Millions of WordPress Sites Infected by Malware, Here's What you Should Know

Researchers at the security firm Sophos have recently analysed a malware loader they call Gootloader.

Separately, the Threat Response Team at eSentire reported that the same operators were running an extensive drive-by download campaign that compromised a very large number of legitimate sites running WordPress as their content management system. If you run a WordPress site, that should get your attention.

This article looks at how the Gootloader campaign works, what it does to compromised WordPress sites, and what you can do about it, both to clean up a site that has been hit and to reduce the chance of it happening again.

What Is the New Malware Called Gootloader?

The Gootkit family has been around for at least five years and has been used to distribute ransomware, which encrypts a victim's files until a ransom is paid. Gootloader is the newest member of that family: rather than attacking victims' devices directly, it poisons Google search results for narrow, question-style queries so that people looking for a specific answer land on a compromised site and download the malware themselves.

The attackers do not go after random sites. They favour established sites in particular niches, such as healthcare, retail, hospitality and music, because those sites already rank well in search results and the injected pages inherit that ranking, which puts them in front of more visitors. The campaign targeted users in English-, German- and Korean-speaking markets.

What Is the Effect of the Malware on Your Website?

Gootloader relies on search engine poisoning: the code injected into a compromised site generates pages crafted to rank near the top of the results for specific questions, so that the hacked site appears as an apparently authoritative answer.

The injected code also cloaks itself. It inspects each visitor and only serves the malicious content to the intended targets, which in this campaign meant visitors arriving from a search engine and located in the US, Germany or South Korea. Anyone else who opens the same URL, including the site owner checking their own pages, sees the normal, benign site, which is one reason these infections go unnoticed for so long.

When a targeted visitor arrives, the page is replaced with a fake discussion forum in which a "user" appears to answer the searched question and offers a genuine-looking download link. The download is typically a ZIP archive containing a single JavaScript (.js) file; a user who opens it runs the script and starts the infection of their device. The website owner is compromised, but it is the site's visitors who end up infected.

WordPress’ Response to the Gootloader Attack and How to Clean the Malware

WordPress has not yet published specific guidance or a response to the Gootloader campaign for site owners. For the endpoint side, the Sophos researchers recommend a comprehensive security product that can scan for fileless malware and suspicious activity in a device's memory, since the later stages of Gootloader run in memory rather than as files on disk.

What to Do If Malware Hit Your Website

If your site has already been compromised, these steps will help you find and remove the injected code and make the site harder to hit again:

  • Log in to your server over SFTP or SSH (not just the WordPress dashboard, which may itself be compromised).
  • Take a full backup of the current site files and database before changing anything, then compare the live files against your last known-good backup to pinpoint anything that was recently added or modified.
  • Replace suspicious-looking WordPress core, theme and plugin files with clean copies from a known-good source.
  • Open custom files, and premium theme or plugin files that cannot simply be re-downloaded, in a text editor.
  • Remove any injected code from those files, paying attention to obfuscated PHP (for example eval() wrapped around base64_decode()) and code that does not belong where it appears.
  • Test the site after the changes to confirm it still works, then rotate all passwords and API keys that were stored on or used by the server.
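
The following script is an added example to go with the steps above; it is not code from the article, from Sophos or from eSentire. It assumes SSH access to the web root on a Linux host with standard coreutils, and optionally an unpacked copy of your last known-good backup on the same machine. It lists recently modified files, flags files containing a few generic PHP obfuscation and injection idioms (these patterns are common webshell indicators, not signatures specific to Gootloader), and, when a backup is available, prints the files whose content differs from the backup.

```shell
#!/bin/sh
# wp-triage.sh: added example, not part of the original article.
# Assumptions: web root and optional backup root are local directories,
# find/grep/sha256sum/comm are available (standard on Linux).

# 1. Files of interest modified within the last N days.
#    $1 = web root, $2 = look-back window in days.
recent_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '.htaccess' \) \
        -mtime "-$2" | sort
}

# 2. Files containing common injection idioms. The regex is a generic,
#    illustrative indicator list: eval() over decoded blobs, assert() on
#    request data, variable functions called from request data, create_function().
INJECT_RE='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)|assert[[:space:]]*\([[:space:]]*\$_|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*][[:space:]]*\(|create_function[[:space:]]*\('

suspicious_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '.htaccess' \) \
        -exec grep -lE "$INJECT_RE" {} + 2>/dev/null | sort
}

# 3. Compare the live tree against a known-good backup by content hash.
#    manifest prints "relative-path hash" sorted, so the two trees line up.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | awk '{print $2, $1}' | sort
}

# Prints the relative path of every live file that is new or whose content
# differs from the backup. $1 = backup root, $2 = live web root.
changed_since_backup() {
    a=$(mktemp) b=$(mktemp)
    manifest "$1" > "$a"
    manifest "$2" > "$b"
    comm -13 "$a" "$b" | awk '{print $1}'
    rm -f "$a" "$b"
}

# Usage on the server: sh wp-triage.sh /var/www/html 7 [/path/to/backup-root]
if [ "$#" -ge 2 ]; then
    echo "== files modified in the last $2 days"
    recent_files "$1" "$2"
    echo "== files containing common injection idioms"
    suspicious_files "$1"
    if [ -n "$3" ]; then
        echo "== files new or changed since the backup"
        changed_since_backup "$3" "$1"
    fi
fi
```

Treat the output as a triage list, not a verdict: a legitimate plugin can trip the pattern check, and a cloaked injection may be hidden in a file the regex does not match, so review each flagged file by hand and weight the backup comparison most heavily.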

To reduce the risk of future attacks, on the site and on the devices that visit it:

  • Never open a downloaded JavaScript (.js) file, or a ZIP archive containing one, if that is not what you intended to download; an "answer" to a search query should never arrive as a script.
  • Watch your endpoint protection alerts for Sophos' detection names for this campaign, AMSI/GootLdr-A, AMSI/Reflect-H and Exec_12a, which indicate that a Gootloader component ran on the device.
  • Keep antivirus signatures current on your devices, and keep WordPress core, themes and plugins up to date on your server; remove plugins and themes you no longer use.
  • On Windows, enable the Microsoft Defender Attack Surface Reduction rule "Block JavaScript or VBScript from launching downloaded executable content", which stops a downloaded .js file from pulling down and running its next stage.

Posted by David Lukić

David Lukić

David Lukić is an information privacy, security and compliance consultant at The passion to make cyber security accessible and interesting has led David to share all the knowledge he has. 
