Spam Injector Disguised as License Key in WordPress Website


Here at Sucuri, we clean WordPress websites every day. Most of the malware we see falls into common types, but when we stumble upon a different scenario, our research team likes to dig deeper and conduct a complete investigation. A license key is a place where a webmaster might not expect to find an infection; in this particular case, however, that is exactly where we found one.
A Spam Injector Resembling a License Key
A client opened a malware removal ticket reporting some weird spam URLs injected into their WordPress website. After further investigation of the website's files, we discovered a hidden, encoded spam injector in the following theme file:
./wp-content/themes/toolbox/functions.php
The attacker formatted the encoded injector to look like a theme’s license key, so that a less-trained security analyst would glance past it rather than suspect it of being malicious code.
Here is the malware that resembles a license key inside a WordPress theme:
Layers and Layers of Encoding
Not only did the attacker add malware to an “unsuspicious” file, but they also heavily used encoding to ensure it was well hidden.
The injected code contained a few layers of encoding to further
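As an added illustration (not Sucuri's tooling and not code from the original article), the Python sketch below flags quoted, key-like strings in a theme file that turn into code once decoding layers are peeled off. The layer types (base64, rot13, raw DEFLATE), the variable name `$license_key` and the constructed sample are assumptions; the article does not state which encodings the injector used.

```python
import base64, codecs, re, zlib

# Quoted run of base64 characters, optionally dash-grouped like a license key.
BLOB = re.compile(r"""['"]([A-Za-z0-9+/=-]{40,})['"]""")
# Strings a genuine license key never decodes to.
CODE = re.compile(rb"<\?php|eval\s*\(|base64_decode|gzinflate|str_rot13|<a\s+href|https?://", re.I)
# Assumed layer types; the article does not say which encodings were used.
DECODERS = (
    ("base64", lambda b: base64.b64decode(b, validate=True)),
    ("rot13", lambda b: codecs.encode(b.decode("ascii"), "rot13").encode()),
    ("gzinflate", lambda b: zlib.decompress(b, -15)),  # raw DEFLATE, like PHP gzinflate()
)

def peel(blob, max_depth=4):
    """Try decoder chains breadth-first; return (chain, plaintext) once code markers appear."""
    queue = [((), blob)]
    for _ in range(max_depth):
        nxt = []
        for chain, data in queue:
            for name, fn in DECODERS:
                if name == "rot13" and chain[-1:] == ("rot13",):
                    continue  # rot13 applied twice is a no-op
                try:
                    out = fn(data)
                except (ValueError, zlib.error):
                    continue  # this layer type does not apply to the data
                if CODE.search(out):
                    return chain + (name,), out
                if out:
                    nxt.append((chain + (name,), out))
        queue = nxt
    return None

def scan_php(source):
    """Return [(line_no, chain, decoded_bytes)] for string literals that hide code."""
    findings = []
    for m in BLOB.finditer(source):
        hit = peel(m.group(1).replace("-", "").encode())
        if hit:
            findings.append((source.count("\n", 0, m.start()) + 1, *hit))
    return findings

def make_sample():
    """Constructed test input: a harmless echo statement wrapped in four layers."""
    php = b'echo \'<a href="https://spam.example/a">a</a><a href="https://spam.example/b">b</a>\';'
    c = zlib.compressobj(wbits=-15)
    layer = base64.b64encode(c.compress(php) + c.flush())
    layer = base64.b64encode(codecs.encode(layer.decode(), "rot13").encode()).decode()
    key = "-".join(layer[i:i + 8] for i in range(0, len(layer), 8))
    return "<?php\n// Theme settings\n$license_key = '%s';\n" % key
```

Run `scan_php()` over the contents of each theme file; a finding means a string literal that looks like a key decodes to markup or PHP and deserves manual review.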
Source: https://managewp.org/articles/18341/spam-injector-disguised-as-license-key-in-wordpress-website


