Free proxy service found running on top of 2,600+ hacked WordPress sites

WordPress sites hacked and infected with Ngioweb Linux malware; hijacked into commercial proxy service.
Written by Catalin Cimpanu, Contributor

A website offering both free and commercial proxy servers is actually running on top of a giant botnet of hacked WordPress sites, security researchers from Netlab, a network threat hunting unit of Chinese cyber-security giant Qihoo 360, have revealed.

In a report published today, Netlab researchers accused the Free-Socks.in proxy service of masquerading as a front for a criminal operation.

Researchers said that users who would use any of the proxy servers provided by the Free-Socks.in website would actually have their traffic funneled through a network of hacked WordPress sites spread all over the world.

New Linux.Ngioweb malware used to build proxy botnet

These WordPress sites were hacked and infected with a web shell, which acted as a backdoor, and the Linux.Ngioweb malware, which acted as the proxy agent.

Netlab researchers looked closely at the Linux.Ngioweb malware because this was a new strain that had not been seen before. After analyzing it, they said that Linux.Ngioweb contained two separate command and control (C&C) servers.

The first one -- named Stage-1 -- was used to manage all the infected sites (bots). The second set of C&C servers -- named Stage-2 servers -- worked as backconnect proxies between the Free-Socks.in service and the infected sites, funnelling traffic from the service's customers to the hacked WordPress sites, which then relayed it to its final destination.

Ngioweb structure
Image: Netlab

Netlab also said the Linux.Ngioweb malware was actually a Linux port of a Windows malware strain named Win32.Ngioweb, spotted for the first time in August 2018 by Check Point researchers. The Windows version also worked as a proxy bot, being most likely used in a similar fashion.

The only addition to the Linux port, which was spotted for the first time on May 27, three weeks ago, was a DGA (domain generation algorithm) that generated a pre-determined Stage-1 C&C server domain name for each day, to which all the infected sites would report back to.

Taking over the botnet

Netlab researchers said they cracked the DGA and recorded one of the Stage-1 C&C server domains in order to track the botnet's activity.

The Netlab team said that during the time they ran this domain, 2,692 WordPress sites checked in, with almost half located in the US.

Ngioweb botnet
Image: Netlab

All these sites would now need to be disinfected and have the Linux.Ngioweb malware and adjacent web shell removed from their filesystem.

The Netlab team has offered to share a list of infected server IP addresses with other security firms and with relevant law enforcement agencies. Contact details are available in the company's technical report.

HackerOne's top 20 public bug bounty programs

Related malware and cybercrime coverage:

Editorial standards