Cunning WordPress malware disguises itself as regular code


Cybersecurity experts have identified a novel approach to disguising WordPress security threats that involves generating malware on the fly with legitimate-looking code.

In a blog post, Ned Andonov, a WordPress security expert at Wordfence, shares details about the simple but effective obfuscation technique, which, due to its unique characteristics, doesn’t carry any of the usual detectable patterns.

“The code abstraction looked almost perfect, each class method was well commented, the business logic looked reasonable, and the code was following the latest code quality standards,” writes Andonov.

In fact, Andonov admits that the malware-generating code was so well-written that it would take a seasoned security analyst to notice anything suspicious about it.

Malware in code

Breaking down the code, Andonov says that while many of the methods look legitimate, the first thing that struck him as odd was the $indicies variable.

“This function is actually using a standard for loop to generate commonly used suspicious functions while evading detection and is the most obviously obfuscated portion of the code,” writes Andonov.

And that’s not all. The code also extracts compressed malware from inside a PNG image. 

Andonov opines that the malware is professionally written and contains “a collection of remote commands including code execution, updates, and files access.”

Analyzing the psychological underpinnings of the technique used by the attacker, he refers to the work of Nobel-winning psychiatrist Daniel Kahneman to conclude that a routine glance at the code wouldn’t trip the sensors of an inexperienced analyst, who would have no reason to suspect that the code deserves a closer look.

“Analysts would also do well to keep their System 2 mind engaged, as Kahneman would put it, when analyzing suspected malware,” concludes Andonov.

Mayank Sharma
