Cybersecurity researchers from Defiant recently spotted a new malware strain targeting WordPress by impersonating an optimization plugin.
The goal of the malware, it was said, was to grant the attackers administrative access to the WordPress website.
While cleaning a website over the summer of 2022, the researchers discovered a plugin with a “professional-looking” opening comment about how it’s a caching tool helping reduce the strain on the server and cut down on page loading times. This choice, the researchers further explained, was deliberate, to make sure web admins don’t suspect much on manual inspection. Furthermore, the plugin is set to exclude itself from the list of active plugins, for the same purpose.
Monetizing compromised websites
The malware is capable of doing a number of things, including creating a “superadmin” account with a hard-coded password; detecting bot traffic to serve them spam content (sometimes erroneously, causing a spike in spam reports from genuine users); replacing content on the site and inserting spam links or buttons (to everyone except site admins so that they don’t realize what’s going on); controlling plugins (remotely activating or deactivating plugins, wiping any traces of its existence, etc.); and remotely activating different malicious functions.
“Taken together, these features provide attackers with everything they need to remotely control and monetize a victim site, at the expense of the site’s own SEO rankings and user privacy,” the researchers explained their findings.
Defiant did not name the threat actor currently distributing the malware, nor the estimated number of infected websites. We also don’t know exactly how the malware is being distributed, but the researchers speculate the attackers are either brute-forcing their way into WP websites and installing the plugin, or using login credentials stolen elsewhere, in earlier attacks. Then, there is always the possibility of other vulnerable plugins being abused to gain access.
Via BleepingComputer