Baba Yaga

Baba Yaga is an entity that haunts the dreams of children and a common threat that parents use when their children misbehave in Slavic countries across Eastern Europe.

But in the world of malware, BabaYaga is a form of malware that can update itself, use antivirus functionality and more. Much like the mythical creature, BabaYaga malware has the potential to haunt Joomla/WordPress or, in fact any PHP site administrators and IT support staff.

Fairy tales, you can see, until you need to face it. I did, recently.

What is BabaYaga?

BabaYaga is a malware variant and the first of a new malware type: malware-destroying malware. It infects WordPress, Drupal, Joomla and generic PHP websites. 

BabaYaga can direct traffic to compromised sites — more accurately, to the hidden pages it contains. These hidden pages then redirect this traffic to affiliate marketing links. If the compromised user ends up purchasing an advertised product, the attackers will make a profit on the sale. But the gain is on the other site too: these sites are gaining SEO juice, stolen from your site. Win-win for everybody, but you.

You may be thinking this is just another kind of WordPress malware and all you have to worry about is changing your password regularly. Guess again: BabaYaga is in a class all its own. In fact, BabaYaga has the unique ability to remove other malware. Once dug in as an infection, it can self-update WordPress to be more effective (some may see this as a positive!) and even clean up after itself. The self-update capability for Joomla wasn't reported as I write this, but who knows!

Discovered by the security researchers responsible for the Wordfence security plugin at Deviant, BabaYaga was so sophisticated and interesting that they released a whitepaper with a deep analysis of it. Why is interesting for someone focused on Joomla - check above, Baba Yaga reportedly can infect Joomla sites too!

BabaYaga exhibits several notable abilities which make it a new force in the world of malware. These abilities include:

  • Detecting and removing malware that has infected a website that BabaYaga has infected — moving the malware playing field from mere proliferation to proliferation within the best possible environment
  • Updating WordPress*
  • Installing WordPress*
  • Self-relocation to avoid detection and mitigation actions
  • Containing files to reinstall itself if it is removed by a legitimate antivirus solution
  • Determining whether a visitor to an infected site is a legitimate, human or a search engine bot— for example, by fetching search engine bot identifiers
  • SEO spam
  • Creating backups then upgrading WordPress *
  • Creating backups, upgrading WordPress, then deleting the backups*
  • Deleting any existing backups
  • Installing backdoors for other malware to install
  • Spreading infection to other websites
  • File uploading (both simple and complex)

The abilities marked with * haven't confirmed on Joomla yet. Aside from the obvious antivirus functionality, it is readily apparent that BabaYaga has an extensive amount of in-built redundancy. This provides attackers with some insurance, as they have several countermoves available should the malware be detected and/or removed from the compromised site.

This malware variant is made up of two separate parts: the backdoor and the spam engine. There is also a command-and-control server, or C2 server, that controls the malware.
And this is the most frightening part - the attacker can take over your hosting account.

The second is the moneyprinting engine: BabaYaga can determine if the site visitor is a human or a search engine bot. If the site visitor is a human, a spam page is rendered with a line of JavaScript at the top. This extra line of code is what redirects traffic to an affiliate page and can make the attackers $15 per conversion.

So, if your site began to behave this way, fasten your seat belt, put your helmet on, and push that button on your laser sword - a tough fight with the dark side of the Force awaiting you.