Researchers Discover New Linux Malware Targeting WordPress Sites

A previously unknown Linux malware variant is targeting WordPress-based websites, according to research by cybersecurity firm Dr.Web.

The Trojan, named Linux.BackDoor.WordPressExploit.1, targets 32-bit versions of Linux but can also run on 64-bit versions. Its main function is to compromise websites built on the WordPress content management system (CMS) and inject malicious JavaScript into their pages.

The backdoor launches these attacks by exploiting known vulnerabilities in a number of outdated WordPress plugins and themes that may be installed on a site. These include the WP Live Chat Support Plugin, WP Live Chat, Google Code Inserter and WP Quick Booking Manager.

The Trojan is remotely controlled by the attacker, who pushes the addresses of websites to infect through a command and control (C&C) server. Threat actors can also remotely put the malware into standby mode, shut it down, and suspend action logging.

Dr.Web believes that cybercriminals may have been using this malicious tool for more than three years to carry out such attacks and to resell the resulting traffic or monetize it through arbitrage.

Describing how this process works, the researchers say that when a vulnerability in a plugin or theme is exploited, “when an infected page is loaded, an injection is initiated so that this JavaScript is started first.”

This means that if a user clicks anywhere on an infected webpage, they are redirected to a website of the attacker’s choosing.
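The injection pattern described above, checked for with a small heuristic scanner (an added example, not code from the article or from Dr.Web; the sample HTML, hostnames and regular expressions are constructed for illustration and are not indicators from the report):

```python
import re
from urllib.parse import urlparse

# Constructed sample: a WordPress page where an off-site script has been injected as the
# very first script in <head>, plus an inline handler that redirects on any click.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<script src="https://attacker-cdn.example/loader.js"></script>
<title>Blog</title>
<script src="https://blog.example/wp-includes/js/jquery.js"></script>
<script>document.addEventListener('click',function(){window.location='https://landing.example/'});</script>
</head><body><p>Hello</p></body></html>"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r'src\s*=\s*["\']([^"\']+)["\']', re.I)
# Assignments that move the browser to another URL.
REDIRECT_RE = re.compile(r"(window\.location|location\.href|document\.location)\s*=", re.I)
# Click handlers registered on the document or elements.
CLICK_RE = re.compile(r"(addEventListener\s*\(\s*['\"]click['\"]|onclick|\.on\s*\(\s*['\"]click['\"])", re.I)


def scan_page(html, site_host):
    """Return findings for scripts matching the injection described in the article:
    an external script loaded from a host other than the site's own (flagged as 'first'
    when it precedes every legitimate script), or an inline script that redirects the
    browser from a click handler."""
    findings = []
    for idx, m in enumerate(SCRIPT_RE.finditer(html)):
        attrs, body = m.group(1), m.group(2)
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname or ""
            # Relative paths have no host and are treated as same-origin.
            if host and host != site_host and not host.endswith("." + site_host):
                findings.append({"kind": "offsite_script", "src": src.group(1), "first": idx == 0})
        elif CLICK_RE.search(body) and REDIRECT_RE.search(body):
            findings.append({"kind": "click_redirect", "snippet": body.strip()[:80], "first": idx == 0})
    return findings


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, "blog.example"):
        print(finding)  # prints one offsite_script (first=True) and one click_redirect finding
```

Run it against the rendered HTML of a few pages (or the theme's header.php) after a suspected compromise; a legitimate CDN host will show up as an off-site script too, so treat hits as leads to review, not verdicts.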

The Trojan keeps statistics on the number of websites attacked, every case in which a vulnerability was exploited, and the number of times the WordPress Ultimate FAQ plugin and Zotabox’s Facebook Messenger plugin were successfully exploited. It also reports any unpatched vulnerabilities it detects back to the remote server.

Additionally, the researchers found an updated version of the malware, Linux.BackDoor.WordPressExploit.2. This variant uses a different C&C server address and a different domain from which the malicious JavaScript is downloaded.

It can also exploit additional vulnerabilities in plugins such as the Brizy WordPress Plugin, FV Flowplayer Video Player and WordPress Coming Soon Page.

Dr.Web added that both versions of the Trojan contain as-yet “unimplemented” functionality for hacking the administrator accounts of targeted websites through brute-force attacks, that is, by trying known logins and passwords from a dedicated wordlist.

The researchers warned that the attackers may be planning to use this functionality in future versions of the malware. “If such an option were implemented in a newer version of the backdoor, cybercriminals could even attack some of the websites that use current plugin versions with the vulnerabilities patched,” they said.

Dr.Web strongly urged owners of WordPress-based websites to “keep all components of the platform up to date, including third-party add-ons and themes, and use strong and unique logins and passwords for their accounts.”

WordPress is estimated to power around 43% of all websites, which makes the CMS an attractive target for cybercriminals.

In September 2022, Wordfence, a company focused on WordPress security, warned that attackers had attempted to exploit a zero-day vulnerability in a WordPress plugin called BackupBuddy nearly five million times.

A few months earlier, in June 2022, WordPress force-updated over one million sites to patch a critical vulnerability in the Ninja Forms plugin.
