- Malware hides payload in Steam community comments
- WordPress Sites Used to Host Backdoors
- Nearly 2,000 sites compromised since July
Security researchers at GoDaddy have discovered a brazen new malware campaign that used comments from Steam community accounts as command and control (C2) infrastructure.
Here’s how the attack works: attackers first find WordPress websites that are vulnerable or protected by weak credentials, and use them to host PHP malware somewhere in the site’s files. For example, one sample was found in a theme’s “functions.php” file. This malware contains both a JavaScript injection component and a server-side backdoor.
Then, every time a visitor loads the infected website, the malware contacts one of the many Steam community profiles and downloads the profile’s comment content. On the surface, these comments seem harmless (although inconsistent), but they also contain invisible Unicode characters that carry the actual payload.
“This encoding allows binary data to be embedded in normal-looking text. Visible characters serve as camouflage while invisible characters carry the actual payload,” GoDaddy said.
The malware then extracts the characters, converts them to binary data, and reconstructs the original bytes. Researchers discovered that this scraped data contains a URL controlled by the attackers, which points to a domain hosting a JavaScript file spoofing a legitimate library.
The malware then uses WordPress to load attacker-controlled JavaScript on each front-end page, which visitors’ browsers then download and execute, thereby infecting themselves.
In the campaign, there are two sets of targets: vulnerable WordPress sites and their visitors. Since the campaign was discovered in July last year, GoDaddy said it had found nearly 2,000 compromised WordPress sites. Unfortunately, the research report does not describe the effects of the malware on visitors.
If you’re running a WordPress website, GoDaddy recommends checking for references to Steam community URLs, external JavaScript injections, and outbound connections from WordPress to Steam.
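One way to run the first two of those checks over a WordPress tree, plus a test for text padded with invisible Unicode characters, is sketched below. This is an added example, not code from GoDaddy's report. The steamcommunity.com domain, the regexes, the threshold of 8 and the sample strings are assumptions made for illustration.

```python
import re
import sys
import unicodedata
from pathlib import Path

# Assumption: Steam community profiles are served from steamcommunity.com.
STEAM_RE = re.compile(r"steamcommunity\.com", re.IGNORECASE)
# Script loaded from an absolute URL, via a <script> tag or wp_enqueue_script().
REMOTE_JS_RE = re.compile(
    r"""(?:<script[^>]+src\s*=\s*|wp_enqueue_script\s*\([^)]*?)["'](?:https?:)?//""",
    re.IGNORECASE)

def scan_php(source):
    """Return (line_number, finding) pairs for one PHP source string."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        if STEAM_RE.search(line):
            hits.append((no, "steam-url"))
        if REMOTE_JS_RE.search(line):
            hits.append((no, "remote-js"))
    return hits

def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for files with hits."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_php(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

def invisible_count(text):
    """Count code points that render as nothing: format chars and variation selectors."""
    return sum(1 for ch in text
               if unicodedata.category(ch) == "Cf"
               or 0xFE00 <= ord(ch) <= 0xFE0F or 0xE0100 <= ord(ch) <= 0xE01EF)

def looks_like_carrier(text, threshold=8):
    """Assumed heuristic: ordinary comments rarely hold more than a few such chars."""
    return invisible_count(text) >= threshold

# Constructed samples, not taken from the campaign.
SAMPLE_PHP = "<?php\n$u = 'https://steamcommunity.com/id/EXAMPLE_PROFILE';\n" \
             "wp_enqueue_script('lib', 'https://cdn.example.invalid/lib.min.js');\n"
SAMPLE_COMMENT = "nice profile" + "\u200b\u200c\u200d\u2060" * 6

if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, hits)
    print("sample comment suspicious:", looks_like_carrier(SAMPLE_COMMENT))
```

Many legitimate themes enqueue remote scripts, so a "remote-js" hit is a lead for manual review rather than a verdict.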
Via BeepComputer





