Author: Eva Georgieva / Last Updated: 01/15/2022
Reviewed By: Dalibor Gašić
A Linux backdoor malware has been discovered that can exploit around 30 WordPress plugins in order to inject malicious JavaScript code and redirect users to harmful, malicious phishing sites created by the attackers.
Such exploitation is possible because the vulnerable WordPress sites are running outdated versions of the plugins and themes.
This is what allows the attackers to carry out these attacks: once a user lands on an infected WordPress site, they are immediately redirected to a malicious web page where they:
Security researchers at Dr.Web discovered the malware Linux.BackDoor.WordPressExploit.1.
This malware attempts to exploit websites through outdated and vulnerable plugins or themes.
Once it confirms that a website has a vulnerable plugin installed, it acts as a backdoor: it retrieves malicious JavaScript from a remote command-and-control (C2) server and inserts it into the vulnerable website.
From there, once one or several vulnerabilities have been successfully exploited, the vulnerable page is injected with the harmful JavaScript.
Whenever a user loads the page, the malicious JavaScript runs first and redirects the user to a malicious site.
A second version of the Linux.BackDoor.WordPressExploit trojan differs from the first in its command-and-control server address and in the domain from which the JavaScript used in the exploit is downloaded.
A total of 30 outdated themes and plugins have been identified and should be updated immediately:
According to the initial research by Doctor Web, both version 1 and version 2 of the trojan contain unimplemented functionality that could allow them to brute-force the administrator accounts of the affected websites using crafted username and password dictionaries.
This could allow the attackers to compromise these websites even after the vulnerable plugin and theme versions have been patched.
The remediation and prevention for this type of attack generally consist of 2 steps:
To check whether a plugin is outdated, look it up in the WordPress Plugin Directory, which shows the plugin's current version, when it was last updated, and whether it is still maintained.
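As an added example (not code from the original article), the following Python automates the check described above: it reads the `Version:` header from a plugin's main PHP file and compares it with the version and last-updated date that the Plugin Directory reports. The plugin file and directory response below are constructed samples standing in for the live `api.wordpress.org/plugins/info/1.0/<slug>.json` data, and the two-year staleness threshold is an assumption.

```python
import re
from datetime import date

# Constructed sample: the header block WordPress reads from a plugin's main PHP file.
SAMPLE_PLUGIN_FILE = """<?php
/*
Plugin Name: Example Gallery
Version: 1.2.0
*/
"""

# Constructed sample of the fields the Plugin Directory API returns for a slug;
# the values are made up for this example.
SAMPLE_DIRECTORY_INFO = {
    "version": "1.4.1",
    "last_updated": "2019-03-02 10:15am GMT",
}


def parse_plugin_version(php_source: str) -> str:
    """Extract the installed version from the plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found in plugin file")
    return m.group(1)


def version_tuple(v: str) -> tuple:
    """Numeric component-wise comparison key (so 1.10.0 > 1.9.5); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def assess_plugin(php_source: str, directory_info: dict, today: date, stale_days: int = 730) -> dict:
    """Flag a plugin as outdated (newer release exists) and/or unmaintained (no release in stale_days)."""
    installed = parse_plugin_version(php_source)
    latest = directory_info["version"]
    # The API's last_updated string begins with an ISO date; the time/zone suffix is ignored.
    last_updated = date.fromisoformat(directory_info["last_updated"][:10])
    return {
        "installed": installed,
        "latest": latest,
        "outdated": version_tuple(installed) < version_tuple(latest),
        "unmaintained": (today - last_updated).days > stale_days,
    }


if __name__ == "__main__":
    print(assess_plugin(SAMPLE_PLUGIN_FILE, SAMPLE_DIRECTORY_INFO, date(2022, 1, 15)))
```

A plugin flagged as both outdated and unmaintained is the case this article warns about: there is a newer release to apply, and the project may no longer receive fixes at all.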
Eva is a security engineer, researcher, and penetration tester with over 5 years of experience working on both red teams and blue teams.