.Bt WordPress Malware Redirects Visitors to Malicious Pharma Sites – Detection & Cleanup

Being widely popular, WordPress is often subjected to malicious hacking campaigns over the internet. These campaigns may vary from one another based on factors like the motive of the hacker, obfuscation used, etc. However, one thing is common among all that the hacked WordPress site is used as a medium for all kinds of malicious purposes.

One such type of malware infection is the .Bt WordPress hack. It is named so because this kind of infection creates files with .bt extension on your WordPress site under the root directory or the “wp-admin” or “wp-admin/css” directory.

Here you will find the causes, symptoms, detection, and removal of the hack. Moreover, we shall also breakdown the workings of the malware for your better understanding. So,

Common Causes Behind .Bt WordPress Hack

Some common causes of the “.Bt WordPress hack” are:

• Outdated and unreputed plugins.
• Buggy themes.
• Outdated PHP version.
• Weak passwords.
• Server Misconfigurations.

Code Analysis of .Bt WordPress Malware

The first confirmation of this infection is the .bt file which contains a list of IP addresses. If you delete this file, it will be regenerated as the infection does not reside in the .bt file. The infection typically resides in WordPress files like:

• wp-load.php
• wp-settings.php
• /wp-content/themes/<some theme>/functions.php
• /wp-includes/functions.php

The malicious code in these files is obfuscated and looks something like this:

As visible from the code, the malware first disables all error messages to avoid suspicion.

Step 1: Downloading the Malware

In the .Bt WordPress hack, the malicious payload does not reside on the server but is downloaded from an external source. To accomplish this, this malware first checks whether the “allow_url_fopen” wrapper of PHP is available. In case, it is not available, the malware proceeds to use the cURL library of PHP to download malware using a function called “get_data_ya()”. The URL from which malicious file was downloaded was hxxp://lmlink1[.]top/lnk/inj[.]php.

Step 2: Obfuscating the Malware

Thereafter, the data downloaded is obfuscated using a simple XOR encryption. This is done in the function “wp_cd()” of the malware which accepts the data and the key as input parameters and returns the output as XOR encrypted.

Step 3: Writing the Malware

Once the encrypted payload is ready, the malware searches for writable subdirectories. If no such directory is found, it tries to write inside the current directory.

The malicious payload which is downloaded is un-encrypted and looks something like this.

Here it is noteworthy that the payload does not contain opening and closing PHP tags which are later on added while writing it to a subdirectory.

Step 4: Executing the Payload

Once the payload is successfully written inside a subdirectory, it is executed using the include() statement of PHP. This payload then creates the .bt files which contain IP addresses of search engine bots. The payload is also used to serve pharma spam as visible in the code given below.

The .bt files are probably used to avoid serving spam to the search engine bots and therefore avoid blacklisting of the site. The payload also accepts malicious commands from the created which are then executed on the infected WordPress site.

Step 5: Deleting the payload

Finally, when the malicious job is over, the malware deletes the files using the unlink() function of PHP to avoid any kind of suspicion. Therefore, this malware stays under the radar for a long time as it does not store the malicious payload but downloads it, uses it and deletes it when the task is over.

How You Can Detect and Clean the .bt Malware?

Method 1: Check for Files with .bt or .r Extensions

As a heuristic test, you can check if any files with the “.bt” or “.r” extensions are present on your server. Use your file manager to search.

Alternatively, login to your server via SSH and simply run the command:

find . -name '*.bt' -print

To further confirm the .Bt WordPress hack, search inside the WordPress files for the malicious code. In the SSH console, run the command:

find . -name "*.php" -exec grep " $ea = '_shaesx_'; $ay = 'get_data_ya'; $ae = 'decode';"'{}'; -print &> list.txt

This command will save the output in the list.txt file. Open the file which contains this malware and remove the malicious code. If you are unsure what is malicious code and what is original file code, visit this link to see malicious code only and remove it accordingly. If you are still unsure, comment out the suspicious code and get help.

Method 2: Check the Core File Integrity

Another method is to check the core file integrity. To do so, log in to your web server via SSH and then:

Step 1: Create a new directory in order to download a fresh copy of WordPress and navigate to it using the commands:

$ mkdir WordPress

$ cd WordPress

Step 2: Download and extract the latest version of WordPress using the commands:

$ wget https://github.com/WordPress/WordPress/archive/<latest version>.tar.gz

$ tar -zxvf <latest version>.tar.gz

Here replace the <latest version> with the latest version of WordPress available i.e. https://github.com/WordPress/WordPress/archive/5.3.tar.gz

Step 3: Now compare the files using the diff command to uncover any suspicious code.

$ diff -r path/to/your/file/wp-load.php /Wordpress/wp-load.php.

Step 4: If you find any malicious code, remove it or get help in removing it.

Astra is here to help!

Astra Security offers an affordable security solution detects and stops the .bt WordPress hack with its Website Protection solution.

Have questions to ask? Shoot them right at us in the comment’s box or chat with a security expert. We promise to reply 🙂

Share this...

Facebook

Pinterest

Twitter

Linkedin