Jump to content
  • New WordPress backdoor creates rogue admin to hijack websites


    Karlston

    • 1 comment
    • 688 views
    • 3 minutes
     Share


    • 1 comment
    • 688 views
    • 3 minutes

    A new malware has been posing as a legitimate caching plugin to target WordPress sites, allowing threat actors to create an administrator account and control the site's activity.

     

    The malware is a backdoor with a variety of functions that let it manage plugins and hide itself from active ones on the compromised websites, replace content, or redirect certain users to malicious locations.

    Fake plugin details

    Analysts at Defiant, the makers of the Wordfence security plugin for WordPress, discovered the new malware in July while cleaning a website.

     

    Taking a closer look at the backdoor, the researchers noticed that it came "with a professional looking opening comment" to disguise as a caching tool, which typically helps reduce server strain and improve page load times.

     

    The decision to mimic such a tool appears deliberate, ensuring it goes unnoticed during manual inspections. Also, the malicious plugin is set to exclude itself from the list of “active plugins” as a means to evade scrutiny.

     

    The malware features the following capabilities:

     

    • User creation – A function creates a user named ‘superadmin’ with a hard-coded password and admin-level permissions, while a second function can remove that user to wipe the trace of the infection

     

    user-create.png

    Creating a rogue admin user on the site (Wordfence)

     

    • Bot detection – When visitors were identified as bots (e.g. search engine crawlers), the malware would serve them different content, such as spam, causing them to index the compromised site for malicious content. As such, admins could see a sudden increase in traffic or reports from users complaining about being redirected to malicious locations.
    • Content replacement – The malware can alter posts and page content and insert spam links or buttons. Website admins are served unmodified content to delay the realization of the compromise.
    • Plugin control – The malware operators can remotely activate or deactivate arbitrary WordPress plugins on the compromised site. It also cleans up its traces from the site’s database, so this activity remains hidden.

     

    plugin-control.png

    Controlling plugin activation/deactivation (Wordfence)

     

    • Remote invocation – The backdoor checks for specific user agent strings, allowing the attackers to remotely activate various malicious functions.

     

    "Taken together, these features provide attackers with everything they need to remotely control and monetize a victim site, at the expense of the site’s own SEO rankings and user privacy," the researchers say in a report.

     

    At the moment, Defiant does not provide any details about the number of websites compromised with the new malware and its researchers have yet to determine the initial access vector.

     

    Typical methods for compromising a website include stolen credentials, brute-forcing passwords, or exploiting a vulnerability in an existing plugin or theme.

     

    Defiant has released a detection signature for its users of the free version of Wordfence and added a firewall rule to protect Premium, Care, and Response users from the backdoor.

     

    Hence, website owners should use strong and unique credentials for admin accounts, keep their plugins up to date, and remove unused add-ons and users.

     

    Source


    User Feedback

    Recommended Comments

    It cannot be ruled out that something in this story is also true, but at the same time, all the given connections point to skillful advertising. Personally, I believe the latter much more than that it is a real problem.


    Although there have always been problems with WordPress, and there are likely to be many of them today. I will not disclose the reason, why it is so, but it is not difficult to guess, why it's so, who knows and understands how WordPress things works.


    Anyway, the places, where you want to ensure security, is not the place to use things like WordPress or its derivatives...

    Link to comment
    Share on other sites




    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...