Threat Watch

SEO Injection Malware Targeting WordPress Sites

Sites used by Korean- and English-speaking users searching for free downloads have been the target of this tricky malware. Hidden indexing links are added, which then redirect users to spam pages. Once the malware has planted its JavaScript code in a page, the attackers can broaden the exposure of their attack and divert visitors to unfamiliar sites that could either deliver malware or steal personal information. Two samples have been seen in the wild so far, and the malware is believed to have been installed on 173 different sites. Sites compromised in this way are able to gather links from over a thousand sites in just one night. At the time of this writing, it is not yet known who is behind these attacks, but a development is sure to come in the near future.

ANALYST NOTES

Users or owners of sites that could be affected must go through the required cleanup process to mitigate the issue. This means removing the malicious code from the theme's functions.php file, as well as checking the WordPress database for tables with unfamiliar prefixes. The prefixes would be backupdb_wp_, backupdb_wp_posts and backupdb_wp_lstat.
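
One way to run the table check from the analyst notes, as an added example that is not part of the original report: it reads `$table_prefix` from wp-config.php text and sorts a `SHOW TABLES` listing into tables matching the listed `backupdb_wp_` prefix, tables outside the site's configured prefix, and expected tables. The sample config, the table list and the function names are constructed for illustration.

```python
import re

# All three names listed in the analyst notes start with this prefix.
IOC_PREFIX = "backupdb_wp_"

def configured_prefix(wp_config_text):
    """Return $table_prefix from wp-config.php text (assumed default: 'wp_')."""
    m = re.search(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""",
                  wp_config_text, re.MULTILINE)
    return m.group(1) if m else "wp_"

def classify_tables(table_names, wp_prefix):
    """Sort table names into IoC matches, other unfamiliar tables, expected."""
    report = {"ioc": [], "unfamiliar": [], "expected": []}
    for raw in table_names:
        name = raw.strip()
        if not name:
            continue
        lowered = name.lower()
        # Plain string comparison on purpose: in SQL LIKE an unescaped "_"
        # is a single-character wildcard and would over-match.
        if lowered.startswith(IOC_PREFIX):
            report["ioc"].append(name)
        elif lowered.startswith(wp_prefix.lower()):
            report["expected"].append(name)
        else:
            report["unfamiliar"].append(name)
    return report

# Constructed sample input: a wp-config.php fragment and a SHOW TABLES listing.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
// $table_prefix = 'old_';
$table_prefix = 'wp_';
"""
SAMPLE_TABLES = ["wp_options", "wp_posts", "wp_users",
                 "backupdb_wp_posts", "backupdb_wp_lstat", "stats_archive"]

if __name__ == "__main__":
    result = classify_tables(SAMPLE_TABLES, configured_prefix(SAMPLE_WP_CONFIG))
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Tables reported as unfamiliar are only candidates for review, since plugins and other applications sharing the database can legitimately use their own names.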