A sophisticated malware operation dubbed "DollyWay World Domination" has infected over 20,000 WordPress websites globally since 2016, according to research from GoDaddy's security team. The campaign, now in its third iteration, generates approximately 10 million impressions monthly by redirecting website visitors to fraudulent dating, gambling, cryptocurrency, and sweepstakes pages.
Evolution of a Complex Threat
The malware has undergone notable evolution over its eight-year lifespan. While earlier versions focused on distributing ransomware and banking trojans, DollyWay v3 employs advanced techniques including cryptographically signed data transfers and multiple injection methods across files and databases.
Technical Sophistication
DollyWay v3 operates through a complex infection process:
- Exploits vulnerabilities in WordPress plugins and themes
- Uses a Traffic Direction System to filter users based on location and device
- Redirects traffic through the VexTrio/LosPollos cybercriminal networks
- Removes competing malware from infected sites
- Maintains control by performing WordPress updates
Persistent Reinfection Mechanisms
The malware demonstrates remarkable persistence through:
- Automatic reinfection with every page load
- Injection into all active plugins and WPCode snippets
- Creation of hidden administrator accounts
- Collection of legitimate administrator credentials
- Concealment of the WPCode plugin in the WordPress dashboard
Evasion Tactics
DollyWay employs sophisticated evasion methods:
- Only redirects users after they click on content
- Avoids redirecting logged-in WordPress users
- Skips bots and direct visitors who arrive without a referrer
- Uses multiple infection points to avoid detection
Protection Recommendations
Website administrators should implement these protective measures:
- Maintain current versions of WordPress and all plugins
- Monitor for suspicious administrator accounts
- Conduct regular security scans
- Review website traffic patterns for unusual redirections
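Because DollyWay injects itself into every active plugin and reinfects on each page load, a scheduled file-integrity check of the plugins directory is one concrete form of the "regular security scans" recommended above. The following is an added example, not code from GoDaddy's research or the article; the directory layout and baseline filename are assumptions.

```python
"""Minimal file-integrity baseline for a WordPress plugins directory (added example).
Snapshot the SHA-256 of every PHP file once, then re-run to list files that were
added, modified, or removed since the snapshot. Re-running it frequently (e.g. from
cron) surfaces the recurring reinfection the report describes. Paths are assumed."""
import hashlib
import json
import os
import sys
from pathlib import Path


def hash_tree(root: Path, suffixes=(".php",)) -> dict:
    """Return {relative_path: sha256_hex} for every file under root with a given suffix."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in suffixes:
                digests[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def diff_hashes(old: dict, new: dict) -> dict:
    """Pure comparison of two {path: hash} maps: which files are new, changed, or gone."""
    return {
        "added": sorted(set(new) - set(old)),
        "modified": sorted(p for p in new if p in old and new[p] != old[p]),
        "removed": sorted(set(old) - set(new)),
    }


def save_baseline(root: Path, baseline: Path) -> int:
    """Write the current tree's hashes to baseline; return the number of files recorded."""
    digests = hash_tree(root)
    baseline.write_text(json.dumps(digests, indent=2, sort_keys=True))
    return len(digests)


def diff_against_baseline(root: Path, baseline: Path) -> dict:
    """Compare the live tree with the saved baseline."""
    return diff_hashes(json.loads(baseline.read_text()), hash_tree(root))


if __name__ == "__main__":
    # Assumed layout: run from the WordPress root, baseline kept outside the web root.
    plugins = Path(sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins")
    baseline = Path(sys.argv[2] if len(sys.argv) > 2 else "../plugins-baseline.json")
    if not baseline.exists():
        print(f"baseline written: {save_baseline(plugins, baseline)} files")
    else:
        for kind, paths in diff_against_baseline(plugins, baseline).items():
            for p in paths:
                print(f"{kind}: {p}")
```

Any "modified" or "added" PHP file that does not correspond to a plugin update you performed yourself warrants manual review, and the baseline should be refreshed only after a deliberate update.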
The discovery that previously separate malware campaigns were actually connected to DollyWay highlights the sophisticated nature of this ongoing cyber threat to WordPress installations worldwide.