The recent emergence of a new Linux malware is cause for alarm among webmasters and website administrators. The unknown malicious code exploits over 30 plugins to gain backdoor access to WordPress sites. According to cyber security experts, this exploit could be used by hackers for malicious activities ranging from data theft and manipulation to distributed denial of service (DDoS) attacks.
The malware is designed with sophisticated evasion capabilities to bypass most anti-malware solutions. It mainly targets WordPress websites running vulnerable plugins or those not installing the latest patches. This unknown exploit also scans for misconfigured WordPress sites with exposed authentication pages and performs brute-force attacks against them to gain entry into these systems. Once inside, it proceeds to set up backdoor access, which remote attackers can exploit at any time.
The targeted plugins and themes are the following:
Suppose the targeted website runs an outdated and vulnerable version of any of the above plugins. In that case, the malware automatically fetches malicious JavaScript from its command and control (C2) server and injects the script into the website site.
Infected pages act as redirectors to a location of the attacker’s choosing, so the scheme works best on abandoned sites.
These redirections may serve in phishing, malware distribution, and malvertising campaigns to help evade detection and blocking. That said, the operators of the auto-injector might be selling their services to other cybercriminals.
An updated version of the payload also targets the following WordPress add-ons:
Defending against this threat requires admins of WordPress websites to update to the latest available version of the themes and plugins running on the site and replace those no longer developed with supported alternatives.
Using strong passwords and activating the two-factor authentication mechanism should ensure protection against brute-force attacks.
