Linux backdoor malware infects WordPress-powered websites
Dr.Web has discovered Linux.BackDoor.WordPressExploit.1, a malicious program that compromises websites built on the WordPress CMS. It exploits 30 known vulnerabilities in various WordPress plugins and themes.
The targeted plugins and themes include: WP Live Chat Support Plugin, WordPress – Yuzo Related Posts, Yellow Pencil Visual Theme Customizer Plugin, Easysmtp, WP GDPR Compliance Plugin, Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972), Thim Core, Google Code Inserter, Total Donations Plugin, Post Custom Templates Lite, WP Quick Booking Manager, Facebook Live Chat by Zotabox, Blog Designer WordPress Plugin, WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233), WP-Matomo Integration (WP-Piwik), WordPress ND Shortcodes For Visual Composer, WP Live Chat, Coming Soon Page and Maintenance Mode, Hybrid, Brizy WordPress Plugin, FV Flowplayer Video Player, WooCommerce, WordPress Coming Soon Page, WordPress theme OneTone, Simple Fields WordPress Plugin, WordPress Delucks SEO plugin, Poll, Survey, Form & Quiz Maker by OpinionStage, Social Metrics Tracker, WPeMatico RSS Feed Fetcher, and Rich Reviews.
When a visitor opens a page on a compromised site, they are redirected to another site chosen by the attacker, which may host phishing content, distribute malware, or serve other malicious purposes.
Redirect chains of this kind help phishing, malware-distribution, and malvertising campaigns evade detection and blocking. The operators of the auto-injector may also be selling the resulting traffic to other cybercriminals.
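A site owner who suspects this kind of injection wants a quick way to check whether a page has been tampered with. The following script is an added example written for this article, not code from Dr.Web's report or from the malware: it parses a saved copy of a page, collects every inline script and external script source, and flags inline scripts that assign to a location sink and reference an off-site URL (plain or base64-obfuscated), as well as scripts loaded from hosts other than the site's own. `SITE_HOST` and the sample page are assumptions constructed for the demonstration.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed host of the WordPress site being checked (hypothetical).
SITE_HOST = "example.org"

# Constructed sample page: an ordinary WordPress page with an injected inline
# script at the end of <body> that sends visitors to a base64-obfuscated URL.
# Illustrative only; this is not a sample taken from the Dr.Web report.
SAMPLE_HTML = """<!doctype html>
<html><head><title>Blog</title>
<script src="https://example.org/wp-includes/js/jquery/jquery.min.js"></script>
</head><body>
<p>Welcome to the blog.</p>
<script>
var _0x=["aHR0cHM6Ly9sYW5kaW5nLmV4YW1wbGUubmV0L2dv"];
setTimeout(function(){ window.location.href = atob(_0x[0]); }, 10);
</script>
</body></html>
"""

# JavaScript sinks that navigate the browser away from the current page.
LOCATION_SINK = re.compile(
    r"(?:window|document|top|self|parent)\.location"
    r"(?:\.href|\.replace\s*\(|\.assign\s*\(|\s*=)"
)
# Quoted string literals of at least 8 characters inside a script body.
STRING_LITERAL = re.compile(r"""["']([^"'\\]{8,})["']""")
BASE64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


class ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and external script src URLs."""

    def __init__(self):
        super().__init__()
        self.inline = []      # bodies of inline scripts, in page order
        self.external = []    # src attributes of external scripts
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self.inline.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data


def candidate_urls(script):
    """Yield URLs found in string literals, either plain or base64-encoded."""
    for lit in STRING_LITERAL.findall(script):
        if lit.startswith(("http://", "https://", "//")):
            yield lit
        elif BASE64_CHARS.match(lit):
            try:
                decoded = base64.b64decode(lit, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if decoded.startswith(("http://", "https://")):
                yield decoded


def host_of(url):
    """Hostname of an absolute or protocol-relative URL; '' for relative paths."""
    return urlparse(url if "//" in url else "//" + url).hostname or ""


def find_redirects(html, site_host=SITE_HOST):
    """Return findings for scripts that may send visitors off-site."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for i, script in enumerate(parser.inline):
        if not LOCATION_SINK.search(script):
            continue
        for url in candidate_urls(script):
            if host_of(url) != site_host:
                findings.append({"type": "inline-redirect", "script": i, "url": url})
    for src in parser.external:
        if host_of(src) not in ("", site_host):
            findings.append({"type": "external-script", "url": src})
    return findings


if __name__ == "__main__":
    for finding in find_redirects(SAMPLE_HTML):
        print(finding)
```

Run it against a page fetched with the same User-Agent a browser would send, since injected redirects are often served conditionally; a hit on `inline-redirect` warrants inspecting the theme's `functions.php`, the database `wp_options` and `wp_posts` tables, and any recently modified plugin files for the injected script.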
The Trojan is controlled remotely: its command and control (C&C) server tells it which website to attack. Operators can also switch the malware to standby, shut it down, and stop it from logging its actions.
In its write-up, Dr.Web also noted that each of the analysed variants contains "unimplemented functionality for hacking the administrator accounts of targeted websites using a brute-force attack—by applying known logins and passwords, using special vocabularies." If that feature is completed in a future version, sites could be compromised through weak administrator credentials even when every plugin and theme is fully patched.
To defend against this threat, WordPress administrators should update all installed themes and plugins to the latest available versions, replace any that are no longer maintained with supported alternatives, and, given the dormant brute-force capability, ensure administrator accounts use strong, unique passwords.
The sources for this piece include an article in BleepingComputer.
Watch this news on our Youtube Channel: https://www.youtube.com/watch?v=S-KO8QIcdIk