BabaYaga: The WordPress malware that has anti-malware features

by Julie Splinters - - 2018-06-10

BabaYaga is the malware that generates spam links and redirects to potentially malicious websites

BabaYaga malware image BabaYaga is the WordPress malware that can eliminate other cyber threats.

Cybersecurity researchers at Defiant have recently discovered a new WordPress malware called BabaYaga. According to the analysis this cyber threat is designed to redirect users to potentially dangerous pages and generate spam links among the search results.

Even though experts claim the malware^[1] is not new in the cyberspace, it has caught their attention with numerous features which lead to persistent infection. One of the most noticeable ones is the ability to remove other cyber infections from WordPress.

Unfortunately, BabaYaga is designed to hide its presence effectively. Likewise, even if experienced computer users can detect the malware, regular people would suffer from redirects to shady sites where their PCs can be infected with other potentially unwanted programs (PUPs)^[2].

Explaining the function of the malware

BabaYaga analysis revealed that the virus is programmed to deliver spam content on the victim's website. Usually, the pages contain an excessive amount of keywords that have no fluent meaning. Although, they attract the traffic from the search directory — the targeted audience is students, as scammers offer essay writing services.

The developers of BabaYaga generate profit by popular marketing schemes. In other terms, if the WordPress^[3] site is infected with malware, users who click on it are redirected to the affiliate page. Likewise, spammers receive profit from the traffic brought to the website and the purchases made on that site.

Therefore, it is essential to visit only reliable websites which are not designed to deliver spam content. Users are advised to monitor their online activity and search for any suspicious and untrustworthy signs that might indicate potential danger on the cyberspace.

The list of BabaYaga malware features

Malware researchers point our that BabaYaha is programmed to take every measure possible to stay on the site. Likewise, it has the following features:

Can connect to the C&C server^[4] and download updates or new versions of itself;
Criminals can manually upload files to victim's website;
Immediately infects other sites on the parent directory;
Includes WSO Shell which gives access to the file manager and ability to execute shell commands.

Furthermore, the last but not the least, BabaYaga malware can remove other malicious programs since it cannot operate on the infected WordPress site^[5]:

The author of this malware variant understands that a site infected with malware can be costly. So, to ensure that their infected sites aren't affected by someone else's malware, they have built in the ability to detect other malware and remove it from the site they have infected.

About the author

Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions

References

^ Danny Palmer. What is malware? Everything you need to know about viruses, trojans and malicious software. ZDNet. Technology News, Analysis, Comments and Product Reviews.
^ Chris Hoffman. PUPs Explained: What is a “Potentially Unwanted Program”?. How-To Geek. We Explain Technology.
^ WordPress. Wikipedia. The Free Encyclopedia.
^ Mikey Veenstra. BabaYaga: The WordPress Malware That Eats Other Malware. Wordfence. WordPress Security Plugin.
^ Brad Haas. BabaYaga - The Self Healing WordPress Malware. Wordfence. WordPress Security Plugin.