
BabaYaga

Posted: December 19, 2019

BabaYaga is a backdoor Trojan that compromises WordPress-based websites for redirecting traffic towards monetized affiliate marketing content. Although it includes several semi-beneficial features, such as updating WordPress and removing competing threats, site admins should respond to it as a high-level security threat. Most anti-malware products should detect and delete BabaYaga from a site's code, as well as block attempted redirects for Web surfers.

The Russian Witch is Conjuring Up New Tricks

Although she is one of Slavic mythology's more colorful characters, the iron-toothed witch Baba Yaga is now lending her name to an equally memorable entry in the world of website-compromising software. This new threat is a backdoor Trojan that infects WordPress websites for the usual money-making goals but has an exceptionally intricate failsafe system. BabaYaga's extra features could make disinfection harder than ever for victims, while also offering some unexpected side benefits along the way.

BabaYaga divides itself into a backdoor component, which lets attackers control the site and take countermeasures to stay persistent, and an SEO element, which handles the monetary side. The latter inserts hidden pages into the compromised website and uses Search Engine Optimization techniques (keywords and the like) to draw traffic that it then redirects to an affiliate marketing service. Similar tactics are well-known aspects of other Trojans' campaigns, such as Miuref's Pay-Per-Click browser hijackings.

All of the innovative aspects of BabaYaga that malware experts are outlining lie in its backdoor. Through it, the Trojan and its attacker maintain control over the WordPress installation and its updates, can remove competing Trojans from the site's code, execute PHP code, and upload and download files. It also has a propagation routine, can delete backups (such as uninfected copies of the website), reinstall itself after partial disinfection, and even move its components. This emphasis on redundant self-preservation features makes BabaYaga exceptionally persistent.

Finding the Proper Antimagic for a Hag Hiding in WordPress

Rather than subsisting inside of a chicken-legged hut, as its namesake does, this Trojan compromises only WordPress websites. BabaYaga also has capabilities for dropping other threats, which could create symptoms and security issues well beyond the ones in the previous half of this article. Although there are incidental side benefits in BabaYaga infections, such as automatic WordPress updates, these advantages don't outweigh the numerous, unsafe features.

Casual Web surfers' most likely problems from a BabaYaga-compromised website are redirections to possibly irrelevant links and unintentionally funding the threat actor's affiliate ad tactic. However, other threats may also become involved. Users should consider appropriate security practices when visiting WordPress sites, such as turning off JavaScript and installing security patches.

For site admins, malware experts recommend scanning the site with appropriate security products and removing BabaYaga thoroughly. Repeated scans could be necessary for preventing BabaYaga's reinstallation.
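Because the backdoor can reinstall itself after a partial cleanup and relocate its components, a single scan is a weak basis for declaring a site clean. One practical way to make repeated scans meaningful is a file-integrity baseline: hash every script-type file in the WordPress tree once it is believed clean, then compare later snapshots against that baseline so that files that reappear, change, or show up under a new path stand out. The script below is an added example for this article, not BabaYaga's code and not a tool from the original page; it assumes the site lives in a local directory tree and stores the baseline in a JSON file (`wp-baseline.json`, a name chosen here). The list of watched file types is constructed for the example and is not an indicator taken from any BabaYaga sample.

```python
"""File-integrity baseline for a WordPress install (added example, not from the article)."""
import hashlib
import json
import sys
from pathlib import Path

# File types worth tracking in a WordPress tree. Constructed list for this
# example; it is not an indicator derived from the malware described above.
WATCHED_SUFFIXES = {".php", ".phtml", ".js", ".htaccess"}
BASELINE_FILE = Path("wp-baseline.json")  # assumed location, chosen for this example


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every watched file under root (as a POSIX relative path) to its content hash."""
    result = {}
    for path in sorted(root.rglob("*")):
        # .htaccess has no suffix in pathlib terms, so match it by full name as well.
        if path.is_file() and (path.suffix in WATCHED_SUFFIXES or path.name in WATCHED_SUFFIXES):
            result[path.relative_to(root).as_posix()] = hash_bytes(path.read_bytes())
    return result


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list]:
    """Classify changes between a clean baseline and the current tree.

    'moved' pairs a file that vanished from its old path with a byte-identical
    copy that appeared elsewhere, which is what a component relocating itself
    looks like on disk. Moved files are reported under 'moved' only, not under
    'added' or 'removed', so the three lists do not double-count.
    """
    added = {p for p in current if p not in baseline}
    removed = {p for p in baseline if p not in current}
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])

    # Index the removed files by hash so an added file with the same contents is matched.
    removed_by_hash: dict[str, list[str]] = {}
    for p in sorted(removed):
        removed_by_hash.setdefault(baseline[p], []).append(p)

    moved = []
    for new_path in sorted(added):
        old_paths = removed_by_hash.get(current[new_path])
        if old_paths:
            old_path = old_paths.pop(0)
            moved.append((old_path, new_path))
            removed.discard(old_path)
    moved_targets = {new for _, new in moved}

    return {
        "added": sorted(added - moved_targets),
        "removed": sorted(removed),
        "modified": modified,
        "moved": moved,
    }


def main(argv: list[str]) -> int:
    """Usage: baseline <site-root>  |  check <site-root>"""
    if len(argv) != 3 or argv[1] not in ("baseline", "check"):
        print("usage: integrity.py baseline|check <wordpress-root>", file=sys.stderr)
        return 2
    root = Path(argv[2])
    if argv[1] == "baseline":
        BASELINE_FILE.write_text(json.dumps(snapshot(root), indent=1))
        print(f"baseline written for {root}")
        return 0
    report = diff_snapshots(json.loads(BASELINE_FILE.read_text()), snapshot(root))
    for kind in ("added", "modified", "removed"):
        for path in report[kind]:
            print(f"{kind.upper():9} {path}")
    for old, new in report["moved"]:
        print(f"MOVED     {old} -> {new}")
    # Any finding is a reason to re-scan rather than to assume the cleanup held.
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `python integrity.py baseline /var/www/site` right after a cleanup that is believed complete, then `python integrity.py check /var/www/site` on a schedule; a non-zero exit means something in the tree changed. Keep the baseline file outside the web root, since a backdoor that can delete backups and upload files could otherwise tamper with it. The hash index for relocated files is deliberately content-based, so renaming a component without changing its bytes is still reported as a move rather than as an unrelated new file.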

BabaYaga is a witch that fully demonstrates the cut-throat nature of the black hat software underworld. While cyber-security teams are a problem for any programming-inclined criminal, so are other crooks – or, in other words, the SEO competition.
