any other well-developed piece of software.
It's able to check for updates and install updates and look for any new instructions that the hackers have set up for infected sites. So it will
periodically check in or, you know, that the hackers can kind of sweep by and force it to
check in and make changes if they wanted to. And then the code that's responsible for the
search engine manipulation also talks to a different command and control server.
And that's where it kind of reports on the search performance of the site.
And it will go there and fetch whatever spam the hacker wants to put out there into the world.
So, you know, maybe today it's essay writing services.
Maybe tomorrow they find a different affiliate program that will get them more money,
then the malware will go fetch that content and start
presenting that to search engines instead.
It was interesting too, you discovered that
there's some runtime measurement built in to kind of keep the software running below the radar,
I suppose?
I think that's probably the purpose of it because a lot of web hosting companies will
penalize a website if it's using too many server resources or if it has a
script running for too long of a time. And part of the backdoor code involves crawling up from
the directory where a website lives and trying to discover other websites, you know, maybe that are
part of the same hosting account to infect those as well.
In a large account, that could involve quite a lot of directories to crawl through and try and discover sites.
So yeah, I think performance is just as much an issue that the authors of this malware have to deal with as any other developer.
So they're trying to measure their performance and presumably make their software work as quickly as possible.
Because there are a lot of constraints in the typical hosting environment.
They're trying to make sure that one customer's resource usage doesn't get out of control and affect things for everyone else.
So the malware authors have to operate in that same environment.
So that involves some trade-offs of performance versus having their code do whatever they want.
It was interesting to me also that this malware
can perform backups and upgrades.
What's going on with that?
Since the purpose of the malware is to manipulate search engines
and drive traffic to the services that they want, they need websites to be in good
working order. And so part of that is to be able to upgrade WordPress or reinstall WordPress. If
it happens to not be working for some reason, I assume they would run this code to update or fix
it. At first, we didn't know ultimately what the malware was doing.
When I started the analysis, I was looking at that code first that fixes WordPress or
updates or reinstalls it. And I had no idea why it would want to do that. But eventually,
we discovered the reason for its existence is to have search engines crawl and index these spam results
so that the malware authors need the website to be in good working order.
Otherwise, the search engine, the spam won't get indexed
or maybe the search engine will ignore the site
because it's broken or something like that.
So part of the effort to make sure the site works
is to be able to fix WordPress or update it. And then
the other part of that was to search for any existing malware and delete it.
Yeah, take us through that. I mean, do you think it's looking for competition or is it part of that effort to
keep things up and running without drawing any attention to the site?
I think it's both. At first
I saw that code and I figured that the author of Baba Yaga was the same
author of all of this other malware that it's checking for. You know, maybe they had older stuff
they were wanting to remove. But, as you know, again, as the purpose of the malware became clear,
I realized that what it's probably doing is removing competition, not necessarily because
the author has anything against these other malware authors,
but again, just to make sure the site doesn't do anything that will prevent it from being indexed
by search engines. So it looks like a malware scanner. It looks like some of these WordPress
security plugins, a little bit like WordFence, even that it has these signatures that belong to
common other malware. And if it finds them, then it can run this code that deletes that malware
out of a file and restore the file to its original uninfected state. There's also some
code that looks for simple defacements, which is where
someone has broken into a site and just rewrites the index file with hacked by whoever.
So it looks for any of those and it just deletes those. And then if possible,
it'll restore whatever file is overwritten by the defacement. So it's going for a few different things there.
And like you said, it's both removing competition, but also trying to avoid notice.
Because really what they want to do is make sure nobody really notices the websites are getting hacked.
And the search engines don't notice that anything strange is going on.
They'll just go ahead and index those spam pages
and drive the traffic that the hackers want.
Then everybody wins, I guess.
Well, that's an interesting way to frame it too,
because if I'm running a WordPress site
that gets infected with Baba Yaga,
am I likely to know?
Are there going to be any performance issues?
How will I know that there's a problem?
Will I even know there's a problem?
I don't think that there would be a way for you to notice
unless you're either running a security product like WordFence
or maybe if you're really actively monitoring your performance in search results,
then you might notice some of these spam pages starting to show up
in the search results for
your site. But otherwise, if you're not taking some kind of active measure to really watch for
changes to your code or changes to the pages that your site is generating or the search results
for your site, then I don't think that you'd probably ever notice.
It's interesting in your research, you use the phrase that it's a symbiotic relationship.
And I think that's interesting because I can see, if we just sort of put aside the fact that malware is bad, if I'm running my site and someone is doing updates for me and backups for me and
making sure that my site isn't infected with other malware,
the performance of my site hasn't been affected, and I don't even notice that anything's going on
here. It's a funny thing to think about, isn't it? Do we actually have a problem?
It is. It's a very unusual question that I don't think I've seen come up in any of the other
malware that I've researched. There is a problem, obviously, because it is someone else using websites that belong to other people, and that's not okay.
That's never okay.
And obviously, if something came up that was even less ethical, I'm sure that they would switch to that.
If there was some kind of way to use these sites
to attack something and make more money that way, I imagine they wouldn't have any qualms about
switching to that instead.
Right. So let's not fool ourselves into thinking that they're doing
this for anyone's benefit but their own.
Right. Right. And the other thing is that the way that
they are manipulating search engine ranking is also going to harm other organizations that would
be competing that aren't doing this kind of shady work. So if you have some honest essay writing
service and you're just writing genuine content to try and promote yourself or whatever, then I
think that the spam code that we saw when we were analyzing it would probably just roll right over you and then the hackers win at your expense.
Right, right.
So what are your recommendations for people to protect themselves against this?
Well, my first recommendation for anyone using a WordPress site, obviously, is to use a security plugin.
I have to recommend WordFence. I think it's the
best out there.
You're completely unbiased.
Right. Yes. Of course. Scientifically.
As security professionals, we always talk a lot about defense and depth. So there has to be a
broader awareness of security as part of the entire way that you run a website. So running WordFence or whatever
security product is part of it, sure. But there is also, you have to make sure that you use secure
password practices. You can't use a weak password on your website or it will eventually get guessed.
The hackers will guess it and they'll break in. You can't use the same password for your website as you use for any
other account. You just can't do that anymore. Maybe a decade ago, that would have been okay
or something. But in this age of massive data breaches and password leaks, you just can't do that. So using a password manager is something that I would also really wholeheartedly recommend.
If you don't do that already, now is the time to start.
And that includes the password that you use to log in and do administration on your website.
Another really important thing, obviously, is to keep your website up to date.
And that includes WordPress, every plugin or theme.
Just make that part of the life of your website.
It's just consistently checking for updates and applying them as soon as possible.
Because part of the benefit of that is you may notice problems sooner, you know, if your site has been compromised or something that can help.
And the other part is, of course, protecting it in the first place from outdated, maybe vulnerable plug-in you might have.
Updating can patch those vulnerabilities and help protect your site.
Our thanks to Brad Haas from Defiant for joining us. The research is titled Baba Yaga, the WordPress malware that eats other malware.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker
is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.