Backdoor infections have been discovered on WordPress websites hosted on GoDaddy's Managed WordPress service, all of which carry the same backdoor payload. Resellers of the same platform, including MediaTemple, Domain Factory, tsoHost, Heart Internet, 123Reg, and Host Europe Managed WordPress, are also affected by the campaign.
Wordfence discovered the backdoor on March 11, 2022. Within 24 hours it had identified around 298 compromised websites, 281 of them hosted on GoDaddy. Every infected site carries the same implant: an SEO-poisoning backdoor first seen in 2015, injected into wp-config.php, which fetches spam link templates from a command-and-control (C2) server and uses them to push attacker-chosen pages into search engine results.
Instead of the site's genuine content, the campaign serves pharmaceutical spam templates to visitors of the hijacked websites. These templates are designed to lure victims into buying fraudulent products, handing both money and payment card details to the threat actors.
The actors could also damage a site's reputation by defacing its content and exposing the breach, although that does not appear to be their goal at this time. Because the injection happens server-side rather than in the browser, it is harder to spot and stop from the visitor's side: endpoint security software on the visitor's machine sees only an ordinary web page and flags nothing.
The initial access vector has not yet been identified, so although this looks like a supply chain attack, that has not been confirmed. GoDaddy was asked about the possibility but has not yet responded.
In any event, anyone hosting a site on GoDaddy's Managed WordPress platform should inspect the wp-config.php file for injected code. Removing the backdoor is the first priority, but Wordfence also advises administrators to follow up by cleaning out the spam search engine results the campaign has generated.
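The inspection step above is easy to do by hand on one site, but less so across a fleet of managed WordPress installs. The following script is an added example written for this write-up; it is not Wordfence's scanner or GoDaddy's tooling, and it does not contain a signature for the actual payload. It applies two generic checks to a wp-config.php: first, whether any line uses constructs a stock config never needs (eval, base64_decode, gzinflate, remote fetches, user-agent switching), and second, whether any executable statement sits ahead of the first define(), which in an unmodified file is where the database settings begin. The sample config and the injected line are constructed stand-ins.

```python
"""Heuristic scan of a wp-config.php for injected backdoor code.

Added example for this write-up, not Wordfence's or GoDaddy's tooling.
The indicator list is a generic set of obfuscation and remote-fetch
markers, not a signature for the specific payload described in the report.
"""
import re

# Constructs that have no business in a stock wp-config.php.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "decompress/rot13": re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("),
    "remote fetch": re.compile(r"\b(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I),
    "dynamic code": re.compile(r"\b(create_function|assert)\s*\("),
    "hex escapes": re.compile(r"(\\x[0-9a-fA-F]{2}){4,}"),
    # Weaker indicator: legitimate configs do not branch on the visitor's
    # user agent, but SEO-poisoning implants often do to cloak from humans.
    "user-agent switching": re.compile(r"HTTP_USER_AGENT", re.I),
}


def scan_wp_config(text: str) -> list[dict]:
    """Return one finding per (line, indicator) hit: {"line", "indicator", "snippet"}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "indicator": name, "snippet": line.strip()[:120]})
    return findings


def statements_before_first_define(text: str) -> list[int]:
    """Line numbers of executable statements that appear before the first define().

    A stock wp-config.php opens with <?php, a doc comment, and then the DB_*
    defines; any statement ahead of the first define() is a common injection
    spot and deserves a manual look.  Block and line comments are skipped.
    """
    suspicious = []
    in_block_comment = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        s = raw.strip()
        if in_block_comment:
            if "*/" in s:
                in_block_comment = False
            continue
        if s.startswith("/*"):
            if "*/" not in s:
                in_block_comment = True
            continue
        if s.startswith("<?php"):
            s = s[len("<?php"):].strip()   # code may follow the open tag on the same line
        if not s or s.startswith(("//", "#")):
            continue
        if s.startswith("define"):
            break
        suspicious.append(lineno)
    return suspicious


def is_suspicious(text: str) -> bool:
    """True if either heuristic fires."""
    return bool(scan_wp_config(text)) or bool(statements_before_first_define(text))


# Constructed, trimmed stand-in for a stock wp-config.php (not a real site's file).
CLEAN_WP_CONFIG = r"""<?php
/**
 * The base configuration for WordPress (constructed, trimmed sample).
 */

// ** Database settings ** //
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed stand-in for an injected statement; NOT the payload from the report.
# 'aGVsbG8=' is just base64 for "hello".
INJECTED_LINE = "if (isset($_SERVER['HTTP_USER_AGENT'])) { eval(base64_decode('aGVsbG8=')); }"

# Insert the stand-in right after the opening doc comment, where it lands on line 5.
INFECTED_WP_CONFIG = CLEAN_WP_CONFIG.replace(" */\n", " */\n" + INJECTED_LINE + "\n", 1)


if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN_WP_CONFIG), ("infected", INFECTED_WP_CONFIG)):
        print(f"[{label}] suspicious={is_suspicious(cfg)}")
        for f in scan_wp_config(cfg):
            print(f"  line {f['line']}: {f['indicator']}: {f['snippet']}")
        for n in statements_before_first_define(cfg):
            print(f"  line {n}: executable statement before first define()")
```

Run it against a real file with `scan_wp_config(open("wp-config.php").read())`. A hit from either check is a prompt for manual review, not proof of compromise: site-specific configs do sometimes carry custom PHP, and a backdoor that avoids these markers will not be caught, so treat the script as a first pass, not a replacement for a full file-integrity comparison against a known-good copy.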