Malware targeting WordPress abuses Steam community profiles for command & control operations


GoDaddy researchers have reported malware infecting almost 2000 WordPress sites that employs steganographic comments hosted on Valve’s Steam platform to acquire its command-and-control instructions.

Rather than relying on self-hosted infrastructure, attackers embedded C2 instructions inside public Steam community and profile comments, hiding these using several invisible Unicode characters. The malware was designed to fetch Steam comments, strip them of visible characters, and decode the invisible Unicode characters into a binary stream which could then be read to extract the payload.
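As an added illustration of the decode step described above (example code, not GoDaddy's analysis code or anything from the malware itself), here is a defender-side scanner that flags comment text with an unusually high share of non-rendering characters and recovers whatever bit stream is hidden in it. The watched code points and the one-character-per-bit encoding are assumptions for the demo, since the article does not name the characters used.

```python
from typing import NamedTuple, Tuple

# Assumed set of non-rendering code points to watch for. The article says
# "several invisible Unicode characters" without naming them, so this list
# is an assumption, not the campaign's actual alphabet.
INVISIBLE = {
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE
}
# Hypothetical one-character-per-bit encoding, constructed for the demo.
BIT0, BIT1 = "\u200b", "\u200c"


class ScanResult(NamedTuple):
    invisible_count: int
    density: float
    decoded: bytes


def strip_visible(text: str) -> str:
    """Keep only watched invisible characters (the article's 'strip visible characters' step)."""
    return "".join(ch for ch in text if ch in INVISIBLE)


def decode_bits(hidden: str) -> bytes:
    """Read BIT0/BIT1 characters as a big-endian bit stream; drop a trailing partial byte."""
    bits = "".join("0" if ch == BIT0 else "1" for ch in hidden if ch in (BIT0, BIT1))
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def scan_comment(text: str, threshold: float = 0.2) -> Tuple[bool, ScanResult]:
    """Flag text whose share of invisible characters exceeds threshold; return details for logging."""
    hidden = strip_visible(text)
    density = len(hidden) / len(text) if text else 0.0
    return density > threshold, ScanResult(len(hidden), density, decode_bits(hidden))


def _hide(payload: bytes) -> str:
    """Used only to build the constructed sample below."""
    return "".join(BIT1 if (b >> (7 - i)) & 1 else BIT0 for b in payload for i in range(8))


# Constructed sample comment with a placeholder hidden string (not a real instruction).
SAMPLE_COMMENT = "gg well played " + _hide(b"PLACEHOLDER") + " :)"
CLEAN_COMMENT = "gg well played :)"
```

A threshold-based check like this is a triage aid, not a verdict: ASCII art and some legitimate scripts also use joiner characters, so flagged comments still need review.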

The instructions contained in these comments were further obfuscated, with the payload pointing to a JavaScript file called ‘lodash.core.min.js’, meant to mimic a popular JS library.

The malware can then maintain persistence on the server side even after partial clean-ups, update itself, and continue to read and inject code into the site's files and directories.

Here, William Wright, CEO of Closed Door Security, responds to the news: “The extensive use of obfuscation and steganographic techniques in this attack shows a clear desire by threat actors to cover their tracks in order to establish and maintain access to infected sites.

The use of public Steam content in lieu of a more traditional host for command-and-control infrastructure is likely a part of this effort. Steam is a trusted storefront for distributing PC games, and Valve provides a large amount of hosting for user-generated content to complement its social features, with relatively lax spam moderation compared to some platforms.

This means the platform can act as a cheap alternative to more overt hosting infrastructure, laundering the service's trusted domains; moreover, users regularly post ASCII art created with Unicode characters to the platform, meaning that the non-rendering Unicode characters used to encode the C2 payload are unlikely to trigger spam or moderation filters.

Because of the malware’s ability to maintain persistence inside servers, infected sites need to be restored from known clean backups. Site admins and operators moving forward need to be wary of outbound connections to unexpected domains, even if these are legitimate and connected with larger companies and brands.”

Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations – GoDaddy

WordPress malware campaign hides payloads in Steam profiles – BleepingComputer
