Introduction

In traditional Slavic cultures, Baba Yaga is an entity that haunts the dreams of children and a common threat that parents use when their children misbehave. But in the world of malware, BabaYaga is a form of malware that can update itself, use antivirus functionality and more. Much like the mythical creature, BabaYaga malware has the potential to haunt WordPress administrators and IT support staff. 

This article will explore BabaYaga: what it is and how it works. We’ll conclude with a discussion of the need to widely recognize BabaYaga as a new malware type. 


What is BabaYaga?

BabaYaga is a malware variant and the first of a new malware type: malware-destroying malware. It infects WordPress, Drupal, Joomla and generic PHP websites. 

The focus of BabaYaga lies in the realm of SEO. BabaYaga can direct traffic to compromised sites — more accurately, to the hidden pages it places on them. These hidden pages then redirect this traffic to affiliate marketing links. If the redirected visitor ends up purchasing an advertised product, the attackers make a profit on the sale.

You may be thinking this is just another kind of WordPress malware and all you have to worry about is changing your password regularly. Guess again: BabaYaga is in a class all its own. In fact, BabaYaga has the unique ability to remove other malware. Once dug in as an infection, it can self-update WordPress (some may see this as a positive!) and even clean up after itself. 

Discovered by the security researchers responsible for the Wordfence security plugin at Defiant, BabaYaga was sophisticated and interesting enough that they released a whitepaper with a deep analysis of it. The whitepaper was written to assist WordPress administrators and threat analysts with this emerging type of malware. 

How does BabaYaga work?

As mentioned above, BabaYaga exhibits several notable abilities which make it a new force in the world of malware. These abilities include:

  • Detecting and removing other malware present on a website that BabaYaga has infected — moving the malware playing field from mere proliferation to proliferation within the best possible environment
  • Updating WordPress
  • Installing WordPress
  • Self-relocation to avoid detection and mitigation actions
  • Containing files to reinstall itself if it is removed by a legitimate antivirus solution
  • Determining whether a visitor to an infected site is a legitimate human or a search engine bot — for example, by fetching search engine bot identifiers
  • SEO spam
  • Creating backups then upgrading WordPress
  • Creating backups, upgrading WordPress, then deleting the backups
  • Deleting any existing backups
  • Installing backdoors through which other malware can be installed
  • Spreading infection to other websites
  • File uploading (both simple and complex)

Aside from the obvious antivirus functionality, it is readily apparent that BabaYaga has an extensive amount of in-built redundancy. This provides attackers with some insurance, as they have several countermoves available should the malware be detected and/or removed from the compromised site.

Anatomy of BabaYaga

This malware variant is made up of two separate parts: the backdoor and the spam engine. There is also a command-and-control server, or C2 server, that controls the malware. 

Backdoor portion

The backdoor portion of this malware lives in only a few files, scattered across different locations on the compromised WordPress website. It blends in (in part) by giving its malicious files mundane, legitimate-sounding names. For example, ms-menu.php is a malicious file name that appears wholly legitimate. 
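One defensive check this disguise motivates, as an added example that is not part of the original article or of Wordfence's code: compare the PHP files under a WordPress core directory against a manifest of known-good hashes, so a file like ms-menu.php that core never shipped stands out, and an injected line in a genuine core file is caught too. The manifest, the sample install and the tampered contents here are constructed; a real audit would use the checksums published for the installed WordPress version.

```python
import hashlib
import os
import tempfile

# Constructed manifest: relative path -> MD5 of the legitimate file. A real one comes
# from the WordPress core checksums API for the installed version
# (https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=en_US).
LEGIT_FILES = {
    "wp-includes/version.php": "<?php $wp_version = '6.4.3';\n",
    "wp-includes/functions.php": "<?php function wp_hello() { return 'hi'; }\n",
}
MANIFEST = {p: hashlib.md5(b.encode()).hexdigest() for p, b in LEGIT_FILES.items()}

def build_sample_install(root):
    """Constructed tree: one clean core file, one tampered core file, one look-alike drop."""
    os.makedirs(os.path.join(root, "wp-includes"), exist_ok=True)
    files = dict(LEGIT_FILES)
    files["wp-includes/functions.php"] += "/* constructed tamper */ include 'ms-menu.php';\n"
    files["wp-includes/ms-menu.php"] = "<?php /* constructed: not a core file */\n"
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body.encode())

def audit_core(root, manifest, core_dirs=("wp-includes", "wp-admin")):
    """Compare every PHP file under the core directories with the manifest: 'unknown' is
    a file core never shipped (the BabaYaga case), 'modified' is injected code."""
    report = {"modified": [], "unknown": []}
    seen = set()
    for d in core_dirs:
        for dirpath, _, names in os.walk(os.path.join(root, d)):
            for name in names:
                if not name.endswith(".php"):
                    continue
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                seen.add(rel)
                with open(full, "rb") as fh:
                    digest = hashlib.md5(fh.read()).hexdigest()
                if rel not in manifest:
                    report["unknown"].append(rel)
                elif digest != manifest[rel]:
                    report["modified"].append(rel)
    report["missing"] = [p for p in manifest if p not in seen]
    return {k: sorted(v) for k, v in report.items()}

def audit_sample_install():
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_install(root)
        return audit_core(root, MANIFEST)
```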

This portion of the malware has many capabilities and is what performs the heavy lifting. Just some of the capabilities include:

  • Version information
  • Simple file upload
  • Complex file upload
  • PHP code execution
  • Self-relocation
  • Backups and upgrades
  • Malware cleanup

BabaYaga provides several backdoors for its attackers to use, all while making a solid attempt to remain unseen on the compromised WordPress site.

Spam engine

Where the backdoor portion does the legwork, the spam engine accomplishes the purpose of BabaYaga: SEO spam. This portion of the malware downloads malicious files from the C2 server, infects core WordPress files and ensures execution. This portion also:

  • Tests whether the malware runs during a page visit
  • Renders the site without running the malware
  • Generates spam templates
  • Fetches search engine bot identifiers
  • Performs the SEO spam itself (the purpose of the malware)

BabaYaga can determine if the site visitor is a human or a search engine bot. If the site visitor is a human, a spam page is rendered with a line of JavaScript at the top. This extra line of code is what redirects traffic to an affiliate page and can make the attackers $15 per conversion. 
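The visitor classification and the human-only redirect described above, seen from the defender's side, as an added example that is not from the article or from Wordfence: fetch the same URL once as a search engine crawler and once as a browser and compare the two responses. The user-agent strings, the simulated infected and clean sites, and the affiliate.example redirect target are constructed for the example.

```python
import re
import urllib.request

# Constructed User-Agent strings: an ordinary browser and a search engine crawler.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# A JavaScript redirect of the kind a spam page serves to human visitors only.
JS_REDIRECT_RE = re.compile(
    r"(?:window\.location(?:\.href)?\s*=|location\.replace\()\s*['\"]([^'\"]+)['\"]", re.I)

def http_fetch(url, user_agent, timeout=10):
    """Real fetch with a chosen User-Agent, for checking a site you administer."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

SPAM_PAGE = "<html><body><h1>Best Deals Cheap Products</h1><p>buy now</p></body></html>"

def infected_site(url, user_agent):
    """Constructed stand-in for an infected host: the crawler gets the keyword-stuffed
    page, a human gets the same page with a redirect script at the top."""
    if "Googlebot" in user_agent:
        return SPAM_PAGE
    return SPAM_PAGE.replace(
        "<body>", "<body><script>window.location='https://affiliate.example/?ref=1';</script>")

def clean_site(url, user_agent):
    """Constructed stand-in for a healthy host: identical content for every visitor."""
    return "<html><body><h1>Our Company</h1></body></html>"

def detect_cloaking(url, fetch=http_fetch):
    """Fetch the URL as a crawler and as a browser; flag it when the copies differ
    and only the browser copy carries a JavaScript redirect."""
    as_bot = fetch(url, CRAWLER_UA)
    as_human = fetch(url, BROWSER_UA)
    human_redirect = JS_REDIRECT_RE.search(as_human)
    bot_redirect = JS_REDIRECT_RE.search(as_bot)
    human_only = human_redirect is not None and bot_redirect is None
    return {
        "content_differs": as_bot != as_human,
        "redirect_target": human_redirect.group(1) if human_only else None,
        "suspicious": as_bot != as_human and human_only,
    }

if __name__ == "__main__":
    print(detect_cloaking("https://example.test/", infected_site))
```

Legitimate sites also vary content by user agent (nonces, A/B tests), so the redirect that appears only in the browser copy is the signal worth alerting on, not the difference alone.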

Conclusion

BabaYaga is a newly emerging malware threat that deserves to be widely recognized as a new type of malware: malware-destroying malware. 

It has many unique abilities that other malware does not commonly exhibit all in one package — including antivirus functionality, self-updating capability, determining whether a site visitor is a human or not (which determines how the malware will act upon user interaction) and SEO spam capabilities that explain the malware’s existence. 

In the words of the team that discovered this malware variant: “BabaYaga is an emerging threat that is more sophisticated than most malware.”


Sources

  1. BabaYaga – The Self Healing WordPress Malware, Wordfence
  2. LOL: BabaYaga WordPress Malware Updates Your Site, Bleeping Computer
  3. BabaYaga: The WordPress Malware that Eats Other Malware, Wordfence