GoDaddy security researchers are warning about a sophisticated, long-running malware operation known as “DollyWay,” which has compromised more than 20,000 WordPress sites worldwide and redirects their visitors to scam sites.
The campaign has been active since 2016 and has evolved into a highly persistent, monetized operation that relies on advanced evasion and reinfection techniques to stay on compromised sites.
How DollyWay Works
DollyWay v3, the latest iteration of the malware, exploits n-day vulnerabilities (flaws that are already patched upstream but not yet updated on the target) in WordPress plugins and themes to inject malicious code into compromised sites. The attack follows a multi-stage process:
- Initial Injection: The injected PHP registers a script through WordPress’s own wp_enqueue_script() hook, so every page the site serves loads a further stage of malicious JavaScript.
- Traffic Filtering: The malware collects visitor referrer data and passes it through a Traffic Direction System (TDS), which decides who gets redirected and where.
- Redirection: Visitors who meet the criteria (not a bot, not a logged-in administrator) are bounced through three randomly selected compromised WordPress sites before landing on fraudulent pages run by affiliate networks such as VexTrio and LosPollos. Because logged-in admins are excluded, a site owner browsing their own site will usually not see the redirect; test as an anonymous visitor arriving from a search-engine referrer instead.
- Persistence and Reinfection: The malware reinfects the site on every page load, copying its PHP code into every active plugin and hiding a further copy inside a WPCode snippet. Cleaning one plugin is undone as soon as the next request executes a surviving copy.
Indicators of Compromise (IoCs)
Administrators should look for the following signs of infection:
- Obfuscated PHP code injected into installed WordPress plugins.
- Hidden administrator accounts whose usernames are 32-character hexadecimal strings.
- Malicious scripts dynamically loaded from /wp-content/counts.php (a file that does not exist in a clean WordPress install).
- Redirects to scam pages triggered when visitors click on page elements.
- WPCode snippets containing code the site owner did not add.
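A scanner that turns the indicator list above (and the wp_enqueue_script() injection described under “How DollyWay Works”) into checks a site administrator can run is shown below. This is an added example, not code from GoDaddy or the DollyWay report. The counts.php reference and the 32-hex-character username rule come straight from the indicators; the eval-of-decoded-payload pattern is a generic obfuscation heuristic (an assumption, not a published DollyWay signature) and will also fire on some legitimate but sloppy plugins, so treat hits as leads to inspect rather than verdicts. The WordPress tree, user rows and WPCode records it runs over are constructed inline so the script runs offline; in practice the user rows come from the wp_users table and the snippet records from wp_posts.

```python
"""Scan a WordPress tree and database records for DollyWay-style indicators.

Added example: the patterns below are derived from the published IoC list
plus one generic obfuscation heuristic (labelled as an assumption).
"""
import re
import tempfile
from pathlib import Path

# Straight from the IoC list: the loader script path and hidden-admin naming.
COUNTS_PHP = re.compile(r"wp-content/counts\.php")
HEX32_USER = re.compile(r"^[0-9a-f]{32}$")
# Assumption: a generic eval-of-decoded-payload heuristic, not a DollyWay signature.
OBFUSCATION = re.compile(
    r"\b(eval|assert|create_function)\s*\(\s*"
    r"(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)


def scan_plugin_files(wp_root):
    """Walk wp-content/plugins and mu-plugins; return (relative path, reason) pairs."""
    root = Path(wp_root)
    findings = []
    for sub in ("plugins", "mu-plugins"):
        base = root / "wp-content" / sub
        if not base.is_dir():
            continue
        for php in sorted(base.rglob("*.php")):
            text = php.read_text(errors="replace")
            rel = php.relative_to(root).as_posix()
            if COUNTS_PHP.search(text):
                findings.append((rel, "loads wp-content/counts.php"))
            if OBFUSCATION.search(text):
                findings.append((rel, "eval of decoded payload"))
    # The loader file itself is never part of a clean install.
    if (root / "wp-content" / "counts.php").is_file():
        findings.append(("wp-content/counts.php", "loader file present"))
    return findings


def flag_hex_usernames(users):
    """users: iterable of (user_login, role) rows. Return logins that are 32 hex chars."""
    return [login for login, _role in users if HEX32_USER.match(login)]


def flag_wpcode_snippets(posts):
    """posts: dicts with post_type/post_title/post_content (WPCode stores snippets
    as posts of type 'wpcode'). Return titles of snippets matching an indicator."""
    hits = []
    for post in posts:
        if post["post_type"] != "wpcode":
            continue
        code = post["post_content"]
        if COUNTS_PHP.search(code) or OBFUSCATION.search(code):
            hits.append(post["post_title"])
    return hits


def build_sample_site():
    """Constructed WordPress tree: one clean plugin, one injected plugin, the loader file."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    plugins = root / "wp-content" / "plugins"
    (plugins / "hello").mkdir(parents=True)
    (plugins / "hello" / "hello.php").write_text(
        "<?php\nadd_action('wp_enqueue_scripts', function () {\n"
        "  wp_enqueue_script('hello', plugins_url('hello.js', __FILE__));\n});\n")
    (plugins / "seo-tools").mkdir()
    # Constructed injection: enqueues the loader path and evals a decoded payload
    # (the base64 here is just 'echo "hi";', not real malware).
    (plugins / "seo-tools" / "seo-tools.php").write_text(
        "<?php\nadd_action('wp_enqueue_scripts', function () {\n"
        "  wp_enqueue_script('cnt', '/wp-content/counts.php', [], null, true);\n});\n"
        "eval(base64_decode('ZWNobyAiaGkiOw=='));\n")
    (root / "wp-content" / "counts.php").write_text("<?php // constructed loader stub\n")
    return root


# Constructed rows standing in for wp_users and wp_posts query results.
SAMPLE_USERS = [("admin", "administrator"),
                ("3f2a9c7b1e6d4a8f0b2c5d7e9a1b3c4d", "administrator")]
SAMPLE_POSTS = [
    {"post_type": "wpcode", "post_title": "GA tag",
     "post_content": "<script async src=\"https://www.googletagmanager.com/gtag/js\"></script>"},
    {"post_type": "wpcode", "post_title": "Untitled",
     "post_content": "<?php eval(gzinflate(base64_decode('...')));"},
    {"post_type": "post", "post_title": "Hello world", "post_content": "Welcome."},
]

if __name__ == "__main__":
    site = build_sample_site()
    for rel, why in scan_plugin_files(site):
        print(f"{why}: {rel}")
    print("hex-named admins:", flag_hex_usernames(SAMPLE_USERS))
    print("suspicious WPCode snippets:", flag_wpcode_snippets(SAMPLE_POSTS))
```

Run it from the WordPress root (replace build_sample_site() with the real path and feed it the output of `SELECT user_login, ... FROM wp_users` and `SELECT post_type, post_title, post_content FROM wp_posts WHERE post_type = 'wpcode'`). Because the malware reinfects from any surviving copy, a scan that reports findings in only one plugin should be repeated after cleanup rather than trusted on the first pass.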
Impact
It’s estimated that DollyWay has infected over 20,000 WordPress sites over the past eight years. The malware has generated millions of fraudulent impressions each month by redirecting legitimate website visitors to scam pages promoting fake dating services, gambling platforms, and cryptocurrency schemes.
This not only erodes user trust in affected websites but can also lead to search-engine blocklisting and browser warnings, legal exposure for site owners, and significant revenue loss for businesses that depend on web traffic. The reinfection mechanism makes removal especially difficult: partial cleanups are undone on the next page load, so administrators must remediate the whole site at once to regain control.
Mitigation and Response
The most important defence against the DollyWay campaign is to keep WordPress core, plugins, and themes up to date, since the campaign exploits vulnerabilities for which fixes already exist. If a plugin or theme has not been updated in a long time, remove it and find a maintained alternative; uninstall unused plugins and themes entirely rather than merely deactivating them, because their files remain reachable. File modification should also be tightly controlled: setting DISALLOW_FILE_MODS (or at least DISALLOW_FILE_EDIT) in wp-config.php and keeping the web server from writing to plugin and theme directories raises the bar for both the initial injection and the plugin-to-plugin spreading described above.
If a site is infected with DollyWay, a partial cleanup will not hold. Take the site offline or block public traffic, then either restore the files and database from a backup that predates the infection or rebuild from clean plugin and theme sources, remove any unrecognised WPCode snippets and hidden administrator accounts, and rotate all WordPress, database, hosting, and FTP/SSH credentials before bringing the site back. Re-scan after restoration, because a single surviving copy of the PHP code is enough to reinfect every active plugin.