Security researchers at Doctor Web, a security company focused on threat detection and prevention, have discovered a malicious Linux program that targets WordPress sites running outdated and vulnerable plugins and themes.
The malware targets 32-bit versions of Linux, but it is also capable of running on 64-bit versions. It exploits 30 theme and plugin vulnerabilities to inject malicious JavaScript into websites, redirecting visitors to the attacker’s selected website.
The report states that Doctor Web’s analysis of the application revealed that “it could be the malicious tool that cybercriminals have been using for more than three years to carry out such attacks and monetize the resale of traffic, or arbitrage.” During this time, the tool has been updated to target more exploitable vulnerabilities.
There are two versions of the malware – Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2. Version 1 seeks to exploit vulnerabilities in popular plugins like WP GDPR Compliance, Easysmtp, WP Live Chat, and a dozen other free and commercial extensions. A few of these have a history of frequent vulnerabilities, and one was removed from the plugin directory for guideline violations but may still be active on some sites.
An updated Version 2 has a different server address for distributing the malicious JavaScript and an additional list of exploited vulnerabilities for a few more widely used plugins, including FV Flowplayer Video Player, Brizy Page Builder, WooCommerce, and more.
Doctor Web’s report also speculates that attackers may have engineered a long game plan that will give them administrative access even after users update to newer (patched) versions of the compromised plugins:
Both trojan variants have been found to contain unimplemented functionality for hacking the administrator accounts of targeted websites through a brute-force attack—by applying known logins and passwords, using special vocabularies. It is possible that this functionality was present in earlier modifications, or, conversely, that attackers plan to use it for future versions of this malware. If such an option is implemented in newer versions of the backdoor, cybercriminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities.
Doctor Web published a document with indicators of compromise, detailing hashes, IPs, and domains that the Linux backdoor malware has been using to infect WordPress websites.
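A site owner looking for the symptom described above (a foreign script tag or an inline redirect injected into a site's pages) can run an integrity check over the rendered HTML. The following is an added example, not code from the Doctor Web report or its indicators document; the allowlisted hosts, the `not-our-site.test` domain and the sample page are constructed for illustration.

```python
"""Defender-side check for the symptom described above: foreign <script> tags or
inline redirects inserted into a WordPress page. Added example, not from the Doctor
Web report; the allowlist and sample HTML are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCRIPT_HOSTS = {"example-shop.test", "cdn.example-shop.test"}  # hypothetical site
# Writes to location (or replace/assign calls) send the visitor elsewhere;
# '==' comparisons are excluded to limit false positives.
REDIRECT_RE = re.compile(
    r"(?:\b(?:window|document|top|self)\.)?\blocation(?:\.href)?\s*=(?!=)"
    r"|\blocation\.(?:replace|assign)\s*\(", re.IGNORECASE)

class ScriptCollector(HTMLParser):
    """Gather external script sources and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.external.append(src)
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())

def script_host(src):
    """Hostname of an absolute or protocol-relative URL; None for same-origin paths."""
    return urlparse(src).hostname if src.startswith(("http://", "https://", "//")) else None

def find_injected_redirects(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return findings for one rendered page; an empty list means nothing was seen."""
    p = ScriptCollector()
    p.feed(html)
    findings = [f"script from non-allowlisted host: {h}" for h in map(script_host, p.external)
                if h and h.lower() not in allowed_hosts]
    findings += [f"inline redirect: {b[:60]}" for b in p.inline if REDIRECT_RE.search(b)]
    return findings

# Constructed sample: a normal page plus one injected script tag and one inline redirect.
SAMPLE_PAGE = """<html><head><script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-shop.test/theme.js"></script>
<script src="//static.not-our-site.test/r.js"></script>
<script>if(!document.cookie.match(/seen/)){window.location.href="https://not-our-site.test/";}</script>
</head><body><p>Welcome</p></body></html>"""
```

Run it against the HTML each public page actually serves (not the stored post body alone), since the report describes injection into the pages visitors receive.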