BleepingComputer reports that more than 20,000 WordPress sites worldwide have been compromised as part of the DollyWay World Domination malware operation that has been ongoing since 2016.
While previous iterations of the DollyWay campaign spread ransomware and banking Trojans, the latest DollyWay v3 campaign targets WordPress sites by exploiting vulnerable plugins and themes. The attacks redirect visitors to fraudulent cryptocurrency, gambling, dating, and sweepstakes sites, an analysis from GoDaddy found.
After initially infiltrating websites by using the `wp_enqueue_script` function to load a secondary script, DollyWay v3 collects site visitor referrer data to drive Traffic Direction System (TDS) loading. The attackers then choose three random sites to serve as TDS nodes containing concealed JavaScript that redirects to VexTrio or LosPollos scam pages, said GoDaddy researchers.
DollyWay ensures persistence by automatically reinfecting the site on every page load, according to researcher Denis Sinegubko, who also noted that the campaign's concealment of its installed WPCode snippets and admin users further complicates its removal from impacted websites.
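Because the loader described above is injected through `wp_enqueue_script`, a site owner can audit a WordPress tree for enqueue calls that pull scripts from origins the site does not control. The following Python scanner is an added example written for this page; it is not GoDaddy's, BleepingComputer's, or the researcher's code, and it does not detect DollyWay specifically. The sample theme and plugin files it scans are constructed for the demonstration, the `trusted_hosts` allowlist and file names are assumptions, and flagging calls whose source is a PHP variable (so the URL is assembled at runtime) is a review heuristic of the example, not a claim about the campaign.

```python
"""Audit a WordPress tree for wp_enqueue_script() calls that load scripts from
third-party origins. Added example; the PHP files below are constructed samples."""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# wp_enqueue_script('handle', 'src', ...) where both arguments are string literals.
LITERAL_CALL = re.compile(
    r"wp_enqueue_script\s*\(\s*(['\"])(?P<handle>[^'\"]*)\1\s*,\s*(['\"])(?P<src>[^'\"]*)\3",
    re.IGNORECASE,
)
# Calls whose src argument is a PHP variable: the URL is built at runtime and
# a plain search for a hostname would miss it (heuristic, assumption of this example).
VARIABLE_CALL = re.compile(
    r"wp_enqueue_script\s*\(\s*(['\"])(?P<handle>[^'\"]*)\1\s*,\s*\$(?P<var>\w+)",
    re.IGNORECASE,
)


def external_host(src):
    """Return the hostname when src points at another origin, else None."""
    if src.startswith("//"):  # protocol-relative URLs are still remote
        src = "https:" + src
    parsed = urlparse(src)
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname
    return None


def scan_file(path, trusted_hosts):
    """Return findings for one PHP file as (handle, src, severity) tuples."""
    text = path.read_text(encoding="utf-8", errors="replace")
    findings = []
    for m in LITERAL_CALL.finditer(text):
        host = external_host(m.group("src"))
        if host and host not in trusted_hosts:
            findings.append((m.group("handle"), m.group("src"), "high"))
    for m in VARIABLE_CALL.finditer(text):
        findings.append((m.group("handle"), "$" + m.group("var"), "review"))
    return findings


def scan_tree(root, trusted_hosts):
    """Walk root and collect findings keyed by path relative to root."""
    root = Path(root)
    report = {}
    for php in sorted(root.rglob("*.php")):
        hits = scan_file(php, trusted_hosts)
        if hits:
            report[str(php.relative_to(root))] = hits
    return report


# Constructed sample tree standing in for a WordPress install (hypothetical names).
SAMPLE_FILES = {
    "wp-content/themes/mytheme/functions.php": """<?php
function mytheme_scripts() {
    wp_enqueue_script('mytheme-main', get_template_directory_uri() . '/js/main.js');
    wp_enqueue_script('jquery-cdn', 'https://code.jquery.com/jquery-3.7.1.min.js');
}
add_action('wp_enqueue_scripts', 'mytheme_scripts');
""",
    "wp-content/plugins/suspicious/loader.php": """<?php
function sus_loader() {
    // Hardcoded third-party origin: the pattern a site owner should review.
    wp_enqueue_script("sus-ld", "//example-tds-node.invalid/js/ld.js", array(), null, true);
    // URL assembled at runtime, so a literal-string search misses it.
    $u = 'https://' . 'example-tds-node.invalid' . '/js/b.js';
    wp_enqueue_script("sus-dyn", $u);
}
add_action("wp_enqueue_scripts", "sus_loader");
""",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="wpscan_"))
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


def demo():
    """Scan the constructed tree, trusting only a CDN the site chose itself."""
    return scan_tree(build_sample_tree(), trusted_hosts={"code.jquery.com"})


if __name__ == "__main__":
    for path, hits in demo().items():
        for handle, src, severity in hits:
            print(f"[{severity}] {path}: {handle} -> {src}")
```

Run against a real install, point `scan_tree` at the WordPress root and put the site's own domain and any CDNs it deliberately uses in `trusted_hosts`; every "high" finding is a script loaded from an origin the site did not choose, and "review" findings are enqueue calls whose source should be traced by hand. Since the page notes the campaign reinfects on page load and hides its WPCode snippets and admin users, a clean scan of the files alone is not proof of a clean site; the database-stored snippets and the user table need checking as well.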