Researchers Discover New Linux Malware Targeting WordPress Sites

A previously unknown strain of Linux malware is targeting WordPress-based websites, according to research by cybersecurity firm Dr.Web.

Dubbed Linux.BackDoor.WordPressExploit.1, the Trojan targets 32-bit versions of Linux but can also run on 64-bit versions. Its main function is to hack websites based on a WordPress content management system (CMS) and inject a malicious JavaScript into their webpages.

The backdoor launches these attacks by exploiting known vulnerabilities in numerous outdated WordPress plugins and themes that can be installed on a website. These include WP Live Chat Support Plugin, WP Live Chat, Google Code Inserter and WP Quick Booking Manager.

The Trojan is remotely controlled by malicious actors, who communicate the address of the website it is to infect via its command and control (C&C) server. Threat actors are also able to remotely switch the malware to standby mode, shut it down and pause logging its actions.

Dr.Web believes the malicious tool could have been used by cyber-criminals for over three years to carry out such attacks and monetize the resale of traffic, or arbitrage.

Explaining how the process works, the researchers noted that once a plugin or theme vulnerability is exploited, “the injection is done in such a way that when the infected page is loaded, this JavaScript will be initiated first – regardless of the original contents of the page.”

This means that users are redirected to the attackers' website of choice when they click anywhere on the infected webpage.

The Trojan application tracks the number of websites attacked, every case of a vulnerability being exploited and the number of times it has successfully exploited the WordPress Ultimate FAQ plugin and the Facebook messenger from Zotabox. It also informs the remote server about all detected unpatched vulnerabilities.

In addition, the researchers discovered an updated version of the malware, Linux.BackDoor.WordPressExploit.2. This variant has a different C&C server address and domain address from which the malicious JavaScript is downloaded.

It is also able to exploit additional vulnerabilities in a range of plugins, such as Brizy WordPress Plugin, FV Flowplayer Video Player and WordPress Coming Soon Page.

Dr.Web added that both versions of the Trojan contain an "unimplemented" functionality for hacking the administrator accounts of targeted websites through a brute-force attack, by trying known logins and passwords drawn from special wordlists.

The researchers warned that attackers may be planning to use this functionality for future versions of the malware. “If such an option is implemented in newer versions of the backdoor, cyber-criminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities,” they stated.

Dr.Web urged owners of WordPress-based websites to keep all components of their platforms updated, “including third-party add-ons and themes, and also use strong and unique logins and passwords for their accounts.”
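The advice above boils down to knowing which plugins are installed and at what version. The following added example (not Dr.Web's or the magazine's code) reads the standard WordPress plugin header block from each plugin's main PHP file under wp-content/plugins and flags any plugin whose name matches one of the add-ons named in this article; the watchlist, the sample plugin tree and the version strings are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Add-ons named in the Dr.Web write-up; matched case-insensitively against
# the "Plugin Name:" header. Constructed list for this example.
WATCHLIST = [
    "WP Live Chat Support", "WP Live Chat", "Google Code Inserter",
    "WP Quick Booking Manager", "Ultimate FAQ", "Zotabox",
    "Brizy", "FV Flowplayer Video Player", "Coming Soon Page",
]

# WordPress plugin headers are "Key: value" lines inside the leading comment block.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

def parse_plugin_header(php_text):
    """Return the Plugin Name / Version header fields of a plugin's main file."""
    fields = {}
    for key, value in HEADER_RE.findall(php_text[:8192]):  # WP only reads the first 8 KB
        fields.setdefault(key, value)
    return fields

def inventory_plugins(plugins_dir):
    """List (slug, name, version, watched) for every plugin found under plugins_dir."""
    results = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        candidates = sorted(entry.glob("*.php")) if entry.is_dir() else [entry]
        for php in candidates:
            if php.suffix != ".php":
                continue
            fields = parse_plugin_header(php.read_text(errors="replace"))
            if "Plugin Name" not in fields:
                continue  # not the main plugin file
            name = fields["Plugin Name"]
            watched = any(w.lower() in name.lower() for w in WATCHLIST)
            results.append((entry.name, name, fields.get("Version", "unknown"), watched))
            break  # the first file carrying a header is the plugin's main file
    return results

def demo_inventory():
    """Build a constructed plugins tree (sample data, not real plugins) and inventory it."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "wp-live-chat-support").mkdir()
    (tmp / "wp-live-chat-support" / "wp-live-chat-support.php").write_text(
        "<?php\n/*\nPlugin Name: WP Live Chat Support\nVersion: 1.2.3\n*/\n")
    (tmp / "akismet").mkdir()
    (tmp / "akismet" / "akismet.php").write_text(
        "<?php\n/**\n * Plugin Name: Akismet Anti-Spam\n * Version: 5.0\n */\n")
    return inventory_plugins(tmp)

if __name__ == "__main__":
    for slug, name, version, watched in demo_inventory():
        print(f"{'!! ' if watched else '   '}{slug}: {name} {version}")
```

Pointing `inventory_plugins` at a real site's wp-content/plugins directory gives a version list to compare against the vendors' current releases; a flagged row is a plugin to update or remove first.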

With WordPress estimated to be used by around 43% of all websites, this CMS is being heavily targeted by cyber-criminals.

In September 2022, WordPress security-focused company Wordfence published an advisory warning that hackers attempted to exploit a zero-day flaw in a WordPress plugin called BackupBuddy five million times.

A few months earlier, in June 2022, WordPress was forced to update over a million sites to patch a critical vulnerability affecting the Ninja Forms plugin.
