Full Report
A malware operation dubbed 'DollyWay' has been underway since 2016, compromising over 20,000 WordPress sites globally to redirect users to malicious sites. [...]
Analysis Summary
# Incident Report: DollyWay Malware Campaign Targeting WordPress Sites
## Executive Summary
The DollyWay campaign, active since 2016, compromised more than 20,000 WordPress websites, primarily outdated or vulnerable installations run by small businesses. Its persistence was unusually robust: malicious PHP was injected into every active plugin, a hidden copy of the WPCode snippets plugin housed obfuscated payload code, and hidden administrator accounts were created. The visible effect was forced redirection of legitimate visitor traffic to scam pages. Response efforts focused on locating and removing the injected and obfuscated PHP across the whole installation and deleting the hidden accounts from the database.
## Incident Details
- **Discovery Date:** Not stated; reporting describes compromises that had been active for a long period before disclosure.
- **Incident Date:** Ongoing campaign, active since 2016.
- **Affected Organization:** Approximately 20,000 WordPress sites globally.
- **Sector:** Various (Web Hosting, Small to Medium Businesses utilizing WordPress).
- **Geography:** Global (affecting any accessible WordPress installation).
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown, preceding active phase.
- **Vector:** Exploitation of vulnerable WordPress installations, likely through known security flaws in outdated versions or plugins.
- **Details:** Attackers gained a foothold inside the WordPress installation itself (its files and database); the report does not describe compromise of the underlying host beyond that.
### Lateral Movement
- **Details:** Attackers focused on establishing strong persistence *within* the compromised WordPress installation rather than typical network lateral movement. This included injecting malicious PHP code across all active plugins.
### Data Exfiltration/Impact
- **Details:** The primary impact was traffic redirection. Legitimate visitors were redirected to external scam pages (VexTrio or LosPollos scam pages via an intermediary TDS/redirect layer). The malware ensured the attackers monetized this traffic using affiliate tracking parameters.
### Detection & Response
- **How it was discovered:** Analysis conducted by security researchers (GoDaddy is cited as a source of information).
- **Response actions taken:** Disinfection efforts focused on removing injected PHP code, especially from the WPCode plugin instances used for housing obfuscated malware, and locating/deleting hidden administrative users via direct database inspection.
## Attack Methodology
- **Initial Access:** Exploitation of vulnerable WordPress installations.
- **Persistence:** High persistence achieved by spreading the core PHP malware code across *all active plugins*, so that any single active plugin could re-establish the infection. The attackers also installed a copy of the **WPCode plugin**, used its snippet-storage feature to hold heavily obfuscated malicious code, and hid that copy from the standard plugin list. The injected code re-established itself on every page load, so removing it from one location was not enough.
- **Privilege Escalation:** Creation of hidden administrator accounts with random 32-character hexadecimal usernames, invisible in the wp-admin Users screen and only found by querying the database directly. In practice this is persistence of privileged access rather than escalation: creating the accounts already required high-privilege access.
- **Defense Evasion:** Hiding the malicious WPCode plugin from administrative GUI views; using obfuscation techniques; and implementing conditional redirection logic to bypass passive scanners.
- **Credential Access:** No theft of existing credentials is described. The hidden administrator accounts are attacker-created credentials that guarantee durable privileged access even after injected files are cleaned.
- **Discovery:** Not specified, likely focused on enumerating the WordPress installation structure.
- **Lateral Movement:** Internal persistence within the application environment (plugin files).
- **Collection:** Focused on identifying legitimate, non-bot/non-admin/non-referrer user traffic for redirection purposes.
- **Exfiltration:** No data exfiltration is described. What left the sites was visitor traffic, redirected to external scam campaigns.
- **Impact:** Financial gain for attackers through referral tracking; loss of reputation and service availability for compromised sites.
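The persistence pattern above (the same loader in every active plugin, obfuscated payload code in a plugin hidden from the plugin list) can be hunted for directly on disk. The following is an added example, not code from the original report or from GoDaddy. It scans a plugins directory for identical leading code shared across unrelated plugins, for PHP primitives typically used to hide or execute a packed payload, and for a plugin hooking the `all_plugins` filter, which is one common way for a plugin to remove itself from the wp-admin list. The fixture plugins, the loader text and the `all_plugins` hook are constructed assumptions for the demo; the report does not name the hook DollyWay used, and nothing here is a DollyWay signature.

```python
"""Scan a WordPress plugins directory for code injected across every plugin.

Added example, not code from the original report or from GoDaddy. It models the
DollyWay persistence pattern: the same PHP loader prepended to every active
plugin, obfuscation primitives in a hidden copy of WPCode, and a plugin hiding
itself from the plugin list. The fixtures, the loader text and the all_plugins
hook are constructed assumptions, not DollyWay signatures.
"""
import os
import re
import tempfile
from collections import defaultdict

# PHP primitives commonly used to hide or execute a packed payload. Legitimate
# plugins occasionally use some of them, so treat hits as leads, not verdicts.
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(", re.I)
# Hooking 'all_plugins' lets a plugin remove itself from the wp-admin plugin list.
# Assumption: the report says the WPCode copy was hidden but does not name the hook.
HIDE_HOOK = re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]")

def php_files(plugins_dir):
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if name.endswith(".php"):
                yield os.path.join(root, name)

def leading_block(src, lines=3):
    """First N non-empty lines after the opening <?php tag. Identical leading
    code in unrelated plugins is the 'spread across all active plugins' signal."""
    body = src.split("<?php", 1)[1] if "<?php" in src else src
    kept = [l.strip() for l in body.splitlines() if l.strip()]
    return "\n".join(kept[:lines])

def scan_plugins(plugins_dir):
    """Return {path: [finding, ...]} for every PHP file with at least one lead."""
    findings = defaultdict(list)
    lead_of = {}
    for path in php_files(plugins_dir):
        with open(path, encoding="utf-8", errors="replace") as fh:
            src = fh.read()
        for m in SUSPICIOUS.finditer(src):
            findings[path].append(f"obfuscation primitive: {m.group(1)}")
        if HIDE_HOOK.search(src):
            findings[path].append("hooks all_plugins: can hide itself from the plugin list")
        lead_of[path] = leading_block(src)
    # Group files by leading block; the same block in more than one plugin
    # directory is a cross-plugin injection candidate.
    slug = lambda p: os.path.relpath(p, plugins_dir).split(os.sep)[0]
    plugins_with = defaultdict(set)
    for path, lead in lead_of.items():
        plugins_with[lead].add(slug(path))
    for path, lead in lead_of.items():
        if lead and len(plugins_with[lead]) > 1:
            findings[path].append(
                f"leading block shared by {len(plugins_with[lead])} plugins: injected loader?")
    return dict(findings)

# Constructed fixture: two infected plugins, one clean plugin, one hidden payload
# plugin. Nothing here is taken from a real DollyWay sample.
LOADER = ("if (is_file($_p = WP_PLUGIN_DIR . '/wpcode-copy/snippet.php')) {\n"
          "    @include_once $_p;\n"
          "}\n")
FIXTURE = {
    "contact-form/contact-form.php":
        "<?php\n" + LOADER + "/**\n * Plugin Name: Contact Form\n */\nfunction cf_init() {}\n",
    "seo-helper/seo-helper.php":
        "<?php\n" + LOADER + "/**\n * Plugin Name: SEO Helper\n */\nfunction seo_init() {}\n",
    "clean-plugin/clean-plugin.php":
        "<?php\n/**\n * Plugin Name: Clean Plugin\n */\nfunction clean_init() {}\n",
    "wpcode-copy/wpcode-copy.php":
        "<?php\n/**\n * Plugin Name: WPCode\n */\n"
        "add_filter('all_plugins', function ($p) { unset($p['wpcode-copy/wpcode-copy.php']); return $p; });\n"
        "eval(base64_decode('cGxhY2Vob2xkZXI='));\n",
}

def build_fixture():
    """Write the constructed plugins into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    for rel, content in FIXTURE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for path, leads in sorted(scan_plugins(build_fixture()).items()):
        print(path)
        for lead in leads:
            print("   ", lead)
```

Run it against a real `wp-content/plugins` directory by passing that path to `scan_plugins`. The shared-leading-block check is the one that matters most for this campaign: a loader that is byte-identical at the top of several unrelated plugins has no legitimate explanation, whereas `eval` or `base64_decode` alone will also surface some legitimate plugins and needs a human look. A plugin directory on disk that the scan sees but the wp-admin plugin list does not show is a hiding indicator in its own right.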
## Impact Assessment
- **Financial:** Attackers monetized traffic via affiliate tracking parameters linked to scam pages. Direct costs for site owners were related to cleanup and potential downtime.
- **Data Breach:** No specific PII exfiltration detailed, but modification of site integrity and redirection of user sessions occurred.
- **Operational:** Severe operational disruption for affected site owners due to the difficulty of complete disinfection and constant reinfection.
- **Reputational:** Negative impact on the credibility of the affected WordPress sites.
## Indicators of Compromise
- **Network indicators:** Redirection traffic to intermediary Traffic Distribution Systems (TDS) leading to VexTrio or LosPollos scam domains (specific IoCs not provided).
- **File indicators:** Obfuscated PHP code injected into various plugin files; presence of a hidden, customized version of the WPCode plugin.
- **Behavioral indicators:** Forced HTTP redirections of legitimate users; creation of hidden administrative accounts composed of 32-character hex strings.
## Response Actions
- **Containment measures:** Stopping the automated redirection chain by removing injected code.
- **Eradication steps:** Identifying and deleting all injected PHP malware snippets across all plugins; deleting hidden administrative users found only via database query.
- **Recovery actions:** Reinstalling known-good versions of core WordPress files and plugins, and ensuring the hidden WPCode instance was removed.
## Lessons Learned
- **Key takeaways:** Persistence that piggybacks on legitimate plugin functionality (here a hidden copy of the WPCode snippets plugin) and that is replicated across every active plugin makes clean-up much harder than deleting a single file; every copy must go, or the site reinfects. Redirect logic that fires only for real visitors, after user interaction, evades passive scanners that fetch pages without behaving like a browser.
- **What could have been done better:** Prompt patching of outdated WordPress core, themes, and especially plugins is crucial to prevent initial access.
## Recommendations
- Implement File Integrity Monitoring (FIM) on the WordPress plugin directories so that unauthorized code injection into plugin files is detected, and compare plugin directories on disk against the plugin list shown in wp-admin: a directory that exists but is not listed is a hiding indicator.
- Regularly audit the WordPress database directly (the wp_users table joined with wp_usermeta, where the role lives in the wp_capabilities meta value) for administrator accounts with unknown or suspicious naming conventions, rather than relying on the wp-admin Users screen.
- Ensure all third-party plugins are kept up-to-date; disable or remove unused plugins immediately.
- Implement strong Web Application Firewall (WAF) rules to detect and block known exploit payloads targeting common CMS vulnerabilities.
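The hidden administrator accounts are only reliably found by going to the database, as the report notes. Below is an added example of that audit, not code from the report or from GoDaddy. It builds a constructed copy of the `wp_users` and `wp_usermeta` tables in SQLite, queries for every account whose serialized `wp_capabilities` value contains `administrator`, and flags any that are not on an allow-list or whose login is a 32-character hex string. The rows, the allow-list and the hex username are constructed for the demo; the SQL itself is the query to run against the real MySQL database (adjust `wp_` if the site uses a different table prefix, since the meta key is then `{prefix}capabilities`).

```python
"""Find hidden administrator accounts straight from the WordPress database.

Added example, not from the original report. WordPress stores the role in the
serialized wp_usermeta value 'wp_capabilities', and a malicious filter on the
user query can hide rows from the Users screen, so this goes to the tables
directly. Rows are constructed; the hex login was generated for this example.
"""
import re
import sqlite3

HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample rows: one real admin, one editor, one hidden hex admin.
USERS = [
    (1, "admin", "admin@example.com", "2019-03-04 10:00:00"),
    (2, "editor_jane", "jane@example.com", "2021-07-12 09:30:00"),
    (3, "3f1a9c0d8e7b6a5f4e3d2c1b0a998877", "x@example.net", "2024-11-02 03:14:15"),
]
USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# Same query works on MySQL; change the 'wp_' prefix if the site uses another.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID
"""

def build_db():
    """In-memory SQLite stand-in for the two WordPress tables (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", USERS)
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?,?,?)", USERMETA)
    return conn

def list_admins(conn):
    """Every account holding the administrator role, per the database."""
    return conn.execute(ADMIN_QUERY).fetchall()

def suspicious_admins(conn, known_logins):
    """Admins not on the allow-list, or with a 32-char hex login, with reasons."""
    out = []
    for uid, login, email, registered in list_admins(conn):
        reasons = []
        if login not in known_logins:
            reasons.append("not in known admin list")
        if HEX32.match(login):
            reasons.append("32-char hex username")
        if reasons:
            out.append((uid, login, email, registered, reasons))
    return out

if __name__ == "__main__":
    conn = build_db()
    for uid, login, email, registered, reasons in suspicious_admins(conn, {"admin"}):
        print(f"ID {uid} {login} <{email}> registered {registered}: {', '.join(reasons)}")
```

Prefer a direct SQL client over `wp user list` for this check: WP-CLI goes through WordPress's user query, so a plugin that filters that query to hide the account from wp-admin can hide it from WP-CLI as well. Delete the account with the injected code already removed, or it will simply be recreated, and check `wp_usermeta` for the same user ID afterwards so no orphaned capability rows remain.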