Research Saturday 7.28.18
Ep 46 | 7.28.18

BabaYaga strangely symbiotic Wordpress malware.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now, a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at

Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security, protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Brad Haas: [00:01:42] I am kind of a technical lead with the team that handles site cleaning for Wordfence.

Dave Bittner: [00:01:48] That's Brad Haas. He's a senior security analyst at Defiant. The research we're discussing today is titled "BabaYaga: The WordPress Malware That Eats Other Malware."

Brad Haas: [00:01:59] We collect the information that we can gather from a hacked website, and from all the different cases we work on, we collect the threat data together. And we can correlate it and analyze it, and try and figure out what's happening with any given set of malware, or if we notice a trend or whatever, we can start looking into it, and try and get the bigger picture about it.

Brad Haas: [00:02:22] So this was the product of one of those efforts. You know, this is malware that we've seen on all kinds of different sites for a long period of time, so that piqued our interest and we started digging deeper into it.

Dave Bittner: [00:02:35] So, besides being fun to say, why the name BabaYaga?

Brad Haas: [00:02:40] That was a suggestion by my boss, Mark Maunder. We were discussing possible names that we could give it, and we were looking at names that reflected it's, I guess the personality of the malware, so we were thinking about trying to name it after an animal that eats other animals of its kind, or something like that. I mentioned that it does have Russian background, so he came up with the name "BabaYaga," a mythical beast from Slavic folklore.

Dave Bittner: [00:03:09] I see. So let's walk through exactly what we're dealing with here. Why don't we start with, how would someone find themselves infected with this? Have you determined what the infection vector is?

Brad Haas: [00:03:19] There are a number of different attacks that this group seems to use. And I think this is the case probably for most hacker groups that are targeting WordPress websites, that they throw everything they can at them, basically. The typical WordPress site doesn't have a lot of protection in place. Most sites I think are, they belong to small organizations, or they're personal websites, or things like that. So there's no active monitoring or really advanced protection, and so hackers are able to just shotgun all kinds of different attacks at a website and just see what sticks.

Brad Haas: [00:03:55] And so with this group, we've seen evidence that they use various exploits of outdated plugins, and things like that. Like I said, they can just try all kinds of different exploits against a site, whether the site actually runs those plugins or not, and you know, see if anything works.

Brad Haas: [00:04:12] And then the other big thing that they use is attacks related to passwords. And so, they're trying to get sites that are using weak passwords, or especially ones where passwords have been leaked as part of a data breach from a different organization. So if somebody uses a password at one place that gets hacked, and they use the same password on their WordPress site, that's one of the ways that this group seems to break into WordPress sites.

Dave Bittner: [00:04:39] So let's dig into what exactly is going on here. Give us an overview, what's the functionality and what are they trying to accomplish?

Brad Haas: [00:04:46] So the primary goal of the malware that we've seen is to basically just put spam out there. We've seen a couple of different schemes for it, but ultimately what they're trying to do is make money from either referrals or affiliate programs, basically, of services, whether those services are legitimate or not. So they compromise a WordPress site and make sure that it's in good working order. The malware does this, it can remove other malware and it can actually update WordPress and make sure that it's working as expected.

Brad Haas: [00:05:21] And then the code will respond differently to a search engine than it will to real human traffic. So when a search engine comes to the site--the infected site--the search engine sees pages or documents full of links that are designed to manipulate and boost the rank of this spam, therefore driving traffic to these other programs that ultimately get affiliate revenue for the hackers.

Dave Bittner: [00:05:50] And when a person who's not a search engine hits the site, what happens then?

Brad Haas: [00:05:56] For the most part, the site behaves normally. The malware is kind of designed to fly under the radar, so they're trying to avoid detection. So if a person finds a real page on the site that the hackers didn't create, you know, that's just a real part of the site, then the site behaves normally.

Brad Haas: [00:06:15] But if a person happens to find one of those spam backlinks that the hackers have created, and if they follow that link to the infected site, then they'll actually get redirected to the service, like the one that we saw, that we mentioned in the paper, was an essay-writing service. That service has an affiliate program where if a person signs up, then the hacker gets $15 or something. So if a person happens to follow one of those spam links to an infected site, they'll get redirected to that essay-writing service, and the hackers hope that they'll sign up and pay for the service.

Dave Bittner: [00:06:51] Now there's some interesting things going on here in terms of the hackers hiding their code, and also having some redundancy to try to maintain persistence. Can you take us through what was going on with that?

Brad Haas: [00:07:02] Yeah, it's something that's fairly common with WordPress malware that the hackers, they want to make sure that they maintain access to a site no matter what happens, basically. So there's a number of different ways that the BabaYaga malware tries to guarantee that the hackers will maintain their access to an infected site. They have different backdoor files that they kind of sprinkle around the site, and they're designed to blend in with legitimate WordPress files.

Brad Haas: [00:07:32] So they they name the files in a way that looks very similar to legitimate WordPress files. They take code out of core WordPress files and then they put it into their backdoor files, but commented so if you just glanced at a file it really looks like a real core WordPress file. But there's just subtle, you know, little bits of code that are hidden, that are actually malicious, and those enable the hackers to come back in and reinfect the site. So, even if somebody notices the extra files that the hacker has created, you know, these backdoors are designed to make it so that the hackers can come back and recreate those easily. So they have those hidden backdoors.

Brad Haas: [00:08:19] They also have a few other ones that they, like I said, they just kind of sprinkle them liberally through an infected site, just to try to make sure that, even if somebody notices they've been hacked and tries to take steps to clean it up, the hackers hope that they will miss something, and then the hackers will be able to get back into the site.

Dave Bittner: [00:08:38] And what's going on in terms of communications with a command-and-control server?

Brad Haas: [00:08:43] They have a command-and-control server set up for both the backdoor that they have, and also the primary malware that actually does the search manipulation bit. So the backdoor has a command-and-control server that it can talk to, and it collects information about the site, and can report it to the command-and-control server, it can get newer versions of the malware and update itself.

Brad Haas: [00:09:11] Really, it's just like any other well-developed piece of software. It's able to check for updates, and install updates, and look for any new instructions that the hackers have set up for infected sites. So it will periodically check in or, you know, the hackers can kind of sweep by and force it to check in, and make changes if they wanted to.

Brad Haas: [00:09:33] And then the code that's responsible for the search engine manipulation also talks to a different command-and-control server. And that's where it kind of reports on the search performance of the site, and it will go there and fetch whatever spam the hacker wants to put out there into the world. So, you know, maybe today it's essay-writing services, maybe tomorrow they find a different affiliate program that will get them more money, then the malware will go fetch that content and start presenting that to search engines.

Dave Bittner: [00:10:04] It was interesting too, you discovered that there's some runtime measurement built in to kind of keep the software running below the radar I suppose?

Brad Haas: [00:10:14] I think that's probably the purpose of it, because a lot of web hosting companies will penalize a website if it's using too many server resources, or if it has a script running for too long of a time. And part of the backdoor code involves crawling up from the directory where a website lives, and trying to discover other websites, you know, maybe that are part of the same hosting account, to infect those as well.

Brad Haas: [00:10:42] In a large account, you know, that could involve quite a lot of directories to crawl through and try and discover sites. So yeah, I think performance is just as much a issue that the authors of this malware have to deal with as any other developer. So they're trying to measure their performance and presumably make their software work as quickly as possible.

Brad Haas: [00:11:04] Because there are a lot of constraints in typical hosting environment, they're trying to make sure that one customer's resource usage doesn't get out of control and affect things for everyone else. So the malware authors have to operate in that same environment, so that involves some trade-offs of performance versus having their code do whatever they want.

Dave Bittner: [00:11:25] It was interesting to me also that this malware can perform backups and upgrades. What's going on with that?

Brad Haas: [00:11:33] Since the purpose of the malware is to manipulate search engines and drive traffic to the services that they want, they need websites to be in good working order. And so, part of that is to be able to upgrade WordPress, or reinstall WordPress if it happens to not be working for some reason, I assume they would run this code to update or fix it.

Brad Haas: [00:11:59] At first, we didn't know, ultimately, what the malware was doing. When I started the analysis, I was looking at that code first that fixes WordPress, or updates or reinstalls it, and I had no idea why it would want to do that. But eventually we discovered, you know, the reason for its existence is to have search engines crawl and index these spam results. So the malware authors need the website to be in good working order, otherwise the search engine, you know, this spam won't get indexed, or maybe the search engine will ignore the site because it's broken, or something like that.

Brad Haas: [00:12:36] So, part of the effort to make sure the site works is to be able to fix WordPress or update it, and then the other part of that was to search for any existing malware and delete it.

Dave Bittner: [00:12:47] Yeah. Take us through that, I mean, you think it's looking for competition, or is it part of that effort to keep things up and running without drawing any attention to the site?

Brad Haas: [00:12:56] I think it's both. At first, I saw that code and I figured that the author of BabaYaga was the same author of all of this other malware that it's checking for. You know, maybe they had older stuff they were wanting to remove. But as, you know, again, as the purpose of the malware it became clear, I realized that what it's probably doing is removing competition. Not necessarily because the author has anything against these other malware authors but, again, just to make sure the site doesn't do anything that will prevent it from being indexed by search engines.

Brad Haas: [00:13:33] So, it looks like a malware scanner. It looks like, you know, some of these WordPress security plugins, you know, a little bit like Wordfence even, that it has these signatures that belong to common, other malware. And if it finds them, then it can run this code that deletes that malware out of a file, and you know, restore the file to its original uninfected state.

Brad Haas: [00:13:59] There's also some code that looks for simple defacements, which is where, you know, someone has broken into a site and just, you know, rewrites the index file with "hacked by whoever." So it looks for any of those and it just deletes those. And then, if possible, it'll restore whatever files overwritten by the defacement.

Brad Haas: [00:14:20] So, it's going for a few different things there and, like you said, it's both, you know, removing competition, but also trying to avoid notice. Because really what they want to do is make sure nobody really notices the websites are getting hacked, and nobody, you know, the search engines don't notice that anything strange is going on, they'll just go ahead and index those spam pages and drive the traffic that the hackers want, and then everybody wins I guess.

Dave Bittner: [00:14:48] Well, that's an interesting way to frame it too, because if I'm running a WordPress site that gets infected with BabaYaga, am I likely to know? Are there going to be any performance issues? How will I know that there's a problem, or will I even know there's a problem?

Brad Haas: [00:15:03] I don't think that there would be a way for you to notice, unless you're either running a security product, like Wordfence, or maybe if you're really actively monitoring your performance and search results, then you might notice some of these spam pages starting to show up in the search results for your site. But otherwise, if you're not taking some kind of active measure to really watch for changes to your code, or changes to the pages that your site is generating, or the search results for your site, then I don't think that you'd probably ever notice.

Dave Bittner: [00:15:42] It's interesting, in your research you used the phrase that it's a symbiotic relationship. And I think that's interesting because I can see, if we just sort of put aside the fact that malware is bad, if I'm running my site and someone is doing updates for me, and backups for me, and making sure that my site isn't infected with other malware, the performance of my site hasn't been affected, and I don't even notice that anything's going on here... It's a funny thing to think about, isn't it? Like, do we actually have a problem?

Brad Haas: [00:16:13] It is, it's a very unusual question that I don't think I've seen come up in any of the other malware that I've researched. There is a problem, obviously, because it is someone else using websites that belong to other people, and that's not okay. That's never okay.

Dave Bittner: [00:16:32] Right.

Brad Haas: [00:16:32] And obviously, if something came up that was even less ethical, I'm sure that they would switch to that. You know, if there was some kind of way to use these sites to attack something and make more money that way, I imagine they wouldn't have any qualms about switching to that instead.

Dave Bittner: [00:16:49] Right. So let's not fool ourselves into thinking that they're doing this for anyone's benefit but their own.

Brad Haas: [00:16:55] Right. And the other thing is that the way that they are manipulating search engine ranking is also going to harm other organizations that would be competing, that aren't doing this kind of shady work. So if you have some honest essay-writing service, and you're just writing genuine content to try and promote yourself or whatever, then I think that the spam code that we saw, you know, when we were analyzing it, would probably just roll right over you, and then the hackers win at your expense.

Dave Bittner: [00:17:27] Right. Right. So what are your recommendations for people to protect themselves against this?

Brad Haas: [00:17:33] Well, my first recommendation for anyone using a WordPress site, obviously, is to use a security plugin. I have to recommend Wordfence. I think it's the best out there.

Dave Bittner: [00:17:45] You're completely unbiased, right? (laughs)

Brad Haas: [00:17:48] Right, yes, yes, scientifically. As security professionals, we always talk a lot about defense-in-depth. So, there has to be a broader awareness of security as part of the entire way that you run a website. So, you know, running Wordfence, or whatever security product, is part of it, sure.

Brad Haas: [00:18:09] But there is also, you have to make sure that you use secure password practices, you can't use a weak password on a website, or it will eventually get guessed, you know, the hackers will guess it and will break in.

Brad Haas: [00:18:24] You can't use the same password for your website as you use for any other account. You just can't do that anymore. Maybe, you know, a decade ago that would have been okay or something, but in this age of massive data breaches and password leaks, you just can't do that. So, you know, using a password manager is something that I also really wholeheartedly recommend. If you don't do that already, now is the time to start. And that includes the password that you use to log in and do administration on your website.

Brad Haas: [00:18:57] Another really important thing, obviously, is to keep your website up-to-date. And that includes WordPress, every plugin or theme, just make that part of the life of your website. It's just consistently checking for updates and applying them as soon as possible, because part of the benefit of that is you may notice problems sooner, you know, if your site has been compromised or something, that can help.

Brad Haas: [00:19:20] And the other part is, of course, protecting it in the first place from outdated, maybe vulnerable, plugins you might have. Updating can patch those vulnerabilities and help protect your site.

Dave Bittner: [00:19:35] Our thanks to Brad Haas from Defiant for joining us. The research is titled "BabaYaga: The WordPress Malware That Eats Other Malware."

Dave Bittner: [00:19:44] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at

Dave Bittner: [00:19:52] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:20:00] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.