- Malware hides payload in Steam Community comments
- WordPress sites are used to host backdoors
- Nearly 2,000 websites compromised since July
Security researchers from GoDaddy found a brazen new malware campaign that used comments from Steam Community accounts as command-and-control (C2) infrastructure.
Here’s how the attack plays out: The attackers would first find vulnerable WordPress sites, or those protected by weak credentials, and use them to host PHP malware somewhere in the site’s files. For example, the sample was found in a theme’s ‘functions.php’ file. This malware contains both a JavaScript injection component and a server-side backdoor.
Then, when a visitor loads the infected website, the malware contacts one of several Steam community profiles and downloads the content of profile comments. On the surface, these comments look harmless (albeit incoherent), but they also contain invisible Unicode characters that carry the actual payload.
“This encoding allows binary data to be embedded in normal-looking text. The visible characters serve as camouflage, while the invisible characters carry the actual payload,” GoDaddy said.
The malware then extracts the characters, converts them to binary data, and reconstructs the original bytes. The researchers found that this recovered data contains a URL controlled by the attackers that points to a domain hosting a JavaScript file that spoofs a legitimate library.
The malware then uses WordPress to load the hacker-controlled JavaScript on every front-end page, so each visitor’s browser downloads and runs it, and the visitor is infected in turn.
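As an added illustration (not code from GoDaddy's report or from the malware), here is a small Python analyst helper that flags comment text with an abnormal share of invisible Unicode characters and reconstructs bytes from them, the way the researchers describe recovering the hidden URL. The exact code points and the 0/1 bit mapping are assumptions, since the report does not publish the campaign's encoding, and the sample comment with its placeholder domain is constructed test data.

```python
import re
from typing import Optional

# Invisible code points commonly abused to hide data in normal-looking text.
# The report does not name the exact characters the campaign uses, so this
# set (and the 0/1 mapping below) is an assumption for illustration.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
BIT_MAP = {"\u200b": "0", "\u200c": "1"}  # ZERO WIDTH SPACE=0, ZW NON-JOINER=1
BIT_CHARS = {v: k for k, v in BIT_MAP.items()}
URL_RE = re.compile(rb"https?://[\w.\-/:]+")

def invisible_ratio(text: str) -> float:
    """Fraction of code points that are invisible; ordinary comments sit near 0."""
    if not text:
        return 0.0
    return sum(ch in INVISIBLE for ch in text) / len(text)

def extract_hidden_bytes(text: str) -> bytes:
    """Drop the visible camouflage, keep the invisible characters, and
    rebuild bytes 8 bits at a time (the reconstruction step GoDaddy describes)."""
    bits = "".join(BIT_MAP[ch] for ch in text if ch in BIT_MAP)
    bits = bits[: len(bits) - len(bits) % 8]  # ignore a trailing partial byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))

def recovered_url(text: str) -> Optional[str]:
    """Return the first URL found in the hidden bytes, or None if there is none."""
    match = URL_RE.search(extract_hidden_bytes(text))
    return match.group(0).decode("ascii", "replace") if match else None

def build_sample(visible_words: list[str], hidden: bytes) -> str:
    """Constructed test input only: spread the hidden bits across the
    visible words so the result reads like an ordinary (if odd) comment."""
    bits = "".join(f"{b:08b}" for b in hidden)
    chunk = -(-len(bits) // len(visible_words))  # ceiling division
    out = []
    for i, word in enumerate(visible_words):
        out.append(word + "".join(BIT_CHARS[bit] for bit in bits[i * chunk:(i + 1) * chunk]))
    return " ".join(out)

# Constructed sample; the domain is a placeholder, not an indicator from the report.
SAMPLE_COMMENT = build_sample(
    ["good", "game", "nice", "profile", "friend"],
    b"https://c2.example.invalid/lib.js",
)
CLEAN_COMMENT = "good game nice profile friend"
```

Running `invisible_ratio(SAMPLE_COMMENT)` gives roughly 0.9 against 0.0 for the clean comment, and `recovered_url(SAMPLE_COMMENT)` returns the embedded placeholder URL.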
In the campaign, there are two sets of targets – vulnerable WordPress sites and their visitors. Since revealing the campaign last July, GoDaddy said it found nearly 2,000 compromised WordPress sites. Unfortunately, the research report stops short of describing what the malware does to visitors.
If you run a WordPress site, GoDaddy recommends checking for references to Steam community URLs, external JavaScript injections, and outbound connections from WordPress to Steam.
Via Bleeping Computer
