We’ve been following an ongoing malware campaign for the past couple of years. This campaign is known for promptly adding exploits for newly discovered WordPress theme and plugin vulnerabilities.
Every other week, the attackers introduce new domain names and slightly change the obfuscation of their scripts to evade detection. For example, last week they started using URLs on the following domains:
* dns.createrelativechanging[.]com (Creation Date: 2019-09-19)
* bes.belaterbewasthere[.]com (Creation Date: 2019-09-21)
To provide more context, you can find additional posts following the evolution of this malware campaign below.