securityonline.info 2/5/2026, 1:55:44 AM · via preferred

Ghost Folders: “Directory Shadowing” Hack Hijacks WordPress SEO

A new and stealthy malware campaign targeting WordPress sites uses a technique called “directory shadowing,” where attackers create real folders that mirror the site’s permalinks to hijack legitimate URLs, according to security analyst Puja Srivastava from Sucuri. The attack is stealthy because it remains invisible to regular visitors and administrators: Google is shown casino and gambling-related content while the site itself appears normal to the owner.

The attackers place three files inside the hidden folders: index[.]php as the controller, indexx[.]php as a clean copy for regular visitors, and readme[.]txt containing malicious spam content. The malware also checks the User-Agent for terms such as “Googlebot” and serves different content accordingly, printing the readme[.]txt to the browser when a Google-related User-Agent is detected.

To remove the infection, administrators must delete the malicious physical directories that mirror the site’s permalinks and then request a re-index from search engines to restore the site’s reputation, the report notes.
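
The cleanup step above depends on finding the shadow directories first. The following is an added example, not code from the Sucuri report or this article: it walks a WordPress document root and flags any physical directory that holds the three files named above together. The function names, the list of skipped core directories and the User-Agent marker strings are assumptions made for illustration.

```python
import os
import tempfile

# File trio named in the report (written there defanged, e.g. index[.]php).
TRIO = {"index.php", "indexx.php", "readme.txt"}
# Assumption: WordPress core directories are not permalink paths, so skip them.
SKIP = {"wp-admin", "wp-includes", "wp-content"}
# Assumption: strings suggesting the controller branches on the crawler User-Agent.
UA_MARKERS = (b"googlebot", b"http_user_agent")


def find_shadow_dirs(docroot):
    """Return sorted [(relative_dir, ua_check_found)] for dirs holding the full trio."""
    hits = []
    for cur, dirs, files in os.walk(docroot):
        if cur == docroot:
            dirs[:] = [d for d in dirs if d not in SKIP]
            continue  # the docroot's own index.php is WordPress itself
        if TRIO <= set(files):
            with open(os.path.join(cur, "index.php"), "rb") as fh:
                body = fh.read(1 << 20).lower()  # first 1 MiB is enough for a marker scan
            ua_check = any(marker in body for marker in UA_MARKERS)
            hits.append((os.path.relpath(cur, docroot), ua_check))
    return sorted(hits)


def build_constructed_site(root):
    """Constructed sample tree: one shadowed permalink folder and one benign folder."""
    layout = {
        "index.php": "<?php /* constructed: WordPress front controller */",
        "wp-content/plugins/demo/index.php": "<?php // constructed: core, skipped",
        "about-us/index.php": "<?php /* constructed stand-in: HTTP_USER_AGENT / Googlebot */",
        "about-us/indexx.php": "<html>constructed clean copy</html>",
        "about-us/readme.txt": "constructed spam placeholder",
        "docs/readme.txt": "constructed benign readme",
    }
    for rel, text in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_site(tmp)
        return find_shadow_dirs(tmp)


if __name__ == "__main__":
    print(demo())
```

A hit is a lead to review by hand against the site's real permalink list before deleting anything; a directory that matches but shows no User-Agent marker is still worth inspecting.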

Article by CyberSIXT