Antivirus vendor Dr. Web has discovered malware that targets WordPress sites running on Linux. The malware consists of two variants and can carry out attacks using outdated plugins. The first variant, Linux.BackDoor.WordPressExploit.1, targets both 32-bit and 64-bit versions of the open-source operating system.
Linux.BackDoor.WordPressExploit.1 is a backdoor controlled remotely by malicious actors. At their command, it can perform the following actions:
- Attacking a particular web page (website);
- Switch to standby mode;
- Closes itself;
- Interrupting the logging of his actions.
“If sites use outdated versions of such plugins that lack crucial fixes, the targeted Web pages are injected with malicious JavaScripts,” Russian security vendor Doctor Web said in a report published last week. “As a result, when users click on any part of an attacked page, they are redirected to other sites.”
The attacks involve a list of known security vulnerabilities in 19 different plugins and themes installed on a WordPress site.
It is also capable of injecting JavaScript code retrieved from a remote server to redirect site visitors to an attacker’s arbitrary website.
Doctor Web says it has discovered a second version of the backdoor, which uses a new command-and-control (C2) domain, as well as an updated list of flaws that includes 11 additional plugins, bringing the total to 30.
The new list of plugins and themes are below –
Note: no versions are listed. So always make sure you use the latest version of plugins and themes.
- WP Live Chat Support
- Yuzo Related Posts
- Yellow Pencil Visual CSS Style Editor
- Easy WP SMTP
- WP GDPR Compliance
- Newspaper(CVE-2016-10972)
- Thim Core
- Smart Google Code Inserter(discontinued as of January 28, 2022)
- Total Donations
- Post Custom Templates Lite
- WP Quick Booking Manager
- Live Chat with Messenger Customer Chat by Zotabox
- Blog Designer
- WordPress Ultimate FAQ(CVE-2019-17232 and CVE-2019-17233)
- WP-Matomo Integration (WP-Piwik)
- ND Shortcodes
- WP Live Chat
- Coming Soon Page and Maintenance Mode
- Hybrid
- Brizy
- FV Flowplayer Video Player
- WooCommerce
- Coming Soon Page & Maintenance Mode
- Onetone
- Simple Fields
- Delucks SEO
- Poll, Survey, Form & Quiz Maker by OpinionStage
- Social Metrics Tracker
- WPeMatico RSS Feed Fetcher, and
- Rich Reviews
Both variants reportedly include a yet-to-be-implemented method of brute-forcing WordPress administrator accounts, although it is not clear whether this is a holdover from an earlier version or a feature that has yet to see the light of day.
“If such an option is implemented in newer versions of the backdoor, cybercriminals will even be able to successfully attack some of those websites using current plugin versions with patched vulnerabilities,” the company said.
Users of WordPress are advised to continue proper maintenance, core updates including third-party plugins and, of course, themes. It is also advised to use strong and unique logins and passwords to secure accounts.
The revelation comes several weeks after Fortinet FortiGuard Labs disclosed another botnet called GoTrim, which is designed to brute-forced self-hosted websites running the WordPress content management system (CMS) to take control of the targeted systems.
Two months ago, Sucuri found that more than 15,000 WordPress sites had been affected as part of a malicious campaign to redirect visitors to fake Q&A portals. The number of active infections currently stands at 9,314.
Sources:
Read Doctor Web’s English article here
Read more about Linux.BackDoor.WordPressExploit.1 here
Read more about Linux.BackDoor.WordPressExploit.2 here
