New Linux malware found targeting WordPress sites
>
A new malware variant has been spotted targeting WordPress websites with vulnerable add-ons installed.
The malware (opens in new tab) allows threat actors to redirect the visitors to a website of their choice when they click anywhere on the site.
The malware, discovered by Dr.Web researchers, is called Linux.BackDoor.WordPressExploit.1 and is described as a Trojan targeting 32-bit versions of Linux, which can also run on 64-bit versions.
More versions
The Trojan works by injecting malicious JavaScript into vulnerable websites. It does this by exploiting known vulnerabilities in a number of flawed add-ons, such as WP Live Chat Support Plugin, WP Live Chat, Google Code Inserter, and WP Quick Booking Manager.
The researchers suspect the malware could have been active for up to three years, selling traffic or engaging in arbitrage.
“The injection is done in such a way that when the infected page loads, this JavaScript is launched first – regardless of the original content of the page,” the researchers said.
An updated version was also later discovered that not only had a different command & control server (C2), but also exploited bugs in additional add-ons, such as Brizy WordPress Plugin, FV Flowplayer Video Player, and WordPress Coming Soon Page.
The report also stated that both versions included additional features that are still not enabled, including one that allowed malicious parties to attack administrative accounts via brute-force attacks. Therefore, it is very likely that the attackers intended to launch additional versions of the Trojan and additional features.
“If such an option is implemented in newer versions of the backdoor, cybercriminals will be able to successfully attack even some of those websites that use the current plugin versions with patched vulnerabilities,” the report adds.
To keep their websites secure, webmasters need to make sure their WordPress platform and installed add-ons are up to date. They should also keep an eye on the news about the installed updates, especially those that are free to download.
Through: Information security magazine (opens in new tab)