Recently, the cybersecurity researchers of Sucuri have found that threat actors are conducting a tremendous massive black hat search engine optimization (SEO) campaign. 

However, nearly 15,000 websites redirected visitors to participate in fake Q&A discussion forums in this campaign. Over the course of September and October, the SiteCheck scanner of Sucuri detected over 2,500 redirects to other sites.

Not only this, but the experts have also stated that each and every compromised site contains nearly 20,000 files. All these files were being used as a part of the malicious campaign, which was being carried out by the threat actors, and most of the sites were WordPress.

Malicious ois[.]is Redirects

According to the securi report, After detecting the malware, the experts conducted a brief survey and found that some of the website’s malware infections generally limit themselves to a smaller number of files.

Not only this, but they also limit their footprint so that they can avoid detection and carry out their operations properly. 

A website infected with this malware will, on average, have over 100 files infected; that’s why this malware is completely different from others.

Common Infected Files

This malware is most commonly found infecting core files of WordPress, and it has also been found to infect “.php” files that were created by unrelated malware campaigns.

The following is a list of the top 10 most commonly infected files:-

  • ./wp-signup.php
  • ./wp-cron.php
  • ./wp-links-opml.php
  • ./wp-settings.php
  • ./wp-comments-post.php
  • ./wp-mail.php
  • ./xmlrpc.php
  • ./wp-activate.php
  • ./wp-trackback.php
  • ./wp-blog-header.php

Domains Targeted