
Sucuri’s Puja Srivastava recently uncovered a stealthy and complex malware campaign targeting WordPress websites that left no visible trace on the surface. This infection, described as “particularly interesting and complex,” exemplifies the growing trend of multi-stage malware delivery through trusted CMS platforms.
The attackers behind this campaign planted several files across a compromised WordPress site:
- header.php – The main malicious controller and dropper
- man.php – An interface for monitoring and manipulating logs
- count.txt – An IP blacklist and activity tracker
- update.bat – An obfuscated batch script generated dynamically
- psps.zip – A ZIP archive containing the actual Windows Trojan: client32.exe
Each component played a precise role in executing a silent infection flow, from profiling victims to delivering a Remote Access Trojan (RAT) through batch scripting and PowerShell commands.

The header.php file is the central dropper, only activating on POST requests and avoiding repeated infection attempts by checking visitor IPs logged in count.txt.
“The malware logs each visitor’s IP… and avoids serving the batch file twice to the same IP.”
This clever mechanism makes the malware harder to detect during forensic investigations. Once a new IP is detected, header.php dynamically generates a batch file (update.bat) that initiates the full attack sequence.
The update.bat script performs multiple actions to stealthily download and execute the payload:
- Downloads a malicious ZIP file via PowerShell from a remote C2 URL.
- Extracts the archive using the .NET ZipFile API.
- Executes client32.exe, a hidden RAT payload.
- Adds a Windows registry entry to ensure persistence: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Program_Cs1" /t REG_SZ /d "client32.exe" /f
- Deletes forensic evidence like the ZIP file to avoid detection.
The count.txt file acts as both a blacklist and an activity log, recording which IPs have already been targeted to avoid redundancy. Meanwhile, man.php functions as a rudimentary admin panel, allowing the attacker to read, delete, or append to count.txt in real time.
“The attacker can use dedicated buttons to either delete the entire log file… or append new records.”
Once executed, client32.exe establishes a covert C2 connection to 5.252.178.123:443. Though the internal code of the Trojan wasn’t fully analyzed, its behavior matches that of a Remote Access Trojan (RAT): stealthy, persistent, and capable of remote command execution.
“The behavior matches common traits of remote access trojans (RATs), including silent execution, registry persistence, and stealthy payload delivery from known malware C2 domains.”
Website administrators must go beyond surface-level checks and implement deep file integrity monitoring, traffic analysis, and server-side malware scanning to catch infections like this one before they compromise visitors.
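A server-side scan of the kind called for above, as an added example that is not Sucuri's tooling or any code from the campaign: it walks a web root and flags the file names and content patterns tied to the stages described in this article (POST-triggered PHP that writes a .bat, PowerShell download plus .NET ZipFile extraction, the HKCU Run-key entry). The rule patterns, the mock site layout and its sample file contents are constructed assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructed detection rules for the stages described above (illustrative, not
# Sucuri's signatures). header.php is a normal theme file name, so it is judged by content.
SUSPICIOUS_NAMES = {"man.php", "count.txt", "update.bat", "psps.zip", "client32.exe"}
CONTENT_RULES = {
    # Stage 2: PowerShell fetch and .NET ZipFile extraction from the dropped .bat
    "powershell_download": re.compile(r"DownloadFile|Invoke-WebRequest", re.I),
    "zipfile_extract": re.compile(r"ZipFile\]::ExtractToDirectory", re.I),
    # Stage 3: HKCU Run-key persistence, plus the value name used in this campaign
    "run_key_persistence": re.compile(
        r'reg\s+add\s+"?HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run', re.I),
    "known_run_value": re.compile(r"Program_Cs1"),
    # Stage 1: PHP that acts only on POST and writes a batch file to disk
    "php_bat_dropper": re.compile(
        r"REQUEST_METHOD.{0,40}POST.*file_put_contents\([^)]*\.bat", re.I | re.S),
}

def scan_file(path: Path) -> list[str]:
    """Return the names of every rule that fires for one file (empty if clean)."""
    hits = ["suspicious_name"] if path.name.lower() in SUSPICIOUS_NAMES else []
    text = path.read_text(errors="ignore")
    return hits + [name for name, rx in CONTENT_RULES.items() if rx.search(text)]

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a web root and map each flagged file (relative POSIX path) to its hits."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (hits := scan_file(path)):
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo() -> dict[str, list[str]]:
    """Scan a constructed mock site; the files are harmless stand-ins, not real malware."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content/themes/x"
        theme.mkdir(parents=True)
        (theme / "header.php").write_text(
            "<?php if ($_SERVER['REQUEST_METHOD'] == 'POST') {\n"
            "  file_put_contents('update.bat', $script); }\n")
        (theme / "update.bat").write_text(
            "powershell -c \"(New-Object Net.WebClient).DownloadFile($u, 'psps.zip')\"\n"
            "powershell -c \"[IO.Compression.ZipFile]::ExtractToDirectory('psps.zip', '.')\"\n"
            'reg add "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"'
            ' /v "Program_Cs1" /t REG_SZ /d "client32.exe" /f\n')
        (theme / "count.txt").write_text("203.0.113.5\n")
        (theme / "style.css").write_text("/* constructed benign file */\n")
        return scan_tree(Path(tmp))
```

Run scan_tree against a real document root to get the same mapping; a hit on the name rules alone is a lead to verify, while a content hit on a dropper or Run-key pattern warrants immediate file integrity comparison against a clean copy.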