BleepingComputer reports that more than 20,000 WordPress sites around the world have been compromised as part of the DollyWay World Domination malware operation that has been ongoing since 2016.
Although previous iterations spread ransomware and banking trojans, the latest DollyWay v3 campaign targets WordPress sites through vulnerable plugins and themes in order to redirect visitors to fraudulent cryptocurrency, gambling, dating, and sweepstakes sites, an analysis from GoDaddy found. After initially infiltrating websites using 'wp_enqueue_script', which enables secondary script loading, DollyWay v3 obtains site visitor referrer data and then facilitates loading of a Traffic Direction System (TDS). It then chooses a trio of random sites as TDS nodes, which contain concealed JavaScript that redirects to VexTrio or LosPollos scam pages, said GoDaddy researchers. Moreover, DollyWay ensures persistence by automating site reinfection following page loads, according to researcher Denis Sinegubko, who also noted that the campaign's obfuscation of the installed WPCode plugin and of admin users further complicates its removal from impacted websites.