Saturday, July 27, 2024

WORDPRESS SITES WITH OUTDATED, VULNERABLE THEMES AND PLUGINS TARGETED BY BACKDOOR MALWARE

A newly discovered malicious Linux program is targeting hundreds of WordPress sites running outdated and vulnerable plugins and themes. The malware targets 32-bit versions of Linux but can also run on 64-bit versions. It was observed exploiting 30 theme and plugin vulnerabilities to inject malicious JavaScript into the target website, redirecting visitors to websites of the attacker's choosing.

There are two versions of the malware:

  • BackDoor.WordPressExploit.1
  • BackDoor.WordPressExploit.2

The first version tries to exploit vulnerabilities in popular plugins like WP GDPR Compliance, Easysmtp, WP Live Chat, and a dozen other free and commercial extensions. Some of these plugins have been observed to have, and are known for, frequent vulnerabilities. One of these plugins was closed due to guideline violations, but it is now suspected that it may still be active on some sites. An updated second version uses a different server address for distributing the malicious JavaScript and adds a list of exploited vulnerabilities in a few more widely used plugins, including WooCommerce, Brizy Page Builder, FV Flowplayer Video Player, and more.

Security researchers at Doctor Web, a security company focused on threat detection and prevention, state that analysis of the application revealed that “it could be the malicious tool that cybercriminals have been using for more than three years to carry out such attacks and monetize the resale of traffic, or arbitrage.” During this time, the tool has been updated to target more exploitable vulnerabilities.

“If one or more vulnerabilities are successfully exploited, the targeted page is injected with a malicious JavaScript that is downloaded from a remote server,” the Dr Web writeup explained. “With that, the injection is done in such a way that when the infected page is loaded, this JavaScript will be initiated first — regardless of the original contents of the page. When users click anywhere on the infected page, they will be transferred to the website the attackers need users to go to.” They said the malware may have been in use for three years.
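As an added illustration of the injection pattern the writeup describes (this is example code, not from the article or from Doctor Web), the following Python heuristic scans a page's HTML for a third-party script that loads ahead of any of the site's own scripts and for click handlers that navigate the visitor away. The `scan_page` and `InjectionScanner` names, the host names and the sample HTML are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Calls a click handler would use to send the visitor to another site.
NAV_CALL = re.compile(r"location\.(href|replace|assign)|window\.open\(", re.I)
CLICK_HOOK = re.compile(r"addEventListener\(\s*['\"]click['\"]|\.onclick\s*=", re.I)

class InjectionScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.script_count = 0        # <script src> tags seen so far, in page order
        self.external_scripts = []   # (src, loaded before any of the site's own scripts)
        self.click_redirects = []    # where a click -> navigation hook lives
        self._script_buf = None      # text of the inline <script> being read
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._script_buf = ""
            src = attrs.get("src")
            if src:
                self.script_count += 1
                # A relative src has no host and belongs to the site itself.
                host = urlparse(src).hostname or self.site_host
                if host != self.site_host:
                    self.external_scripts.append((src, self.script_count == 1))
        elif NAV_CALL.search(attrs.get("onclick") or ""):
            self.click_redirects.append(f"<{tag} onclick>")
    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf += data
    def handle_endtag(self, tag):
        if tag == "script":
            if CLICK_HOOK.search(self._script_buf) and NAV_CALL.search(self._script_buf):
                self.click_redirects.append("inline <script>")
            self._script_buf = None

def scan_page(html, site_host):
    """Return (external scripts, click redirects) found in one page's HTML."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    return scanner.external_scripts, scanner.click_redirects

# Constructed sample: injected loader ahead of the site's own jQuery; an inline handler redirects any click.
SAMPLE = """<html><head><script src="//cdn.example-attacker.invalid/loader.js"></script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script></head><body><p>Welcome</p>
<script>document.addEventListener('click', function () {
  window.location.href = 'https://landing.example-attacker.invalid/';
});</script></body></html>"""
```

Run `scan_page(SAMPLE, "shop.example")` against pages fetched from a suspect site; a hit on both checks for the same page is a strong reason to inspect the theme and plugin files for the injected code.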

RECOMMENDATION

We recommend that admins of enterprise WordPress websites check that all plugins, themes and commercial extensions are immediately updated.
