EXECUTIVE SUMMARY:
A malware campaign targeting WordPress websites uses an infection chain that evades common detection methods. Unlike typical compromises marked by defacement or suspicious plugin activity, this attack operates silently in the background: the site keeps serving normal content while a combination of obfuscated PHP scripts, per-IP evasion, and layered payload delivery pushes a Windows trojan to the site's visitors.
The core of the infection is two malicious PHP files, header.php and man.php, deployed across the WordPress environment. header.php is the controller: it profiles each visitor, checks the visitor's IP address against a blacklist kept in a count log file so that an address is served the payload only once, and dynamically generates an obfuscated Windows batch script. The batch file is pushed to the browser as a forced download by manipulating the HTTP response headers, and once run it drives a multi-stage process on the victim's machine: it downloads a ZIP archive containing a Remote Access Trojan (RAT), extracts the archive with PowerShell commands, executes the payload, and establishes persistence by adding a registry Run key entry that auto-launches the trojan at Windows startup. man.php is the attacker's administrative interface for the IP log, with options to view, reset, or append entries. Serving each IP once is as much an anti-analysis measure as a way to avoid re-infection: a second request from an address that is already in the log returns nothing malicious, so a single re-fetch from an analyst's workstation will not reproduce the download.
This campaign shows how threat actors are refining web-based malware delivery for stealth and persistence. By pairing a web server infection with client-side deployment through batch and PowerShell scripts, the attackers split the evidence across two environments: the server holds only a small PHP controller, while the RAT lives on the visitor's machine, which makes detection and remediation harder. Website owners should watch for signs of compromise, such as header.php or man.php files outside the theme and plugin directories, PHP that sets Content-Disposition headers for .bat downloads, and writable IP log files in the web root, and should investigate thoroughly, as infections like this can lead to the covert takeover of visitor machines, data theft, and prolonged attacker control.
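The following triage scanner is an added example, not code from the report or from the campaign's own files. It walks a WordPress tree and scores each PHP file against the behaviours the report attributes to header.php: a forced .bat download via response headers, per-IP gating written to a local log file, a runtime-decoded stage, a PowerShell hand-off, and a Run key string. The indicator regexes, weights, alert threshold, and the two PHP fixtures (a benign theme header and a suspect controller) are constructed assumptions for illustration; the real samples were not available to build signatures from.

```python
"""Triage scanner for the WordPress-to-Windows delivery chain described above.

Added example. Indicator patterns are assumptions about what a PHP dropper
must contain to behave as the report describes; they are not signatures
extracted from the actual header.php / man.php samples.
"""
import re
import tempfile
from pathlib import Path

# name -> (regex, weight). Weights and the threshold are assumed values.
INDICATORS = {
    # header.php forces the generated batch file down as an attachment
    "forced_bat_download": (re.compile(
        r"Content-Disposition\s*:\s*attachment.{0,80}?\.bat\b", re.I), 3),
    "octet_stream": (re.compile(
        r"Content-Type\s*:\s*application/octet-stream", re.I), 1),
    # per-visitor IP gating: reads the client address ...
    "reads_client_ip": (re.compile(
        r"\$_SERVER\s*\[\s*['\"](?:REMOTE_ADDR|HTTP_X_FORWARDED_FOR)['\"]\s*\]"), 1),
    # ... and persists it to a local log file
    "writes_local_file": (re.compile(
        r"\b(?:file_put_contents|fwrite|fopen)\s*\(", re.I), 1),
    # obfuscated stage decoded at request time
    "runtime_decode": (re.compile(
        r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 2),
    # the batch script hands off download/extraction to PowerShell
    "powershell_handoff": (re.compile(
        r"powershell(?:\.exe)?|Expand-Archive|Invoke-WebRequest|DownloadFile", re.I), 2),
    # persistence via a Run key
    "run_key": (re.compile(r"CurrentVersion\\{1,4}Run\b", re.I), 2),
}
ALERT_THRESHOLD = 5  # assumed; tune against your own false-positive rate


def scan_source(src: str) -> dict:
    """Score one PHP source string; returns hits, score and an alert flag."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(src)]
    score = sum(INDICATORS[h][1] for h in hits)
    # Reading REMOTE_ADDR alone is common in legitimate plugins; the gating
    # behaviour is read-then-persist, so the pair earns an extra weight.
    if "reads_client_ip" in hits and "writes_local_file" in hits:
        score += 2
    return {"hits": hits, "score": score, "alert": score >= ALERT_THRESHOLD}


def scan_tree(root: Path) -> list:
    """Scan every .php file under a WordPress root, highest score first."""
    results = []
    for path in root.rglob("*.php"):
        try:
            src = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        result = scan_source(src)
        if result["hits"]:
            results.append((str(path), result))
    return sorted(results, key=lambda kv: -kv[1]["score"])


# Constructed fixture: a normal theme header template. The file name
# header.php is legitimate in a theme, so content, not name, decides.
BENIGN_SAMPLE = r"""<?php /* constructed theme header, not from any real theme */ ?>
<!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head><meta charset="<?php bloginfo('charset'); ?>"><?php wp_head(); ?></head>
<body <?php body_class(); ?>><?php wp_body_open(); ?>
"""

# Constructed fixture mirroring the behaviours the report describes; it is
# not the real controller and contains no payload.
SUSPECT_SAMPLE = r"""<?php
// constructed for this example, NOT the campaign's header.php
$ip = $_SERVER['REMOTE_ADDR'];
$log = __DIR__ . '/count.log';
if (strpos((string) @file_get_contents($log), $ip) !== false) { return; }
file_put_contents($log, $ip . "\n", FILE_APPEND);
$bat = base64_decode($blob) . "\r\npowershell -c Expand-Archive x.zip\r\n"
     . "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v u /d x.exe\r\n";
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="update.bat"');
echo $bat;
"""


def demo() -> list:
    """Write both fixtures into a temporary WordPress-like tree and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        theme = root / "wp-content" / "themes" / "theme"
        theme.mkdir(parents=True)
        (theme / "header.php").write_text(BENIGN_SAMPLE)
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "header.php").write_text(SUSPECT_SAMPLE)
        return scan_tree(root)


if __name__ == "__main__":
    for path, result in demo():
        flag = "ALERT" if result["alert"] else "info"
        print(f"{flag:5} {result['score']:2}  {path}  {','.join(result['hits'])}")
```

Run it against a real site with `scan_tree(Path("/var/www/html"))`. The weighting matters more than any single pattern: `file_put_contents` and `REMOTE_ADDR` appear in plenty of legitimate code, but a file that also emits an octet-stream attachment named `*.bat` and decodes a blob at request time is worth a manual look regardless of its name or location.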
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | – |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027 | Obfuscated Files or Information | – |
| Defense Evasion | T1070.004 | Indicator Removal on Host | File Deletion |
| Discovery | T1082 | System Information Discovery | – |
| Discovery | T1016 | System Network Configuration Discovery | – |
| Collection | T1005 | Data from Local System | – |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | – |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
|---|---|---|
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Anti-Behavioral Analysis | B0036 | Capture Evasion |
| Command and Control | B0030 | C2 Communication |
| Defense Evasion | B0025 | Conditional Execution |
| Defense Evasion | B0027 | Alternative Installation Location |
| Defense Evasion | F0001 | Software Packing |
| Defense Evasion | F0005 | Hidden Files and Directories |
| Discovery | B0013 | Analysis Tool Discovery |
| Discovery | E1083 | File and Directory Discovery |
| Execution | B0011 | Remote Commands |
| Persistence | B0022 | Remote Access |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
REFERENCES:
The following reports contain further technical details: