Malware Operation ‘DollyWay’ Hacked 20,000+ WordPress Sites Globally

In recent years, the cybersecurity landscape has witnessed a significant rise in sophisticated malware operations. One such operation is “DollyWay,” a long-running campaign that has compromised over 20,000 WordPress sites globally.

This operation is notable for its advanced techniques in maintaining control over infected sites and its sophisticated methods of injecting malware.

The DollyWay malware primarily targets WordPress sites, leveraging a network of compromised sites to redirect visitors to scam pages through traffic broker networks.


The operation is tied to VexTrio, a major cybercriminal affiliate network known for using DNS techniques and domain generation algorithms.

Historically, this campaign included payloads such as ransomware and banking trojans, but it now focuses on redirects.

The malware employs a four-stage injection chain designed to evade detection. Initially, it uses WordPress’s wp_enqueue_script function to load a dynamically generated script containing an MD5 hash as a site identifier.

In subsequent stages, it dynamically loads scripts that collect referrer information and inject traffic direction system (TDS) scripts.

These scripts are typically hosted on compromised sites, with URLs like /wp-content/counts.php?cat=&t=.
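The following Python scanner is an added defensive illustration, not code from GoDaddy or from the article. It inspects a page's rendered HTML for two of the Stage 1 traits described above: a script loaded from a /wp-content/counts.php URL, and a script whose WordPress handle is a bare MD5-style hex string (wp_enqueue_script renders the handle as the script tag's id attribute with a "-js" suffix, so a 32-hex handle stands out from readable handles such as jquery-core). The sample HTML, hostnames and hash values are constructed for the demo, and the hex-handle and hex-query rules are heuristics derived from the description rather than published signatures.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse, parse_qs

# Path the article names for the TDS/C2 loader scripts on compromised sites.
COUNTS_PATH = "/wp-content/counts.php"
# wp_enqueue_script() renders <script id="{handle}-js">; the article says the
# Stage 1 handle is an MD5 hash, so a 32-hex handle is used here as a heuristic.
MD5_HANDLE_ID = re.compile(r"^[0-9a-f]{32}-js$")
HEX32 = re.compile(r"^[0-9a-f]{32}$")


@dataclass
class Finding:
    indicator: str   # which rule fired
    src: str         # script src attribute (may be empty for inline scripts)
    script_id: str   # script id attribute (may be empty)


class ScriptTagCollector(HTMLParser):
    """Collects the attributes of every <script> start tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))


def scan_html(html: str) -> List[Finding]:
    """Return one Finding per <script> tag that matches a DollyWay-style trait."""
    parser = ScriptTagCollector()
    parser.feed(html)
    findings: List[Finding] = []
    for attrs in parser.scripts:
        src = attrs.get("src") or ""
        sid = attrs.get("id") or ""
        parsed = urlparse(src)
        # Rule 1: loader fetched from a counts.php node (high confidence; a clean
        # WordPress install has no such file under wp-content).
        if parsed.path.endswith(COUNTS_PATH):
            findings.append(Finding("counts.php loader", src, sid))
            continue
        # Rule 2: enqueued script whose handle is a bare 32-hex hash.
        if MD5_HANDLE_ID.match(sid):
            findings.append(Finding("md5 script handle", src, sid))
            continue
        # Rule 3: a 32-hex token used as a query key or value (lower confidence:
        # some plugins use hashes as cache-busting ver= values, so review manually).
        qs = parse_qs(parsed.query, keep_blank_values=True)
        tokens = list(qs.keys()) + [v for vals in qs.values() for v in vals]
        if any(HEX32.match(t) for t in tokens):
            findings.append(Finding("32-hex query token", src, sid))
    return findings


# Constructed sample page: one legitimate WordPress script, one hash-handled
# script, one counts.php loader. Hosts and hashes are placeholders, not IoCs.
SAMPLE_HTML = """
<html><head>
<script src="https://example.test/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script>
<script src="https://example.test/?ver=5fa3d9b8c1e2f0a7b6d5c4e3f2a1b0c9" id="5fa3d9b8c1e2f0a7b6d5c4e3f2a1b0c9-js"></script>
<script src="https://other-site.test/wp-content/counts.php?cat=EXAMPLE_CAT&t=EXAMPLE_T"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"[{f.indicator}] src={f.src!r} id={f.script_id!r}")
```

Run it against the HTML a browser actually receives (for example the output of a plain HTTP fetch of the home page), not against the theme files on disk: the article notes the injection is assembled dynamically at page load, so the loader tag appears in served output even when the theme source looks clean.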

Researchers at GoDaddy identified the malware’s sophisticated mechanisms, including cryptographic verification of data transfers and automatic reinfection processes.

DollyWay also updates WordPress and removes competing malware to maintain control over compromised sites.

DollyWay’s Infrastructure

DollyWay v3 utilizes a distributed network of C2 and TDS nodes hosted on compromised WordPress sites.

It injects redirect scripts into sites using files like wp-content/counts.php. These nodes act as central command centers, providing the malware with the latest settings and ensuring the persistence of the infection.

The malware updates its node list daily to maintain effectiveness even if some nodes are taken down.

The list currently includes 14 nodes, and the Stage 3 script randomly selects three nodes to ensure redirects occur even if some are unavailable.
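Because the nodes described above live on compromised WordPress sites, a site owner's own web-server access log is one place the node role shows up. The Python script below is an added example, not GoDaddy's or the article's code: it parses Combined Log Format lines and reports requests for /wp-content/counts.php carrying the cat and t parameters the article mentions, separating requests the server actually served (2xx, meaning the file exists on this host) from requests that failed (the site was only probed). The log lines, IP addresses and parameter values are constructed placeholders.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import urlparse, parse_qs

# Combined Log Format (Apache/nginx default): ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

NODE_PATH = "/wp-content/counts.php"


def is_node_request(target: str) -> bool:
    """True if the request target looks like a DollyWay node fetch (counts.php?cat=..&t=..)."""
    parsed = urlparse(target)
    if not parsed.path.endswith(NODE_PATH):
        return False
    qs = parse_qs(parsed.query, keep_blank_values=True)
    return "cat" in qs and "t" in qs


def scan_access_log(lines: List[str]) -> Dict[str, object]:
    """Classify node-style requests into served (file exists here) vs probed (404 etc.)."""
    served, probed = [], []
    per_ip: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_node_request(m["target"]):
            continue
        record = {"ip": m["ip"], "ts": m["ts"], "target": m["target"], "status": m["status"]}
        per_ip[m["ip"]] += 1
        # A 2xx means counts.php really exists under wp-content on this server,
        # i.e. the site is acting as a node; anything else is an external probe.
        (served if m["status"].startswith("2") else probed).append(record)
    return {"served": served, "probed": probed, "per_ip": per_ip}


# Constructed sample log: two successful node fetches, one unrelated image
# request, and one probe that got a 404. Addresses are documentation ranges.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [18/Mar/2025:10:15:01 +0000] "GET /wp-content/counts.php?cat=EXAMPLE_CAT&t=EXAMPLE_T HTTP/1.1" 200 2117 "https://visitor-site.test/" "Mozilla/5.0"',
    '203.0.113.10 - - [18/Mar/2025:10:15:07 +0000] "GET /wp-content/counts.php?cat=EXAMPLE_CAT&t=EXAMPLE_T HTTP/1.1" 200 2117 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Mar/2025:10:16:22 +0000] "GET /wp-content/uploads/2025/03/photo.jpg HTTP/1.1" 200 84031 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [18/Mar/2025:10:17:03 +0000] "GET /wp-content/counts.php?cat=EXAMPLE_CAT&t=EXAMPLE_T HTTP/1.1" 404 196 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    result = scan_access_log(SAMPLE_LOG_LINES)
    print(f"served node requests: {len(result['served'])} (site is hosting counts.php)")
    print(f"probes that failed:   {len(result['probed'])}")
    for ip, n in result["per_ip"].most_common():
        print(f"  {ip}: {n}")
```

A single served hit is enough to warrant a file-system check, since counts.php is not part of WordPress core; the per-IP tally is mainly useful for seeing how many distinct infected sites are pulling settings from this host.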

For example, the Stage 1 injection pattern includes a unique hexadecimal string:

/?&ver=" id="-js">

This pattern is used to evade static analysis by making the malicious activity appear generic.

The malware also maintains persistence by disabling security plugins and reinstalling itself every time a page is loaded.

GoDaddy analysts noted that this reinfection process involves randomizing code to evade detection, making removal challenging without taking the site offline.

The operation is highly organized, aiming for long-term control and using VexTrio affiliate networks to monetize traffic.

In addition to its sophisticated reinfection mechanisms, DollyWay injects backdoors into compromised sites.

These backdoors allow for arbitrary PHP code execution, with data integrity verified through cryptographic signatures.

Such advanced techniques highlight the evolving nature of the DollyWay operation, which has adapted over nearly a decade to remain effective in the face of evolving security practices.

The persistence and sophistication of the DollyWay campaign underscore the importance of continuous security monitoring and proactive measures to protect WordPress sites from such threats.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.