A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript.
According to a report by antivirus vendor Dr. Web, the malware targets both 32-bit and 64-bit Linux systems, giving its operator remote command capabilities.
The main functionality of the trojan is to hack WordPress sites using a set of hardcoded exploits that are run successively, until one of them works.
The targeted plugins and themes are the following:
WP Live Chat Support Plugin
WordPress – Yuzo Related Posts
Yellow Pencil Visual Theme Customizer Plugin
Easysmtp
WP GDPR Compliance Plugin
Newspaper Theme on WordPress Access Control (CVE-2016-10972)
Thim Core
Google Code Inserter
Total Donations Plugin
Post Custom Templates Lite
WP Quick Booking Manager
Faceboor Live Chat by Zotabox
Blog Designer WordPress Plugin
WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
WP-Matomo Integration (WP-Piwik)
WordPress ND Shortcodes For Visual Composer
WP Live Chat
Coming Soon Page and Maintenance Mode
Hybrid
If the targeted website runs an outdated and vulnerable version of any of the above, the malware automatically fetches malicious JavaScript from its command and control (C2) server, and injects the script into the website site.
Infected pages act as redirectors to a location of the attacker’s choosing, so the scheme works best on abandoned sites.
These redirections may serve in phishing, malware distribution, and malvertising campaigns to help evade detection and blocking. That said, the operators of the auto-injector might be selling their services to other cybercriminals.
An updated version of the payload that Dr. Web observed in the wild also targets the following WordPress add-ons:
Brizy WordPress Plugin
FV Flowplayer Video Player
WooCommerce
WordPress Coming Soon Page
WordPress theme OneTone
Simple Fields WordPress Plugin
WordPress Delucks SEO plugin
Poll, Survey, Form & Quiz Maker by OpinionStage
Social Metrics Tracker
WPeMatico RSS Feed Fetcher
Rich Reviews plugin
The new add-ons targeted by the new variant indicate that the development of the backdoor is active at the moment.
Dr. Web also mentions that both variants contain functionality that is currently inactive, which would allow brute-forcing attacks against website administrator accounts.
Defending against this threat requires admins of WordPress websites to update to the latest available version the themes and plugins running on the site and replace those that are no longer developed with alternatives that being supported.
Using strong passwords and activating the two-factor authentication mechanism should ensure protection against brute-force attacks.
