
Understanding the 'DollyWay' Malware Campaign: A Persistent Cyber Threat
The ‘DollyWay’ malware campaign has been a formidable force in the cybersecurity landscape since its inception in 2016. Initially identified as “Master134” by CheckPoint researchers in 2018, this campaign has evolved into a sophisticated operation targeting WordPress sites. By leveraging a distributed network of Command and Control (C2) and Traffic Distribution System (TDS) nodes, ‘DollyWay’ redirects unsuspecting visitors to malicious links, monetizing traffic through ad networks like AdsTerra and PropellerAds. The campaign’s ability to adapt and incorporate advanced techniques such as obfuscation and cryptographic verification underscores its complexity and the ongoing challenge it poses to cybersecurity professionals (GoDaddy).
Historical Context of the ‘DollyWay’ Malware Campaign
Origins and Early Development
The ‘DollyWay’ malware campaign traces its origins back to 2016, initially identified under the moniker “Master134” by CheckPoint researchers in 2018. This campaign has evolved significantly over the years, demonstrating increasing sophistication and complexity in its operations. The early iterations of the campaign primarily focused on compromising WordPress sites, leveraging a distributed network of Command and Control (C2) and Traffic Distribution System (TDS) nodes. These nodes were hosted on compromised sites, facilitating the redirection of site visitors to malicious links such as VexTrio and LosPollos. The campaign’s initial focus was on monetizing traffic through ad networks like AdsTerra and PropellerAds (GoDaddy).
Evolution and Sophistication
Over the years, the ‘DollyWay’ campaign has undergone several transformations, with each iteration introducing new techniques and strategies to evade detection and maintain persistence. The latest variant of the malware employs multiple layers of obfuscation and cryptographic verification of malicious payloads, making it increasingly difficult for security researchers to detect and mitigate its effects. The campaign has also incorporated automatic reinfection mechanisms, ensuring that compromised sites remain under the control of the threat actors (GoDaddy).
Infrastructure and Techniques
The infrastructure supporting the ‘DollyWay’ campaign is both robust and adaptable, allowing the threat actors to maintain control over a large number of compromised sites. The campaign utilizes a network of C2 and TDS nodes to manage and distribute its malicious payloads. These nodes are strategically placed on compromised WordPress sites, which serve as the backbone of the operation. The malware’s ability to remove competing malware and update WordPress installations further highlights its sophistication and the threat actors’ commitment to maintaining control over their compromised assets (GoDaddy).
Indicators of Compromise
Identifying the presence of ‘DollyWay’ malware on a compromised site can be challenging due to its use of obfuscation and cryptographic techniques. However, there are several indicators of compromise that can aid in its detection. One such indicator is the presence of the tell-tale string define('DOLLY_WAY', 'World Domination'); in the malware’s code. Additionally, the malware’s file operations, which occur during every page load, can serve as a red flag for security researchers. Monitoring file creation and deletion events, as well as the names of temporary files used by the malware, can provide valuable insights into its presence on a site (GoDaddy).
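The two indicators above (the tell-tale define() string and transient file activity during page loads) can be turned into a simple defender-side check. The script below is an added example, not code from the original article or from GoDaddy Security: it walks a WordPress-style directory tree looking for the marker string, and it snapshots the tree before and after a simulated page load so that files created or deleted in between stand out. The sample tree, the file names in it and the simulate_page_load() helper are constructed for the demonstration and are not real DollyWay artefacts. The marker regex is written loosely (any quote style, optional whitespace) so that trivial reformatting of the define() call still matches; a copy hidden behind the obfuscation layers the text describes will not match a static string scan, which is exactly why the file-activity snapshot is the complementary check.

```python
import re
import tempfile
from pathlib import Path

# Loose regex form of the tell-tale marker quoted in the text.
# Tolerates either quote style and arbitrary whitespace around the arguments.
DOLLYWAY_MARKER = re.compile(
    r"""define\s*\(\s*['"]DOLLY_WAY['"]\s*,\s*['"]World Domination['"]\s*\)""",
    re.IGNORECASE,
)

PHP_SUFFIXES = (".php", ".inc", ".phtml")


def scan_for_marker(root):
    """Return POSIX-style relative paths of PHP files under root containing the marker."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if DOLLYWAY_MARKER.search(text):
            hits.append(path.relative_to(root).as_posix())
    return hits


def snapshot(root):
    """Map relative path -> (size, mtime_ns) for every regular file under root."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            st = path.stat()
            state[path.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns)
    return state


def diff_snapshots(before, after):
    """Files that appeared, disappeared, or changed between two snapshots."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"created": created, "deleted": deleted, "modified": modified}


def build_sample_tree():
    """Constructed sample tree (hypothetical file names, not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="dollyway-demo-"))
    plugin = root / "wp-content" / "plugins" / "clean"
    plugin.mkdir(parents=True)
    (plugin / "clean.php").write_text("<?php\n// benign plugin\necho 'hello';\n")
    (plugin / "readme.txt").write_text("A harmless readme.\n")
    (root / "wp-content" / "uploads").mkdir()
    (root / "wp-includes").mkdir()
    # Constructed sample carrying the marker, with odd spacing and mixed quotes.
    (root / "wp-includes" / "suspicious.php").write_text(
        "<?php\n/* constructed sample, not real malware */\n"
        "define( \"DOLLY_WAY\" , 'World Domination' );\n"
    )
    return root


def simulate_page_load(root):
    """Hypothetical stand-in for per-request file churn: create one temp file, delete one file."""
    root = Path(root)
    (root / "wp-content" / "uploads" / "tmp_sample.tmp").write_text("transient\n")
    (root / "wp-content" / "plugins" / "clean" / "readme.txt").unlink()


if __name__ == "__main__":
    site = build_sample_tree()
    print("marker hits:", scan_for_marker(site))
    before = snapshot(site)
    simulate_page_load(site)
    print("file activity:", diff_snapshots(before, snapshot(site)))
```

On a real site, point scan_for_marker() at the document root and take the two snapshots around a single request to the front page; the names that show up in the created and deleted lists are the temporary files the text says are worth monitoring.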
Campaign Impact and Global Reach
The ‘DollyWay’ malware campaign has had a significant impact on the global cybersecurity landscape, compromising over 20,000 websites worldwide since its inception. The campaign’s ability to adapt and evolve over time has allowed it to remain a persistent threat, with its operators continuously refining their techniques to evade detection and maintain control over compromised sites. The campaign’s global reach and the sophistication of its operations underscore the importance of ongoing vigilance and collaboration among security researchers to combat such threats (GoDaddy).
Related Campaigns and Connections
Master134 and Subsequent Variants
The ‘DollyWay’ campaign’s origins as “Master134” highlight its long-running nature and the continuous evolution of its tactics and techniques. This initial campaign laid the groundwork for subsequent variants, which have introduced new capabilities and expanded the campaign’s reach. The transition from “Master134” to the current ‘DollyWay’ variant demonstrates the threat actors’ ability to adapt to changing security landscapes and incorporate new technologies into their operations (GoDaddy).
Connections to Other Malware Campaigns
Research conducted by GoDaddy Security has uncovered evidence linking the ‘DollyWay’ campaign to other malware operations previously thought to be separate. These connections are based on shared infrastructure, code patterns, and monetization methods, suggesting that a single sophisticated threat actor may be behind multiple campaigns. This revelation highlights the complexity of the threat landscape and the need for comprehensive threat intelligence to identify and mitigate interconnected threats (GoDaddy).
Monetization Strategies
The ‘DollyWay’ campaign’s monetization strategies have evolved alongside its technical capabilities. Initially focused on redirecting traffic to ad networks, the campaign has since expanded its scope to include tech support scams and binary fake browser updates. These diverse monetization methods reflect the threat actors’ adaptability and their ability to exploit different revenue streams to sustain their operations. The campaign’s use of cryptographically signed data transfers further complicates efforts to disrupt its monetization activities (GoDaddy).
Technical Analysis and Detection
Conducting a technical analysis of the ‘DollyWay’ malware is crucial for understanding its behavior and identifying effective mitigation strategies. The malware’s use of obfuscation and cryptographic techniques presents significant challenges for security researchers, necessitating advanced detection methods and tools. By analyzing the malware’s code and behavior, researchers can develop indicators of compromise and detection signatures to identify and neutralize the threat. This ongoing analysis is essential for staying ahead of the threat actors and protecting vulnerable systems from compromise (GoDaddy).
Future Directions and Challenges
As the ‘DollyWay’ campaign continues to evolve, it presents ongoing challenges for cybersecurity professionals and organizations worldwide. The campaign’s sophistication and adaptability require a proactive approach to threat detection and mitigation, with a focus on collaboration and information sharing among security researchers. Future efforts to combat the ‘DollyWay’ campaign will need to address its technical complexity and global reach, leveraging advanced technologies and threat intelligence to stay ahead of the threat actors and protect vulnerable systems from compromise (GoDaddy).
Final Thoughts
The ‘DollyWay’ malware campaign exemplifies the dynamic and evolving nature of cyber threats. Its ability to adapt and persist over time highlights the importance of continuous vigilance and collaboration among cybersecurity professionals. As the campaign continues to evolve, leveraging advanced technologies and threat intelligence will be crucial in combating its impact. The global reach and sophistication of ‘DollyWay’ underscore the need for a proactive approach to threat detection and mitigation, ensuring that vulnerable systems are protected from compromise (GoDaddy).
References
- GoDaddy. (n.d.). DollyWay World Domination. Retrieved from https://www.godaddy.com/resources/news/dollyway-world-domination