A new strain of malware has been detected that disproportionately affects WordPress sites with vulnerable add-ons installed. It lets attackers redirect a visitor to a website of their choosing when the visitor clicks anywhere on the page.
Researchers from Dr.Web have uncovered a Trojan, dubbed Linux.BackDoor.WordPressExploit.1, which is specifically designed to target 32-bit versions of Linux and is also capable of running on 64-bit versions.
Linux Malware Version
The Trojan exploits known vulnerabilities in a number of plugins, such as WP Live Chat Support Plugin, WP Live Chat, Google Code Inserter and WP Quick Booking Manager, to inject malicious JavaScript into vulnerable websites. This activity could have been going on for up to three years, with possible motives of selling website traffic or carrying out arbitrage.
The researchers stated that the injection is carried out so that when the compromised page is opened, the injected JavaScript runs first, irrespective of the page’s original contents.
A revised version was also found. It leverages vulnerabilities in additional extensions, for example the Brizy WordPress Plugin, FV Flowplayer Video Player and WordPress Coming Soon Page, and uses a different command & control (C2) server.
Linux Malware Targeting WordPress Sites
A report indicated that both the original version and the version with additional features gave threat actors the ability to target admin accounts with brute-force attacks. It is therefore probable that the attackers had further variants of the Trojan, with extra features, in store.
If newer versions of the backdoor include this brute-force option, the report states, there is a risk that cyber-criminals may be able to breach even websites that run the latest plugin versions with the vulnerabilities patched.
Webmasters should ensure their WordPress platform and any add-ons are up-to-date in order to maintain website security. Additionally, they should be mindful of any news or updates related to the free downloads they have installed.
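Because the injected JavaScript is described above as running before the page's own content, a webmaster can audit a saved copy of a rendered page for scripts that sit ahead of the document markup or load from hosts the site does not use. The following is an added example, not code from Dr.Web or from this article. The two heuristics, the `audit` function, the host names and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptOrder(HTMLParser):
    """Collect <script> tags in order; note any seen before <!DOCTYPE>/<html>."""

    def __init__(self):
        super().__init__()
        self.doc_started = False  # True once <!DOCTYPE> or <html> is seen
        self.scripts = []         # (src or None, seen_before_document)

    def handle_decl(self, decl):
        if decl.lower().startswith("doctype"):
            self.doc_started = True

    def handle_starttag(self, tag, attrs):
        if tag == "html":
            self.doc_started = True
        elif tag == "script":
            self.scripts.append((dict(attrs).get("src"), not self.doc_started))


def audit(html, site_host, allowed_hosts=()):
    """Return (position, source, reasons) for each script worth reviewing."""
    parser = ScriptOrder()
    parser.feed(html)
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for pos, (src, before_doc) in enumerate(parser.scripts):
        reasons = []
        if before_doc:
            reasons.append("precedes document markup")
        # Relative URLs have no hostname and resolve to the site itself.
        host = (urlparse(src).hostname or site_host.lower()) if src else None
        if host and host not in trusted:
            reasons.append("host not on allowlist")
        if reasons:
            findings.append((pos, src or "<inline>", reasons))
    return findings


# Constructed sample: a saved page with one script prepended to the document.
SAMPLE = """<script src="https://tracker.invalid/lib.js"></script>
<!DOCTYPE html><html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example.org/widget.js"></script>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "blog.example.org", ["cdn.example.org"]):
        print(finding)
```

A finding is a prompt for manual review, not proof of compromise; the allowlist should contain only the hosts the site's theme and plugins are known to load from.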