WordPress sites targeted by new Linux-based Trojan

WordPress-based websites are being targeted by a new form of Linux malware, researchers reveal.

Discovered by Russian cyber security company Dr.Web, the new Trojan, dubbed Linux.BackDoor.WordPressExploit.1, is a backdoor that can be controlled remotely by bad actors to exploit a wide variety of WordPress CMS vulnerabilities.

“The main functionality of the Trojan is to hack websites based on a WordPress CMS and inject a malicious script into their webpages,” said Dr.Web.

“To do so, it uses known vulnerabilities in WordPress plug-ins and website themes.”

============

The malware takes advantage of 30 known vulnerabilities across the following 19 plug-ins and themes:

WP live chat support plug-in
WordPress – Yuzo-related posts
YellowPencil visual theme customiser plug-in
Easysmtp
WP GDPR compliance plug-in
Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
Thim Core
Google code inserter
Total Donations plug-in
Post Custom Templates Lite
WP Quick Booking Manager
Facebook live chat by Zotabox
Blog Designer WordPress plug-in
WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
WP-Matomo Integration (WP-Piwik)
WordPress ND Shortcodes for Visual Composer
WP live chat
Coming soon page and maintenance mode
Hybrid

Prior to attacking, it contacts its command and control (C&C) server to obtain the address of the site it is looking to infect. It will then attempt to exploit one of the known vulnerabilities, which are found in outdated versions of plug-ins and themes.

If successful, the malware will then inject the site with dangerous JavaScript, which will take priority in running when the site is loaded. As a result, when a user then clicks anywhere on the page, they will be redirected to the site the attackers specify in the injected script.

Alongside Linux.BackDoor.WordPressExploit.1, Dr.Web has also discovered Linux.BackDoor.WordPressExploit.2. The latter is a modification of the former, using a different address to download the malicious JavaScript, a different C&C server address, and an additional list of exploits. The additional plug-ins are:

Brizy WordPress plug-in
FV Flowplayer video player
WooCommerce
WordPress coming soon page
WordPress theme OneTone
Simple Fields WordPress plug-in
WordPress Delucks SEO plug-in
Poll, survey, form and quiz maker by OpinionStage
Social metrics tracker
WPeMatico RSS Feed Fetcher
Rich Reviews plug-in

Both versions collect statistics and have been found to feature the ability to breach administrator accounts through brute force attacks, however, this function has not been implemented. Dr.Web believes that these are features that were present in older versions of the malware, or that they could be potentially rolled out in later versions.

VIEW ALL

Dr.Web recommends that WordPress website owners keep their plug-ins up to date, and to use strong and unique login details.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it

newsletter

Be the first to hear the latest developments in the cyber industry.

WordPress sites targeted by new Linux-based Trojan

Daniel Croft

Introducing Cyber Daily, the new name for Cyber Security Connect

OUR PLATFORMS AND BRANDS

EVENTS AND SUMMITS

PODCASTS

LEARNING AND EDUCATION

MOMENTUM MARKETS NETWORK

LINKS

STAY CONNECTED