- GoDaddy has found a malicious campaign that has infected 20,000 WordPress sites
- It is called DollyWay, and it is extremely persistent
- DollyWay redirects visitors to fake gambling and crypto sites
A long-standing, highly persistent malicious campaign that has infected more than 20,000 WordPress websites worldwide has been discovered by researchers.
GoDaddy's security researchers have nicknamed it "DollyWay World Domination". It aims to redirect victims to fake dating, gambling, crypto and sweepstakes sites, although in the past the campaign has also been used to spread ransomware and banking trojans.
DollyWay has been active since at least 2016, GoDaddy says, adding that it currently generates 10 million impressions per month, bringing in steady income for its operators. Over the years it has also improved its evasion, reinfection and monetization strategies.
A single threat actor
DollyWay is currently in its third iteration; the earlier ones were more focused on malware distribution and phishing.
To compromise WordPress websites, DollyWay's operators exploited n-day vulnerabilities in the platform's plugins and themes. They also used a traffic direction system (TDS) to filter and redirect users according to their location, their device and their referrer. To get paid for the redirects, the attackers used the VexTrio and LosPollos networks.
On the evasion side, DollyWay did several things: it only redirected users after they clicked on something, in order to evade passive security analysis. It also did not redirect logged-in WordPress users, bots, or direct visitors arriving without a referrer. It was also quite persistent, GoDaddy said, because reinfection would occur on every page load.
At first, GoDaddy's researchers thought they were analyzing several groups and multiple campaigns.
"Although previously considered to be separate campaigns, our research reveals that these attacks share common infrastructure, code patterns and monetization methods, all of which appear to be linked to a single sophisticated threat actor," the researchers concluded. "The operation was named after the following tell-tale string, which is found in some variations of the malware: define('DOLLY_WAY', 'World Domination')."
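The tell-tale string quoted above is the one indicator the article gives, so a site owner's first check is whether it appears anywhere in their install. The following scanner is an added example, not GoDaddy's or BleepingComputer's code; it walks a WordPress directory (the path is an assumption passed on the command line), matches the `define('DOLLY_WAY', 'World Domination')` marker tolerantly (any quote style, spacing or letter case, since write-ups reproduce it in different forms), and reports file and line for each hit.

```python
"""Added example: scan a WordPress tree for the DollyWay tell-tale string."""
import os
import re
from pathlib import Path

# Tolerant of quote style, whitespace and case; the marker is quoted in
# slightly different forms across write-ups and malware variants.
DOLLYWAY_MARKER = re.compile(
    r"""define\s*\(\s*['"]dolly_way['"]\s*,\s*['"]world\s+domination['"]\s*\)""",
    re.IGNORECASE,
)

# Assumption: the injected code lives in PHP/JS files; other types are skipped.
SCAN_SUFFIXES = {".php", ".js", ".inc"}


def scan_file(path):
    """Return a list of (line_number, line_text) where the marker appears."""
    hits = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for n, line in enumerate(fh, start=1):
                if DOLLYWAY_MARKER.search(line):
                    hits.append((n, line.strip()))
    except OSError:
        pass  # unreadable file: skip it rather than abort the whole scan
    return hits


def scan_tree(root):
    """Walk a directory tree; return {relative_path: [(line, text), ...]} for files with hits."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SCAN_SUFFIXES:
                continue
            hits = scan_file(p)
            if hits:
                findings[str(p.relative_to(root))] = hits
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."  # assumed: path to the WordPress root
    for rel, hits in scan_tree(target).items():
        for n, text in hits:
            print(f"{rel}:{n}: {text}")
```

A hit only confirms that the marker is present; a clean result does not prove a site is uninfected, because the article notes the campaign has changed its code across iterations.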
Via BleepingComputer