New Linux Malware Exploits over 30 Plugins to Backdoor WordPress Sites

A newly identified Linux malware family should concern anyone who administers a WordPress site. The malicious code exploits known vulnerabilities in more than 30 plugins and themes to gain backdoor access to WordPress installations. According to security researchers, that access could be used for anything from data theft and content manipulation to enlisting the site in distributed denial-of-service (DDoS) attacks.

The malware is designed to evade most anti-malware solutions. It targets WordPress sites that run vulnerable or unpatched versions of the plugins and themes listed below. It also looks for misconfigured sites with exposed login pages and attempts brute-force attacks against them. Once it has a foothold, it installs a backdoor that its operators can use at any time.

The targeted plugins and themes are the following:

  • WP Live Chat Support Plugin
  • WP GDPR Compliance Plugin
  • WordPress – Yuzo Related Posts
  • Yellow Pencil Visual Theme Customizer Plugin
  • Hybrid
  • Easysmtp
  • Newspaper Theme on WordPress Access Control (CVE-2016-10972)
  • Thim Core
  • Facebook Live Chat by Zotabox
  • Google Code Inserter
  • Total Donations Plugin
  • Post Custom Templates Lite
  • WP Quick Booking Manager
  • Coming Soon Page and Maintenance Mode
  • Blog Designer WordPress Plugin
  • WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
  • WP-Matomo Integration (WP-Piwik)
  • WordPress ND Shortcodes For Visual Composer
  • WP Live Chat

If the targeted website runs an outdated, vulnerable version of any of the plugins above, the malware fetches malicious JavaScript from its command-and-control (C2) server and injects the script into the site's pages.

Infected pages then act as redirectors to a location of the attacker's choosing, so the scheme works best on abandoned sites, where nobody is watching for the change.

Redirecting through compromised legitimate sites serves phishing, malware-distribution, and malvertising campaigns, because the intermediate domains are harder to detect and block than the attacker's own infrastructure. The operators of the auto-injector may also be selling this redirection capacity to other cybercriminals.
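One way to look for this kind of injection from the defender's side is to parse the rendered pages and flag every <script> that either loads from a host the site does not normally use or contains an inline redirect. The following is an added example written for this article, not code from the original post or from the malware researchers; the allow-listed hosts, the sample page and the `.invalid` hostnames in it are constructed placeholders, and the redirect/obfuscation patterns are generic indicators rather than signatures of this specific malware.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site is expected to load scripts from. Assumed for the example;
# a real deployment derives this from the theme and the plugins in use.
ALLOWED_SCRIPT_HOSTS = {"cdnjs.cloudflare.com", "ajax.googleapis.com"}

# Inline-script indicators of an injected redirector: writes to the location
# object, or the eval/unescape/fromCharCode wrappers commonly used to hide them.
REDIRECT_RE = re.compile(
    r"(?:window|document|top)\.location(?:\.href)?\s*=|location\.replace\s*\(",
    re.IGNORECASE,
)
OBFUSCATION_RE = re.compile(
    r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|\batob\s*\(", re.IGNORECASE
)


class ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external src URLs and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (reason, evidence) pairs for scripts that look injected.

    Relative and same-origin src values (no hostname) are treated as the
    site's own assets; anything else must be on the allow-list.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src.strip()).hostname  # handles http:, https: and //host
        if host and host.lower() not in allowed_hosts:
            findings.append(("external script from unlisted host", src))
    for body in parser.inline:
        if REDIRECT_RE.search(body):
            findings.append(("inline redirect", body.strip()[:80]))
        elif OBFUSCATION_RE.search(body):
            findings.append(("obfuscated inline script", body.strip()[:80]))
    return findings


# Constructed sample page: one site-local script, one allow-listed CDN script,
# one injected loader from an unknown host, and one inline redirector.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="//injected-loader.invalid/stat.js"></script>
</head><body>
<p>Welcome to the site</p>
<script>if(!document.cookie.match('visited')){window.location.href='https://landing.invalid/?r=1';}</script>
</body></html>"""

if __name__ == "__main__":
    for reason, evidence in find_suspicious_scripts(SAMPLE_PAGE):
        print(f"[{reason}] {evidence}")
```

Run it against pages fetched with a browser-like User-Agent and also against the raw post content in the database: injectors sometimes write the script into wp_posts or wp_options rather than into theme files, and a file-integrity check alone would miss that.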

An updated version of the payload also targets the following WordPress add-ons:

  • Brizy WordPress Plugin
  • FV Flowplayer Video Player
  • WooCommerce
  • WordPress Coming Soon Page
  • WordPress theme OneTone
  • Simple Fields WordPress Plugin
  • WordPress Delucks SEO plugin
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • Rich Reviews plugin
  • WPeMatico RSS Feed Fetcher

Defending against this threat requires WordPress administrators to update every theme and plugin on the site to its latest available version and to replace any that are no longer maintained with supported alternatives.

Strong, unique passwords and two-factor authentication on every administrator account also blunt the brute-force component of the attack.
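The first step of that advice is knowing which of the targeted plugins are installed at all. The script below is an added example for this article, not code from the original post: it reads the standard WordPress plugin header (Plugin Name and Version in the first 8 KiB of each plugin's main PHP file) from a wp-content/plugins tree and reports any plugin whose name loosely matches the two lists above. The sample plugin tree it builds is constructed for the demonstration, theme entries (Hybrid, Newspaper, OneTone) are omitted because themes live under wp-content/themes, and the name matching is deliberately loose, so every hit still needs a human to confirm it and compare the reported version with the current release.

```python
import re
import tempfile
from pathlib import Path

# Plugins named in the article's two target lists (theme entries left out).
TARGETED_PLUGINS = [
    "WP Live Chat Support", "WP Live Chat", "WP GDPR Compliance",
    "Yuzo Related Posts", "Yellow Pencil Visual Theme Customizer", "Easysmtp",
    "Thim Core", "Facebook Live Chat by Zotabox", "Google Code Inserter",
    "Total Donations", "Post Custom Templates Lite", "WP Quick Booking Manager",
    "Coming Soon Page and Maintenance Mode", "Blog Designer", "Ultimate FAQ",
    "WP-Matomo Integration", "ND Shortcodes For Visual Composer", "Brizy",
    "FV Flowplayer Video Player", "WooCommerce", "WordPress Coming Soon Page",
    "Simple Fields", "Delucks SEO", "Poll, Survey, Form & Quiz Maker by OpinionStage",
    "Social Metrics Tracker", "Rich Reviews", "WPeMatico RSS Feed Fetcher",
]

# WordPress reads the header from the first 8 KiB of the main file; each field
# is "Name: value" on its own line inside the opening comment block.
HEADER_RE = re.compile(r"^[\s/*#]*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def normalise(name):
    """Lower-case and collapse punctuation so header names match list entries."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()


def parse_plugin_header(php_path):
    """Return {'Plugin Name': ..., 'Version': ...}, or None if not a main plugin file."""
    head = php_path.read_bytes()[:8192].decode("utf-8", errors="replace")
    fields = dict(HEADER_RE.findall(head))
    return fields if "Plugin Name" in fields else None


def inventory_plugins(plugins_dir):
    """Yield (slug, name, version) for each plugin folder under wp-content/plugins."""
    for slug_dir in sorted(Path(plugins_dir).iterdir()):
        if not slug_dir.is_dir():
            continue
        for php in sorted(slug_dir.glob("*.php")):
            header = parse_plugin_header(php)
            if header:
                yield slug_dir.name, header["Plugin Name"], header.get("Version", "unknown")
                break  # one header per plugin folder


def flag_targeted(plugins_dir, targeted=TARGETED_PLUGINS):
    """Return installed plugins whose name loosely matches a targeted plugin.

    Matching is substring-based in both directions after normalisation, so
    it errs towards false positives; review every hit by hand.
    """
    targets = [normalise(t) for t in targeted]
    hits = []
    for slug, name, version in inventory_plugins(plugins_dir):
        n = normalise(name)
        if any(t in n or n in t for t in targets):
            hits.append((slug, name, version))
    return hits


def build_sample_plugins_dir():
    """Constructed plugins tree: one targeted plugin and one unrelated one."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    (root / "wp-live-chat-support").mkdir()
    (root / "wp-live-chat-support" / "wp-live-chat-support.php").write_text(
        "<?php\n/**\n * Plugin Name: WP Live Chat Support\n * Version: 8.0.26\n */\n"
    )
    (root / "akismet").mkdir()
    (root / "akismet" / "akismet.php").write_text(
        "<?php\n/*\nPlugin Name: Akismet Anti-Spam\nVersion: 5.0\n*/\n"
    )
    return root


if __name__ == "__main__":
    for slug, name, version in flag_targeted(build_sample_plugins_dir()):
        print(f"{slug}: {name} {version} is on the targeted list; check for an update")
```

Point `flag_targeted` at the real wp-content/plugins directory to run it on a live site. The version it prints is only the installed version; the page does not list fixed versions, so compare each hit against the plugin's current release on its own project page before deciding whether to update or remove it.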

Copyright © 2024 All Rights Reserved to Bright Plugins