The malware does its best to obfuscate SEO injection in WordPress and evade notice from web admins.

A clever malware built for SEO injection – where a black hat loads up a webpage with spammy links, redirects and ad keywords, unbeknownst to the site owner – has been seen evading detection with an innovative approach that involves appending itself in an unusual place in the back-end code of a WordPress site.

Researchers at Sucuri have seen the malware crop up in two unrelated sites recently, targeting both English- and Korean-speaking searchers who are looking for various “free” downloads.

Upon analysis, the researchers discovered that the malware has two functions. First, it can add hidden links for indexing by search engines (a process that usually violates search engine terms of service and could result in blacklisting of the site); and secondly, it can redirect site visitors to spam content. The latter function is more advanced than usual, because it only redirects unregistered site users (presumably one-time visitors who wouldn’t flag the issue to the webmaster). And, it redirects visitors to certain pages based on their profile.

So, malefactors can inject SEO terms – hidden from site users – into the web page’s code, which will be indexed and move the site up in the search engine results. That improves the exposure for the true purpose of the campaign, which is to redirect visitors to sketchy external sites, which could be carrying out ad fraud or serving malware, among other things.

A Savvy Approach

Typically, SEO injection involves either injecting HTML code for concealed elements in theme files or injecting fake spam posts in the WordPress database, according to Sucuri – and in both cases, the injection is simple to uncover with either a file search or a keyword search within WordPress.

“Infections are usually found via a simple file search for the terms attackers inject on the page,” the researchers explained in a Monday posting. “Did you find SEO spam for luxury handbags on your site? Search your files for that term and bang, there it is.” From there, site owners can simply delete the rogue content and then submit the site for blacklist review/SEO reindexing.

In this case, the malware creates a special repository in the site’s database to store spam content and information about logged in visitors; so, rather than just uploading spam posts into the normal dashboard, these use a different prefix from legitimate WordPress content. That means the posts won’t load or show up on a site’s admin dashboard.

When a visitor hits the site, the malware then hijacks the normal WordPress database connection that would occur when loading a page, and redirects that connection to the hidden area to fetch links to the spam posts. It then appends these links to the legitimate content before sending it back to the visitor’s browser.

“The attacker was smart enough to return the database connection to the default tables before handing back the control so WordPress’ default flow can proceed ‘normally,'” researchers explained. “The injected links are invisible to human visitors, but search engines crawl and index them and they become search results.”

In order to redirect visitors to third-party sites based on profile, the malware authors have added special JavaScript links into the spam posts that allow then to inject redirect scrips into the posts on the fly.

“[For instance], a request to the hacker-controlled my-game[.]biz site is made to fetch additional customized code based on the visitors IP address, referrer and browser’s User-Agent string,” Sucuri explained.

It also appends the SEO spam right after the closing HTML tag, making it difficult to easily find the malware.

“After some extensive searches, we noticed a suspicious code block on the theme’s functions.php file loading content from the WordPress’s wp_options table,” the researchers noted. “The code itself looks suspicious, as it silently executes part of the content fetched from the database. On top of that, it loads a theme_css option, which is not how CSS is usually loaded on a typical WordPress theme. Searching the database for that option, we found the malware itself.”

While Sucuri itself found two specific samples in the wild, it performed a PublicWWW search (a search engine that crawls source code) and uncovered 173 hacked sites with the malware installed.

“Hacked sites affected by this kind of black hat SEO campaign can get links from around a thousand sites overnight,” the researchers said.

Site owners will have to do a little more than a search to clean up the infection: They’ll need to find and remove the malicious code from the theme’s functions.php, Sucuri noted; and then, find and remove the themes_css option, which may have been given a random name. And finally, admins should check their WordPress database for tables with unknown prefixes.