BabaYaga Malware: WordPress Security Advisory2

Recently, a new type of security vulnerability was discovered infecting sites built with the WordPress content management system. This new type of malware goes by the name BabaYaga (a supernatural forest spirit that flies around in a mortal wielding a pestle) and it has been causing a stir in the WordPress security community.

The group behind the attack -- believed to be Russian hackers — created the self-updating BabaYaga malware in order to generate profit via spamming affiliate links.

The actual malware itself is what is causing a reaction - both in the security and hacking community. BabaYaga destroys other malware in self-interest. WordFence describes Babayaga as the malware that eats other malware, with a wide array of features conducive to persistent infection.

Let's dissect the BabaYaga malware and discover why malware that removes other malware is more dangerous than you probably think it is.

What is BabaYaga Malware?

BabaYaga is redirect malware. It takes over a page, generating spam content that will redirect the user to affiliate phishing websites via embedded code. Of course, this is bad in itself, but the malware is far more advanced than that.

This self-updating malware has two parts to it. First, it takes over WordPress sites, injecting spam content and affiliate links. Then, it creates a backdoor to give the hacker complete control over the infected website.

BabaYaga allows the hacker to manually upload files to the compromised website, as well as gives them access to the file manager and the ability to execute shell commands.

While BabaYaga can infect any PHP driven website, it seems to be heavily focused on WordPress (as evidenced by new versions being released in sequence with WordPress updates). Currently, BabaYaga is able to infect the most updated version of WordPress.

But, what makes BabaYaga so interesting is that it doesn't just take over a website - it protects it.

What Makes BabaYaga so Interesting?

BabaYaga is very good at making sure that its host website doesn't get detected for having malware. The malware will go so far as to update the entire WordPress site to make sure that the blog runs smoothly (i.e., increases its SEO rankings).

Because the malware is injecting hidden pages on the host site that are keyword loaded, making sure that the WordPress site is up-to-date is vital for the hacker.

Once the malware has made sure that everything is up and running smooth, it does something very interesting; it runs a virus scan. See, BabaYaga isn't only malware; it's also an antivirus.

BabaYaga will also remove other malware on the infected website. The reasons for this are two-fold. BabaYaga doesn't want poorly-coded competing malware to prevent it from working (or at the very least preventing pages from loading correctly which would affect earning from affiliate spam,) and this dangerous malware doesn't want the  owners of the infected WordPress sites to detect any malware.

This sophisticated malware has the ability to root itself as the primary malware on a site - completely taking control out of the owner's hands.

This new malware fighting malware is undoubtedly dangerous, but it also marks a further move towards malware sophistication targeting open source software (in specific WordPress websites).

Will future malware pick up on BabaYaga's malware fighting prowess? It makes sense; getting rid of the competition is never a bad thing.

How to Know if You've Been Infected

Since BabaYaga takes over web pages and immediately starts spamming hidden pages with keywords, it can be difficult to detect.

Malware scanners may do the trick, and you may even find it manually. As always, WordPress and other OSS are tricky when it comes to security (the obvious pitfall of OSS.) Confirmation of the BabaYaga malware comes just weeks after news surrounding backdoor vulnerabilities in WordPress and vulnerabilities in plugins like JetPack.

Closing Notes

The fight against malware that infects WordPress websites is a never-ending fight. Because of the open source nature and popularity of WordPress, malware will continue to be developed targeting the platform at a rapid pace. BabaYaga is a new and dangerous malware application that lays the foundation for an entirely new category of malware; self-updating malware that destroys competing malware.

Wordfence recently published a white paper that concisely describes how this new type of malware operates, stating that: “BabaYaga is an emerging threat that is more sophisticated than most malware. It deeply infects a site, spreads to other sites, ensures that the infected site is in good working order and will even remove other malware. It even has the ability to update or reinstall WordPress.”