
Malware Spotlight: What is BabaYaga?

Introduction

In traditional Slavic folklore, Baba Yaga is a creature that haunts children's dreams and a common threat parents invoke when their children misbehave. In the world of malware, BabaYaga is a strain that can update itself, perform antivirus-like functions and more. Much like the mythical creature, BabaYaga has the potential to haunt WordPress administrators and IT support staff. 

This article will explore BabaYaga: what it is and how it works. We’ll conclude with a discussion of the need to widely recognize BabaYaga as a new malware type. 


What is BabaYaga?

BabaYaga is a malware variant and the first of a new malware type: malware-destroying malware. It infects WordPress, Drupal, Joomla and generic PHP websites. 

BabaYaga's focus is SEO spam: it draws search traffic to compromised sites, or more precisely to the hidden pages it plants on them. Those hidden pages then redirect visitors to affiliate marketing links, and if a visitor buys an advertised product, the attackers earn a commission on the sale. 

You may be thinking this is just another kind of WordPress malware and that all you have to do is change your password regularly. Guess again: BabaYaga is in a class of its own. It has the unusual ability to remove other malware. Once established on a site, it can update WordPress itself (some may see this as a positive!) and even clean up after itself. 
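Because BabaYaga modifies the WordPress install itself (updating core, removing competing infections, tidying up its own traces), the check an administrator wants is core-file integrity against a known-good manifest rather than a password rotation. The script below is an added example, not code from the article or from Wordfence; it assumes a manifest in the shape returned by the api.wordpress.org core checksums endpoint (relative path to MD5 hex, which is what `wp core verify-checksums` consumes), and it builds a small constructed WordPress-like tree with one tampered core file and one file dropped into wp-admin/ so it runs offline. The three sample files and their hashes are constructed for illustration, not real WordPress hashes.

```python
import hashlib
import os
import tempfile


def md5_of(path):
    """MD5 of a file, streamed; WordPress core manifests use MD5."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_core(root, checksums):
    """Compare a WordPress tree under `root` against a path->md5 manifest.

    Returns modified (hash mismatch), missing (in manifest, not on disk) and
    unexpected (files under wp-admin/ or wp-includes/ that core does not ship).
    Only core directories are scanned for extras: wp-content/ legitimately
    holds themes, plugins and uploads, so it needs a separate review.
    """
    modified, missing = [], []
    for rel, expected in checksums.items():
        p = os.path.join(root, rel)
        if not os.path.isfile(p):
            missing.append(rel)
        elif md5_of(p) != expected:
            modified.append(rel)

    unexpected = []
    for sub in ("wp-admin", "wp-includes"):
        base = os.path.join(root, sub)
        for dirpath, _, files in os.walk(base):
            for fn in files:
                rel = os.path.relpath(os.path.join(dirpath, fn), root).replace(os.sep, "/")
                if rel not in checksums:
                    unexpected.append(rel)

    return {
        "modified": sorted(modified),
        "missing": sorted(missing),
        "unexpected": sorted(unexpected),
    }


def build_sample_install():
    """Constructed sample: a minimal tree plus a manifest computed from the clean
    contents, then one core file tampered and one non-core file dropped."""
    root = tempfile.mkdtemp(prefix="wp-")
    clean = {
        "wp-includes/version.php": b"<?php $wp_version = '6.4.3';\n",
        "wp-admin/index.php": b"<?php require_once 'admin.php';\n",
        "index.php": b"<?php require 'wp-blog-header.php';\n",
    }
    manifest = {}
    for rel, data in clean.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        manifest[rel] = hashlib.md5(data).hexdigest()

    # Tamper with a core file after the manifest was taken (assumed modification).
    with open(os.path.join(root, "wp-includes/version.php"), "ab") as f:
        f.write(b"// tampered\n")
    # Drop a file that no core release ships (assumed name, hidden dotfile).
    with open(os.path.join(root, "wp-admin/.update.php"), "wb") as f:
        f.write(b"<?php // not in manifest\n")
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_sample_install()
    for kind, paths in verify_core(root, manifest).items():
        for rel in paths:
            print(f"{kind}: {rel}")
```

In practice the manifest must be fetched for the exact version and locale reported by `wp-includes/version.php` on the box being checked; a self-updating infection can move the site to a newer core release, so an administrator's cached manifest from last month will report every core file as modified and hide the real change in the noise.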

Discovered by the security researchers behind the Wordfence security plugin at Defiant, BabaYaga was sophisticated and interesting enough that they released a whitepaper with a deep analysis of it. The whitepaper was written to help WordPress administrators and threat analysts deal with this emerging type of malware. 

How (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/kQ_kj5Zp9Q8/