BabaYaga: The WordPress malware that eats other malware

Wednesday, 06 June 2018 / Published in News, Security

Recently, Defiant’s analysts have been tracking a particularly sophisticated malware infection responsible for generating spam links and redirection, while still remaining relatively difficult for victims to detect.

Dubbed “BabaYaga” by Defiant’s team, this infection is notable for containing code capable of removing its competition. BabaYaga actually has the ability to remove other malware.

While this malware isn’t brand new, it caught some attention with a wide array of features conducive to persistent infection. None of these countermeasures are groundbreaking individually, but taken as a whole they comprise a suite of functionality unusually comprehensive and effective for spam droppers.

In today’s post, Defiant has published a comprehensive white paper on the functioning and detection of BabaYaga. The paper includes a breakdown of the functions the malware provides, including its ability to maintain WordPress and to detect and remove other malware variants. An appendix lists indicators of compromise in the form of YARA signatures, IPs and hostnames.

This accompanying blog post provides a summary of Defiant’s findings for WordPress site owners.

The Payload

BabaYaga’s primary function is to generate spam content to be hosted on the victim’s site. These pages are loaded with keyword-heavy and meaningless word salad, designed to attract search engine traffic based on those keywords.

In the sample case that was studied, the target market was a common one for spammers: essay writing services.

The payoff for these spammers comes in the form of affiliate marketing services. When a human visitor reaches an infected page of the site after following a link from a search, embedded JavaScript executes a malicious redirect to an affiliate site. Any purchases made at the destination site generate income for the attacker, and at that point it becomes a numbers game.

While the majority of visitors are probably savvy enough to recognise a malicious redirect to a suspicious site and leave, even a modest number of less-observant individuals would produce a respectable payout for the adversary.

Persistent Infection

As noted above, BabaYaga’s novelty stems from the use of a number of countermeasures, each with the intention of ensuring that it remains active on its host.

The infection’s primary files, responsible for generating spam content, each contain identical copies of the same code, but obfuscated (hidden) with different techniques. This redundancy affords the attacker some insurance: if one or more infected files are caught and remediated, there may still be others that went undetected.

These files feature a number of backdoor functions that can facilitate launching a complete reinfection if a single infected file is still present.

Some of the persistence features present in the BabaYaga infection include:

  • “Phone-home” features, which allow the script to pull down new, potentially updated copies of itself from a control server.
  • Two distinct file uploaders, used by attackers to manually upload arbitrary files to victims’ sites.
  • Shared-directory spreading, automatically infecting multiple sites within the same parent directory structure typical of shared hosting accounts.
  • WSO Shell, a popular and full-featured PHP web shell which gives an attacker access to a file manager, shell command execution, and more.
  • Several instances of placeholder index files — the “Silence is golden.” files commonly found in theme and plugin directories — have arbitrary remote code execution functions injected into them.

Together, all of these measures give the attacker plenty of options to choose from to reestablish an infection, or make changes to the functionality of the infection itself.
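The tampered “Silence is golden.” placeholder files described above are one of the few BabaYaga artefacts a site owner can check for without the white paper’s YARA rules. The script below is an added example, not code from Wordfence or Defiant: it walks a WordPress tree, flags any `index.php` that still carries the placeholder comment but no longer matches WordPress’s canonical placeholder content, and separately reports PHP files that call functions typical of web shells and uploaders (`eval`, `base64_decode`, `move_uploaded_file`, and so on). The miniature `wp-content` tree it scans is constructed in a temporary directory for the demonstration; the function list is an assumption of what a reviewer would want flagged, so a hit is a lead for manual review rather than proof of infection.

```python
"""Spot tampered WordPress placeholder index.php files and flag risky PHP calls.

Added example (not from the article or from Wordfence/Defiant). The demo tree
is constructed sample data; point scan_tree() at a real docroot to use it.
"""
import os
import re
import tempfile

# Canonical content WordPress ships in wp-content/index.php and similar files.
PLACEHOLDER = "<?php\n// Silence is golden.\n"

# Function names that rarely belong in placeholder or theme files. This list is
# an assumption for the example; tune it to your environment.
RISKY_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|system|shell_exec|passthru|"
    r"move_uploaded_file|file_put_contents|curl_exec)\s*\(",
    re.IGNORECASE,
)


def normalise(text):
    """Ignore line-ending and trailing-whitespace differences when comparing."""
    return text.replace("\r\n", "\n").strip()


def scan_tree(root):
    """Return sorted (relative_path, reason) findings for PHP files under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                body = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")

            # A placeholder that still says "Silence is golden" but carries
            # anything else has been edited; the stock file has no other code.
            if (name == "index.php" and "Silence is golden" in body
                    and normalise(body) != normalise(PLACEHOLDER)):
                findings.append((rel, "placeholder-modified"))

            calls = sorted({m.group(1).lower() for m in RISKY_CALLS.finditer(body)})
            if calls:
                findings.append((rel, "risky-calls:" + ",".join(calls)))
    return sorted(findings)


def build_demo_tree():
    """Constructed miniature wp-content tree (sample data, not a real site)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        "wp-content/index.php": PLACEHOLDER,
        "wp-content/plugins/index.php": PLACEHOLDER,
        # Constructed tampered placeholder: a non-functional stand-in for code
        # appended after the comment.
        "wp-content/themes/index.php": PLACEHOLDER
        + "function injected_example() { return base64_decode('AAAA'); }\n",
        # Ordinary theme code that should not be flagged.
        "wp-content/themes/demo/functions.php":
            "<?php\nadd_action('init', 'demo_init');\nfunction demo_init() {}\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reason in scan_tree(build_demo_tree()):
        print(f"{rel}: {reason}")
```

On the constructed tree only `wp-content/themes/index.php` is reported, once for the altered placeholder and once for the `base64_decode` call. Run against a live site, the placeholder check is the higher-signal of the two, because the stock file has exactly one comment line and nothing else; the function-name check is deliberately broad and will also match legitimate plugins, so treat it as a triage queue.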

Symbiosis

Because so much of the primary functionality of BabaYaga executes alongside WordPress on page load, it requires the application to be working properly. If something breaks WordPress, then the malicious scripts don’t get executed when a page is visited.

To this end, BabaYaga employs two features which would actually be helpful were it not for the malicious intent:

First, the malware includes features which the attacker can use to repair or upgrade the WordPress application software itself. It even handles the creation and cleanup of backup files, in the event that an upgrade fails.

Second, BabaYaga features more than one block of code used for rudimentary malware identification and removal. In other words, BabaYaga contains its own anti-malware feature to remove other malware that may break a site it occupies.

The rationale is simple: a good parasite wants to keep its host alive. If everything is up and working properly, the owner of an affected site can go without knowing anything is wrong indefinitely. However, if a less stealthy attacker finds their way in, or the site goes down for any number of other reasons, the site’s administrator will be forced to take a closer look at what is happening.

An admin investigating the site’s filesystem may stumble across an indicator of compromise, which obviously isn’t ideal for BabaYaga, so it does some housekeeping to avoid detection.
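Because BabaYaga keeps WordPress itself healthy and stores its code in several differently obfuscated files, a healthy-looking site is not evidence of a clean one. The defensive counterpart to the malware’s own “repair” feature is file integrity verification against a trusted checksum manifest: for core files WordPress publishes per-version checksums, and for themes and plugins the manifest can be taken from a clean deployment artefact. The script below is an added example, not code from the article or from Wordfence/Defiant; it builds a manifest from a constructed stand-in tree, then reports files that were modified, added or removed after the manifest was taken. The file names and contents are constructed for the demonstration.

```python
"""Verify a WordPress tree against a known-good SHA-256 manifest.

Added example (not from the article or from Wordfence/Defiant). The stand-in
files are constructed sample data; in practice the manifest comes from a
trusted source (published core checksums or a clean build), never from the
live site being checked.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large uploads do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each relative path under root to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(path)
    return manifest


def verify_tree(root, manifest):
    """Compare the current tree with the manifest.

    Returns {'modified': [...], 'added': [...], 'missing': [...]}, each sorted.
    'added' matters as much as 'modified' here: redundant obfuscated copies and
    dropped web shells show up as files the manifest never contained.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


def _write(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)


def demo():
    """Constructed scenario: take a manifest, then simulate three changes."""
    root = tempfile.mkdtemp(prefix="wp-core-")
    _write(root, "wp-load.php", "<?php // constructed stand-in for a core file\n")
    _write(root, "wp-content/themes/demo/functions.php",
           "<?php // constructed stand-in for a theme file\n")
    _write(root, "wp-content/uploads/.htaccess", "Options -Indexes\n")
    manifest = build_manifest(root)

    # Changes after the manifest was taken: an edited theme file, a new PHP
    # file in uploads, and a removed .htaccess. All contents are constructed.
    _write(root, "wp-content/themes/demo/functions.php",
           "<?php // constructed stand-in for a theme file\n// extra line\n")
    _write(root, "wp-content/uploads/2018/06/cache.php", "<?php // constructed\n")
    os.remove(os.path.join(root, "wp-content/uploads/.htaccess"))
    return verify_tree(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run on a schedule from a host the web application cannot write to, a manifest diff like this catches the class of change BabaYaga relies on (new PHP files under `uploads`, edited theme files, restored or “upgraded” core files) regardless of how the code inside them is obfuscated. Keep the manifest and the verifier outside the web root, since a file under the application’s control can be “repaired” by the same mechanism the malware uses.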

Source: Wordfence
