New Linux Malware Exploits Backdoors to over 30 Plugins on WordPress sites

The recent emergence of a new Linux malware is cause for alarm among webmasters and website administrators. The unknown malicious code exploits over 30 plugins to gain backdoor access to WordPress sites. According to cyber security experts, this exploit could be used by hackers for malicious activities ranging from data theft and manipulation to distributed denial of service (DDoS) attacks.

The malware is designed with sophisticated evasion capabilities to bypass most anti-malware solutions. It mainly targets WordPress websites that run vulnerable plugins or have not installed the latest patches. This unknown exploit also scans for misconfigured WordPress sites with exposed authentication pages and performs brute-force attacks against them to gain entry into these systems. Once inside, it sets up backdoor access, which remote attackers can exploit at any time.

The targeted plugins and themes are the following:

  • WP Live Chat Support Plugin
  • WP GDPR Compliance Plugin
  • WordPress – Yuzo Related Posts
  • Yellow Pencil Visual Theme Customizer Plugin
  • Hybrid
  • Easysmtp
  • Newspaper Theme on WordPress Access Control (CVE-2016-10972)
  • Thim Core
  • Facebook Live Chat by Zotabox
  • Google Code Inserter
  • Total Donations Plugin
  • Post Custom Templates Lite
  • WP Quick Booking Manager
  • Coming Soon Page and Maintenance Mode
  • Blog Designer WordPress Plugin
  • WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
  • WP-Matomo Integration (WP-Piwik)
  • WordPress ND Shortcodes For Visual Composer
  • WP Live Chat

If the targeted website runs an outdated and vulnerable version of any of the above plugins, the malware automatically fetches malicious JavaScript from its command and control (C2) server and injects the script into the website.

Infected pages act as redirectors to a location of the attacker’s choosing, so the scheme works best on abandoned sites.

These redirections may serve in phishing, malware distribution, and malvertising campaigns to help evade detection and blocking. That said, the operators of the auto-injector might be selling their services to other cybercriminals.

An updated version of the payload also targets the following WordPress add-ons:

  • Brizy WordPress Plugin
  • FV Flowplayer Video Player
  • WooCommerce
  • WordPress Coming Soon Page
  • WordPress theme OneTone
  • Simple Fields WordPress Plugin
  • WordPress Delucks SEO plugin
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • Rich Reviews plugin
  • WPeMatico RSS Feed Fetcher

Defending against this threat requires admins of WordPress websites to update to the latest available version of the themes and plugins running on the site and replace those no longer developed with supported alternatives.
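As a starting point for that update work, the following added example (not code from the original article or from any vendor) inventories a site's `wp-content` directory and lists installed plugins and themes whose header name matches an entry in the two lists above, together with the installed version. It assumes the standard `plugins/` and `themes/` layout and the usual `Plugin Name:` / `Theme Name:` / `Version:` file headers; the name matching is a keyword heuristic, so each hit is a candidate to check against the vendor's latest release, not proof of a vulnerable version.

```python
import re
from pathlib import Path

# Names from the article's two lists (duplicates dropped, shortened), ";"-separated.
TARGETED = """WP Live Chat Support; WP GDPR Compliance; Yuzo Related Posts;
Yellow Pencil Visual Theme Customizer; Hybrid; Easysmtp; Newspaper; Thim Core;
Facebook Live Chat by Zotabox; Google Code Inserter; Total Donations;
Post Custom Templates Lite; WP Quick Booking Manager;
Coming Soon Page and Maintenance Mode; Blog Designer; Ultimate FAQ;
WP-Matomo Integration; WP-Piwik; ND Shortcodes For Visual Composer; WP Live Chat;
Brizy; FV Flowplayer Video Player; WooCommerce; Coming Soon Page; OneTone;
Simple Fields; Delucks SEO; Poll, Survey, Form & Quiz Maker by OpinionStage;
Social Metrics Tracker; Rich Reviews; WPeMatico RSS Feed Fetcher"""
GENERIC = {"wp", "wordpress", "plugin", "theme", "by", "and", "for", "the"}
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Theme Name|Version):(.*)$", re.M | re.I)

def tokens(name):
    """Lower-case keyword set of a name, with generic words removed."""
    return frozenset(re.findall(r"[a-z0-9]+", name.lower())) - GENERIC

WATCH = {tokens(n): n.strip() for n in TARGETED.replace("\n", " ").split(";")}

def read_header(path):
    """Return (name, version) from a WordPress plugin/theme file header, or None."""
    head = path.read_bytes()[:8192].decode("utf-8", "replace")
    # reversed() so the first occurrence of each field wins
    fields = {k.lower(): v.strip() for k, v in reversed(HEADER.findall(head))}
    name = fields.get("plugin name") or fields.get("theme name")
    return (name, fields.get("version", "unknown")) if name else None

def audit(wp_content):
    """List (path, name, version, matched entry) for installed items on the watch list."""
    root, hits = Path(wp_content), []
    files = [*root.glob("plugins/*.php"), *root.glob("plugins/*/*.php"),
             *root.glob("themes/*/style.css")]
    for f in sorted(files):
        hdr = read_header(f)
        if not hdr:
            continue
        for want, label in WATCH.items():
            if want and want <= tokens(hdr[0]):  # every watch keyword is in the name
                hits.append((str(f.relative_to(root)), hdr[0], hdr[1], label))
                break
    return hits

if __name__ == "__main__":
    import sys
    for hit in audit(sys.argv[1] if len(sys.argv) > 1 else "wp-content"):
        print("%s: %s %s (matches '%s')" % hit)
```

Run it with the path to `wp-content` as the only argument. Broad entries such as WooCommerce or Hybrid will also flag extensions and themes that merely contain the keyword.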

Using strong passwords and activating the two-factor authentication mechanism should ensure protection against brute-force attacks.
