- Malware hides payload in Steam community comments
- WordPress Sites Used to Host Backdoors
- Almost 2,000 sites compromised since July
GoDaddy security researchers found a bold new malware campaign that used comments made by Steam community accounts as command and control (C2) infrastructure.
Here’s how the attack plays out: Attackers would first find vulnerable WordPress websites, or those protected by weak credentials, and use them to host PHP malware somewhere in the site’s files. For example, the sample was found in the ‘functions.php’ file of a theme. This malware contains a JavaScript injection component and a server-side backdoor.
Then, each time a visitor loads the infected website, the malware contacts one of several Steam Community profiles and downloads the content of the profile’s comments. On a surface level, these comments seem harmless (if incoherent), but they also contain invisible Unicode characters that carry the actual payload.
“This encoding allows binary data to be embedded within normal-looking text. The visible characters serve as camouflage while the invisible characters carry the actual payload,” GoDaddy said.
The malware then extracts the characters, converts them to binary data, and reconstructs the original bytes. The researchers discovered that this recovered data contains a URL controlled by the attackers, which points to a domain hosting a JavaScript file that spoofs a legitimate library.
The malware then uses WordPress to load attacker-controlled JavaScript on each front-end page, which visitors’ browsers then download and execute, infecting themselves in the process.
In the campaign, there are two sets of targets: the vulnerable WordPress websites and their visitors. Since discovering the campaign in July last year, GoDaddy said it has found nearly 2,000 compromised WordPress sites. Unfortunately, the research report stops short of describing what the malware does to visitors.
If you run a WordPress website, GoDaddy recommends looking for references to Steam community URLs, external JavaScript injections, as well as outbound connections from WordPress to Steam.
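The checks GoDaddy recommends can be scripted. The sketch below is an added example, not code from GoDaddy's report: it flags Steam Community references in PHP files, especially on lines that also make an outbound HTTP call, and lines carrying an unusual number of invisible Unicode characters. The report summary does not name the code points used, so the invisible-character test, the threshold and the sample strings are assumptions.

```python
import re
import unicodedata
from pathlib import Path

STEAM_REF = re.compile(r"steamcommunity\.com", re.I)
# PHP/WordPress calls that make outbound HTTP requests.
FETCH_CALL = re.compile(r"\b(wp_remote_get|curl_init|file_get_contents)\s*\(", re.I)
INVISIBLE_THRESHOLD = 8  # assumed cut-off: a lone BOM or emoji joiner is normal

# Constructed samples (not taken from the campaign).
SAMPLE_PHP = "<?php\n$r = wp_remote_get('https://steamcommunity.com/EXAMPLE-PLACEHOLDER');\n"
SAMPLE_COMMENT = "great profile" + "\u200b\u200c" * 10


def is_invisible(ch):
    """Assumed heuristic: Unicode format characters (Cf) and variation selectors."""
    cp = ord(ch)
    return (unicodedata.category(ch) == "Cf"
            or 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF)


def scan_text(name, text):
    """Return (name, line_no, finding) tuples for one file or comment body."""
    findings = []
    for no, line in enumerate(text.split("\n"), 1):
        if STEAM_REF.search(line):
            kind = "steam-url+fetch" if FETCH_CALL.search(line) else "steam-url"
            findings.append((name, no, kind))
        hidden = sum(1 for ch in line if is_invisible(ch))
        if hidden >= INVISIBLE_THRESHOLD:
            findings.append((name, no, f"invisible-chars:{hidden}"))
    return findings


def scan_tree(root):
    """Scan every .php file under a directory such as wp-content/themes."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        body = path.read_text(encoding="utf-8", errors="replace")
        findings += scan_text(str(path), body)
    return findings


if __name__ == "__main__":
    for hit in scan_text("functions.php", SAMPLE_PHP) + scan_text("comment", SAMPLE_COMMENT):
        print(hit)
```

A hit is a lead for manual review of the file, not proof of compromise; pair it with egress logs showing the web server itself connecting to Steam.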
Via BleepingComputer





