- Researchers at Dr. Web announced that they have discovered a trojan that exploits outdated WordPress plugins and themes.
- The malware gets malicious JavaScript from a command and control server and injects the script into the website.
- Dr. Web found two versions of the trojan, which has probably been used by hackers for the last three years.
Antivirus vendor Dr. Web published a new report on a new Linux malware that uses vulnerabilities in outdated WordPress plugins and themes to inject malicious JavaScript. The malware targets Linux systems and gives its operator remote command capabilities. In total, it exploits 30 vulnerabilities in those plugins and themes.
Linux.BackDoor.WordPressExploit.1
Dr. Web has named the malware Linux.BackDoor.WordPressExploit.1 in accordance with its antivirus classification. According to the report, upon the operator's command, it can:
- Attack a specified webpage (website)
- Switch to standby mode
- Shut itself down
- Pause logging its actions
Experts also claimed that cybercriminals have been using it for more than three years to carry out attacks and monetize the resale of traffic (arbitrage). First, the trojan contacts the C&C server to receive the address of the site to infect. Then it tries to exploit vulnerabilities in the following outdated plugins and themes that may be installed on the website:
- WP Live Chat Support Plugin
- WordPress – Yuzo Related Posts
- Yellow Pencil Visual Theme Customizer Plugin
- Easysmtp
- WP GDPR Compliance Plugin
- Newspaper Theme on WordPress Access Control
- Thim Core
- Google Code Inserter
- Total Donations Plugin
- Post Custom Templates Lite
- WP Quick Booking Manager
- Facebook Live Chat by Zotabox
- Blog Designer WordPress Plugin
- WordPress Ultimate FAQ
- WP-Matomo Integration
- WordPress ND Shortcodes For Visual Composer
- WP Live Chat
- Coming Soon Page and Maintenance Mode
- Hybrid
Once it exploits one of the vulnerabilities in these plugins and themes, it injects the page with malicious JavaScript downloaded from a remote server. When the page is loaded, this JavaScript is executed first, and whenever a user clicks anywhere on the infected page, they are redirected to a website chosen by the attacker. The trojan also collects statistics and tracks the overall number of websites attacked.
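As an added defender-side illustration (not code from the Dr. Web report), this Python script scans a rendered WordPress page for the two traits described above: script tags loading from hosts outside a site-specific allowlist, and inline scripts that hook every click and navigate elsewhere. The allowlist, the sample page and the `.invalid` hostnames are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from (site-specific allowlist).
ALLOWED_HOSTS = {"example-blog.test", "cdn.example-blog.test"}
# A document-wide click handler plus a navigation call is the shape of the "redirect on any click" injection.
CLICK_HOOK = re.compile(r"(document|window|body)\s*\.\s*(addEventListener\s*\(\s*['\"]click['\"]|onclick)", re.I)
NAVIGATE = re.compile(r"location\s*(\.href)?\s*=[^=]|location\.(replace|assign)\s*\(|window\.open\s*\(", re.I)

class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies in document order."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # list while inside an inline <script>, else None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def find_suspicious_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (reason, detail) findings: off-allowlist external scripts, click-redirect inline code."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        # Scheme-relative "//host/x.js" needs a scheme before urlparse yields a netloc; a bare path has none (same origin).
        host = urlparse("https:" + src if src.startswith("//") else src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(("external-script", host))
    for body in p.inline:
        if CLICK_HOOK.search(body) and NAVIGATE.search(body):
            findings.append(("click-redirect", body.strip()[:60]))
    return findings

# Constructed sample page: a legitimate CDN script, an injected loader, an inline click hijack.
SAMPLE_PAGE = """<html><head><script src="//cdn.example-blog.test/jquery.min.js"></script>
<script src="https://stats.injected-example.invalid/loader.js"></script>
<script>document.addEventListener('click', function () { window.location = 'https://landing.injected-example.invalid/'; });</script>
</head><body><script src="/wp-content/themes/x/app.js"></script></body></html>"""
```

Run against a saved copy of a live page; a hit on either finding is a prompt to diff the theme and plugin files against clean copies.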
Dr. Web researchers also found an updated version of the trojan and named it Linux.BackDoor.WordPressExploit.2. The differences between the two versions are the C&C server address, the domain from which the malicious JavaScript is downloaded, and an additional list of exploited vulnerabilities in the following plugins:
- Brizy WordPress Plugin
- FV Flowplayer Video Player
- WooCommerce
- WordPress Coming Soon Page
- WordPress theme OneTone
- Simple Fields WordPress Plugin
- WordPress Delucks SEO plugin
- Poll, Survey, Form & Quiz Maker by OpinionStage
- Social Metrics Tracker
- WPeMatico RSS Feed Fetcher
- Rich Reviews plugin
Dr. Web said,
« With that, both trojan variants have been found to contain unimplemented functionality for hacking the administrator accounts of targeted websites through a brute-force attack, by applying known logins and passwords, using special vocabularies. It is possible that this functionality was present in earlier modifications, or, conversely, that attackers plan to use it for future versions of this malware. If such an option is implemented in newer versions of the backdoor, cybercriminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities.
Doctor Web recommends that owners of WordPress-based websites keep all the components of the platform up-to-date, including third-party add-ons and themes, and also use strong and unique logins and passwords for their accounts. »