Discovered by Russian cyber security company Dr.Web, the new Trojan, dubbed Linux.BackDoor.WordPressExploit.1, is a backdoor that can be controlled remotely by bad actors to exploit a wide variety of WordPress CMS vulnerabilities.
“The main functionality of the Trojan is to hack websites based on a WordPress CMS and inject a malicious script into their webpages,” said Dr.Web.
“To do so, it uses known vulnerabilities in WordPress plug-ins and website themes.”
The malware takes advantage of 30 known vulnerabilities across the following 19 plug-ins and themes:
- WP live chat support plug-in
- WordPress – Yuzo-related posts
- YellowPencil visual theme customiser plug-in
- Easysmtp
- WP GDPR compliance plug-in
- Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
- Thim Core
- Google code inserter
- Total Donations plug-in
- Post Custom Templates Lite
- WP Quick Booking Manager
- Facebook live chat by Zotabox
- Blog Designer WordPress plug-in
- WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
- WP-Matomo Integration (WP-Piwik)
- WordPress ND Shortcodes for Visual Composer
- WP live chat
- Coming soon page and maintenance mode
- Hybrid
Before attacking, the Trojan contacts its command and control (C&C) server to obtain the address of the site it is to infect. It then attempts to exploit one of the known vulnerabilities, all of which are found in outdated versions of the plug-ins and themes listed above.
If successful, the malware injects malicious JavaScript into the site's pages, which runs ahead of the page's own scripts when the site loads. As a result, when a user clicks anywhere on the page, they are redirected to the site the attackers specify in the injected script.
Alongside Linux.BackDoor.WordPressExploit.1, Dr.Web has also discovered Linux.BackDoor.WordPressExploit.2. The latter is a modification of the former, using a different address to download the malicious JavaScript, a different C&C server address, and an additional list of exploits. The additional plug-ins are:
- Brizy WordPress plug-in
- FV Flowplayer video player
- WooCommerce
- WordPress coming soon page
- WordPress theme OneTone
- Simple Fields WordPress plug-in
- WordPress Delucks SEO plug-in
- Poll, survey, form and quiz maker by OpinionStage
- Social metrics tracker
- WPeMatico RSS Feed Fetcher
- Rich Reviews plug-in
Both versions collect statistics and contain code for breaching administrator accounts through brute-force attacks; however, this function has not been implemented. Dr.Web believes these features were either present in older versions of the malware or could be rolled out in later versions.
Dr.Web recommends that WordPress website owners keep their plug-ins up to date and use strong, unique login details.
Daniel Croft