Stealthy WordPress Malware Delivers Windows Trojan via PHP Backdoor

A sophisticated multi-stage malware campaign has been discovered targeting WordPress websites, employing an intricate infection chain that delivers Windows trojans to unsuspecting visitors while remaining invisible to standard security checks.

The malware represents a significant evolution in web-based attack techniques, combining PHP backdoors with advanced evasion mechanisms to establish persistent access to victim systems.

The attack begins with a deceptively clean WordPress installation that shows no obvious signs of compromise.

Unlike traditional malware infections that often display visible defacements or suspicious redirects, this campaign operates entirely beneath the surface, making detection extremely challenging for website administrators and security tools alike.

Sucuri researchers identified this complex threat after investigating what initially appeared to be a routine WordPress compromise.

The malware employs a layered approach involving PHP-based droppers, heavily obfuscated code, IP-based evasion techniques, auto-generated batch scripts, and a malicious ZIP archive containing the final Windows trojan payload identified as client32.exe.

Figure: client32.exe (Source: Sucuri)

The infection mechanism centers around a sophisticated PHP controller system that profiles visitors and enforces strict anti-analysis measures.

The primary component, header.php, functions as the central intelligence hub, implementing IP-based logging to prevent repeated infections from the same source.

This file only responds to POST requests and maintains a blacklist in count.txt to track visiting IP addresses, ensuring each victim receives the payload only once.

Advanced Payload Delivery and Persistence Mechanisms

The malware’s payload delivery system demonstrates remarkable technical sophistication through its dynamic batch file generation capabilities.

When a new victim is identified, header.php constructs a Windows batch script that orchestrates the complete infection process.

This script utilizes PowerShell commands with obfuscated syntax to download the malicious ZIP archive from external servers, specifically targeting the %APPDATA% directory for payload storage.

The persistence mechanism represents one of the most concerning aspects of this campaign. Upon execution, the generated batch script modifies the Windows Registry by adding an entry to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, ensuring the trojan client32.exe automatically launches during system startup.

This registry modification guarantees malware survival across system reboots and user sessions.

The final payload establishes a backdoor connection to the command and control server at 5.252.178.123 on port 443, enabling remote access capabilities typical of advanced persistent threats.

The malware includes cleanup mechanisms that remove initial download traces while deliberately preserving the extracted executable for continued operation.
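A heuristic scanner for the server-side traits described above (POST-only gating, IP logging to count.txt, embedded PowerShell, %APPDATA% and Run-key strings), added here as an example; it is not Sucuri's tooling, and the indicator weights, the threshold and the two sample files are this example's own assumptions.

```python
"""Score PHP files on co-occurring dropper indicators (added example).

A single string such as "powershell" is not enough to flag a file; the
dropper described in the write-up combines several traits, so the scanner
sums weighted hits and reports files above a threshold.
"""
import re
import sys
from pathlib import Path

# Indicator strings come from the write-up; the weights are assumptions.
INDICATORS = {
    "post_only":   (re.compile(r"REQUEST_METHOD\W+POST", re.I), 1),
    "ip_log":      (re.compile(r"count\.txt|REMOTE_ADDR", re.I), 1),
    "powershell":  (re.compile(r"powershell", re.I), 2),
    "appdata":     (re.compile(r"%APPDATA%", re.I), 2),
    "run_key":     (re.compile(r"CurrentVersion\\+Run", re.I), 3),
    "payload":     (re.compile(r"client32\.exe|\.zip\b", re.I), 1),
    "obfuscation": (re.compile(r"base64_decode|gzinflate|str_rot13|eval\s*\(", re.I), 2),
}
THRESHOLD = 5  # assumption: tuned so a normal theme header scores 0


def score_source(src: str) -> tuple[int, list[str]]:
    """Return (total score, names of matched indicators) for one PHP source."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(src)]
    return sum(INDICATORS[h][1] for h in hits), hits


def scan_dir(root: Path) -> list[tuple[str, int, list[str]]]:
    """Walk a WordPress tree and return every PHP file at or above THRESHOLD."""
    findings = []
    for path in root.rglob("*.php"):
        score, hits = score_source(path.read_text(errors="ignore"))
        if score >= THRESHOLD:
            findings.append((str(path), score, hits))
    return findings


# Constructed samples: a legitimate theme header and a non-functional stand-in
# that only carries the indicator strings (it is not a working dropper).
BENIGN_HEADER = '<?php wp_head(); ?>\n<body <?php body_class(); ?>>'
SUSPECT_HEADER = ('<?php if ($_SERVER["REQUEST_METHOD"] != "POST") exit;\n'
                  'file_put_contents("count.txt", $_SERVER["REMOTE_ADDR"]);\n'
                  '$b = "powershell ... %APPDATA% ... client32.exe";\n'
                  '$r = "HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run";')

if __name__ == "__main__":
    for found in scan_dir(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(found)
```

Run it against a WordPress document root; a standard theme header scores 0 while the constructed stand-in scores 10 with the run_key indicator present.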

This campaign highlights the increasing sophistication of WordPress-based malware delivery systems and underscores the critical need for comprehensive security monitoring beyond traditional signature-based detection methods.

