The BabaYaga malware infects websites that use WordPress, one of the most popular content management systems. Although the malware has existed for quite some time, it was recently highlighted again because WordPress site infections have continued to be a major problem: compromised sites host malware that is delivered to targeted victims through links in phishing messages. BabaYaga, named for a mythical Russian character, has more advanced capabilities than most other malware that targets WordPress. After it infects a website, it creates a backup, updates WordPress to the latest version to keep other malware out, and actively seeks out and removes competing malware. It hides in plain sight, using filenames that blend in with other common WordPress files, and contains functionality to automatically reinstall itself if it is discovered and removed.
Analyst Comments: This malware is not new, but it is worth the attention of defenders. Binary Defense analysts have detected malware distributed through many compromised WordPress sites recently, used as a component of malware phishing operations. Phishing campaigns use links to malicious files, such as macro-laden Word or Excel files, hosted on compromised websites, often disguised behind URL rewrite rules so that the link looks unsuspicious because no filename appears in the URL. Some of these URLs are placed directly in the email body, while others are embedded in an otherwise benign document, which evades detection by making it harder for email threat scanners to find the URL at all. Owners of WordPress sites should consider using the auto-update feature to keep their WordPress site patched, and should use a file integrity monitoring program or service that alerts when new or unexpected files are uploaded to the WordPress site.
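As an added example (not from the original article or from Binary Defense), a minimal Python file-integrity baseline of the kind the analyst comment recommends: it hashes every file under a WordPress document root, diffs the result against an earlier snapshot to report added, removed and modified paths, and separately flags PHP files under wp-content/uploads, where only media belongs. The directory layout, the extension list and the simulated changes in run_demo() are assumptions constructed for this example.

```python
import hashlib
import os
import tempfile

UPLOADS = "wp-content/uploads/"          # assumption: standard WordPress layout
EXEC_EXT = (".php", ".phtml", ".php5")   # executable extensions that never belong in uploads

def hash_file(path):
    """SHA-256 of a file, streamed so large media files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map of relative path -> sha256 for every regular file under root."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return snap

def compare(baseline, current):
    """Diff two snapshots and flag executable files under the uploads directory."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
        "php_in_uploads": sorted(p for p in current
                                 if p.startswith(UPLOADS) and p.lower().endswith(EXEC_EXT)),
    }

def run_demo():
    """Constructed scenario: baseline a tiny site, then simulate a tampered core file and a dropped PHP file."""
    root = tempfile.mkdtemp()
    def write(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(text)
    write("index.php", "<?php require __DIR__ . '/wp-blog-header.php';")
    write("wp-content/uploads/2019/12/photo.jpg", "constructed-jpeg-bytes")
    baseline = snapshot(root)
    write("index.php", "<?php /* tampered */ require __DIR__ . '/wp-blog-header.php';")
    write("wp-content/uploads/2019/12/wp-cache.php", "<?php /* constructed dropped file */")
    return compare(baseline, snapshot(root))
```

In production, store the baseline output of snapshot() outside the web root (or off-host) and re-run compare() on a schedule, since malware that reinstalls itself will show up as a repeated "added" entry.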
For more information on BabaYaga: https://securityboulevard.com/2019/12/malware-spotlight-what-is-babayaga