From 508bb081c893052b9817e0a77ef543635e39fc68 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 8 Jun 2018 15:54:30 +0200 Subject: [PATCH] add BabaYaga Malware --- clusters/tool.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/clusters/tool.json b/clusters/tool.json index f470296..039b36c 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -4272,6 +4272,16 @@ "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html" ] } + }, + { + "uuid": "65c0dff4-6b23-11e8-899f-8fcb21ad9649", + "value": "BabaYaga", + "description": "The group behind BabaYaga —believed to be Russian-speaking hackers— uses this malware to inject sites with special keyboards to drive SEO traffic to hidden pages on compromised sites. These pages are then used to redirect users to affiliate marketing links, where if the user purchases advertised goods, the hackers also make a profit.\nThe malware per-se is comprised of two modules —one that injects the spam content inside the compromised sites, and a backdoor module that gives attackers control over an infected site at any time.\nThe intricacies of both modules are detailed in much more depth in this 26-page report authored by Defiant (formerly known as WordFence), the security firm which dissected the malware's more recent versions.\n\"[BabaYaga] is relatively well-written, and it demonstrates that the author has some understanding of software development challenges, like code deployment, performance and management,\" Defiant researchers say. \"It can also infect Joomla and Drupal sites, or even generic PHP sites, but it is most fully developed around Wordpress.\"", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/lol-babayaga-wordpress-malware-updates-your-site/" + ] + } } ], "authors": [