Jump to content
  • New Linux malware uses 30 plugin exploits to backdoor WordPress sites

    alf9872000

    • 398 views
    • 3 minutes
     Share


    • 398 views
    • 3 minutes

    A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript.

     

    According to a report by antivirus vendor Dr. Web, the malware targets both 32-bit and 64-bit Linux systems, giving its operator remote command capabilities.

     

    The main functionality of the trojan is to hack WordPress sites using a set of hardcoded exploits that are run successively, until one of them works.

     

    The targeted plugins and themes are the following:

     

    • WP Live Chat Support Plugin
    • WordPress – Yuzo Related Posts
    • Yellow Pencil Visual Theme Customizer Plugin
    • Easysmtp
    • WP GDPR Compliance Plugin
    • Newspaper Theme on WordPress Access Control (CVE-2016-10972)
    • Thim Core
    • Google Code Inserter
    • Total Donations Plugin
    • Post Custom Templates Lite
    • WP Quick Booking Manager
    • Faceboor Live Chat by Zotabox
    • Blog Designer WordPress Plugin
    • WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
    • WP-Matomo Integration (WP-Piwik)
    • WordPress ND Shortcodes For Visual Composer
    • WP Live Chat
    • Coming Soon Page and Maintenance Mode
    • Hybrid

     

    If the targeted website runs an outdated and vulnerable version of any of the above, the malware automatically fetches malicious JavaScript from its command and control (C2) server, and injects the script into the website site.

     

    website.png

    Injected redirection code (Dr. Web)

     

    Infected pages act as redirectors to a location of the attacker's choosing, so the scheme works best on abandoned sites.

     

    These redirections may serve in phishing, malware distribution, and malvertising campaigns to help evade detection and blocking. That said, the operators of the auto-injector might be selling their services to other cybercriminals.

     

    An updated version of the payload that Dr. Web observed in the wild also targets the following WordPress add-ons:

     

    • Brizy WordPress Plugin
    • FV Flowplayer Video Player
    • WooCommerce
    • WordPress Coming Soon Page
    • WordPress theme OneTone
    • Simple Fields WordPress Plugin
    • WordPress Delucks SEO plugin
    • Poll, Survey, Form & Quiz Maker by OpinionStage
    • Social Metrics Tracker
    • WPeMatico RSS Feed Fetcher
    • Rich Reviews plugin

     

    The new add-ons targeted by the new variant indicate that the development of the backdoor is active at the moment.

     

    Dr. Web also mentions that both variants contain functionality that is currently inactive, which would allow brute-forcing attacks against website administrator accounts.

     

    Defending against this threat requires admins of WordPress websites to update to the latest available version the themes and plugins running on the site and replace those that are no longer developed with alternatives that being supported.

     

    Using strong passwords and activating the two-factor authentication mechanism should ensure protection against brute-force attacks.

     


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...