Linux Malware Spreading Through WordPress Plugins

Installing backdoors within systems has become a prevalent technique among cybercriminals. In fact, such a practice guarantees high success rates as it allows the threat actor to circumvent normal security measures and gain high-level access. The methods vary, and using WordPress Plugins is one of them.

WordPress Plugins Vulnerability

In this particular campaign, threat actors are utilizing over 30 vulnerabilities in different plugins and themes for WordPress.

This malware is very dangerous as it targets 32-bit and 64-bit Linux systems and can obtain command capabilities. What is this attack about? What Plugins are being used? Find out below.

WordPress Plugins – Backdoors to Maliciousness

Vulnerabilities are everywhere. Even the biggest companies in the world can encounter them within their systems. In fact, such flaws and bugs have been exploited in the past to gain access to grand names such as iOS.

Even the old Log4Shell is still in the wind, and cyber criminals are benefiting from it. Now, WordPress is in the mix, as 30 vulnerabilities have been found within over a dozen plugins.

Those who operate websites using WordPress, beware. Once the backdoor takes root, this trojan can take over WordPress sites using a set of hardcoded exploits.

As a result, if a user visits this infected website, any click he/she performs will redirect them to various websites – mainly malicious ones. Here’s what Dr. Web had to say:

Doctor Web has discovered a malicious Linux program that hacks websites based on a WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform.

If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts.

As a result, when users click on any area of an attacked page, they are redirected to other sites.

Malicious Page

The 30 vulnerabilities found by Dr. Web are exploited in the following plugins:

  • WP-Matomo Integration (WP-Piwik)
  • WordPress ND Shortcodes For Visual Composer
  • WP Live Chat
  • WordPress – Yuzo Related Posts
  • Yellow Pencil Visual Theme Customizer Plugin
  • Easysmtp
  • WP GDPR Compliance Plugin
  • Newspaper Theme on WordPress Access Control (CVE-2016-10972)
  • Thim Core
  • Google Code Inserter
  • Total Donations Plugin
  • Hybrid
  • Post Custom Templates Lite
  • WP Quick Booking Manager
  • Faceboor Live Chat by Zotabox
  • Blog Designer WordPress Plugin
  • WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
  • Coming Soon Page and Maintenance Mode
  • WP Live Chat Support Plugin

As we mentioned, cybercriminals can easily exploit these vulnerabilities. The malware fetches malicious JavaScript from its (C2) server and injects the script into the website. As a result, the attacker gains full control.

There’s More?

If the plugins above are not enough, Dr. Web further investigated this payload to find it targeting more WordPress add-ons:

  • Brizy WordPress Plugin
  • FV Flowplayer Video Player
  • WooCommerce
  • WordPress Coming Soon Page
  • WordPress theme OneTone
  • Simple Fields WordPress Plugin
  • WordPress Delucks SEO plugin
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • WPeMatico RSS Feed Fetcher
  • Rich Reviews plugin

Recent studies by Dr. Web show that the Payload is being upgraded regularly. In other words, it’s still active to this moment.

WordPress Plugins – More to Come

When cybercriminals take over websites, they’ll redirect users to various other pages. Unfortunately, this means that there’s more to come in terms of phishing, malware distribution, and malvertising campaigns.

If you’re hosting a website using WordPress, we highly recommend checking if any of the aforementioned plugins are installed. If so, either update them to their latest version or delete them immediately.

Add a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

as-seen-on