Massive “DollyWay” Malware Attack Compromises 20,000+ WordPress Sites Worldwide

A significant malware operation, dubbed “DollyWay,” has been uncovered by GoDaddy Security researchers, revealing a sophisticated campaign that has compromised over 20,000 WordPress sites globally.

This operation, which began in 2016, leverages a distributed network of compromised WordPress sites as Traffic Direction System (TDS) and Command and Control (C2) nodes.

The malware’s latest iteration, DollyWay v3, employs advanced techniques such as cryptographically signed data transfers, heterogeneous injection methods, and automatic reinfection mechanisms to maintain control over infected sites.

Sophisticated Malware Techniques

DollyWay v3 primarily targets visitors of infected WordPress sites by injecting redirect scripts that funnel traffic through VexTrio, a major cybercriminal affiliate network.

The malware uses a four-stage injection chain to evade detection.

Initially, it appends a dynamically generated script to the site’s main URL, which then loads subsequent scripts that collect referrer information and eventually redirect users to scam pages.

The malware also removes competing malware and updates WordPress to ensure its persistence.

The reinfection mechanism is particularly sophisticated, involving the injection of malicious PHP code into active plugins and WPCode snippets.

According to the Report, this code is re-obfuscated regularly to evade detection, making removal challenging.

Additionally, the malware creates malicious admin users with random hexadecimal usernames and email addresses, further complicating cleanup efforts.

Command and Control Infrastructure

DollyWay maintains its infrastructure through encoded WordPress options, storing settings in a sophisticated format.

The malware updates its node list daily using cryptographic signatures to verify data integrity.

This ensures that only authorized updates are applied, protecting the malware’s control over compromised sites.

The use of compromised WordPress sites as C2/TDS nodes allows the malware to adapt and evolve, making it a formidable threat in the cybersecurity landscape.

The ongoing evolution of DollyWay highlights the increasing sophistication of malware campaigns and the need for robust security measures to protect against such threats.

As the campaign continues to adapt, it remains a significant concern for WordPress site owners and cybersecurity professionals alike.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup – Try for Free