Select Page

Recently, Defiant’s analysts have been tracking a particularly sophisticated malware infection responsible for generating spam links and redirection, while still remaining relatively difficult for victims to detect.

Dubbed “BabaYaga” by our team, this infection is notable for containing code capable of removing its competition. BabaYaga actually has the ability to remove other malware.

While this malware isn’t brand new, it caught our attention with a wide array of features conducive to persistent infection. None of these countermeasures are groundbreaking individually, but taken as a whole they comprise a suite of functionality unusually comprehensive and effective for spam droppers.

In today’s post we are publishing a comprehensive white paper on the functioning and detection of BabaYaga. The paper includes a breakdown of the functions the malware provides, including its ability to maintain WordPress and detect and remove other malware variants. For our industry peers, we have included indicators of compromise in the form of YARA signatures, IPs and hostnames, in an appendix.

This accompanying blog post provides a summary of our findings for WordPress site owners.

images from Wordfence