Numerous WordPress Plugins Can Be Exploited by New Linux Malware

WordPress websites are being attacked by a previously unidentified Linux malware strain that compromises vulnerable systems by exploiting flaws in more than twenty plugins and themes.

In a report released last week, Russian security company Doctor Web stated that “the targeted web pages are injected with malicious JavaScripts” if sites utilize older versions of such add-ons that are missing essential updates. As a result, users who click anywhere on an attacked page are taken to other websites.

In the attacks, a list of 19 different plugins and themes with known security flaws is weaponized to deploy an implant on the targeted website and extend the attacker’s reach. The implant can also inject JavaScript code downloaded from a remote server to reroute the site’s visitors to whatever domain the attacker chooses.

Doctor Web reported the discovery of a second backdoor using a new command-and-control (C2) domain and an updated list of vulnerabilities impacting 11 more plugins, bringing the total to 30.

The targeted plugins were enumerated in the Dr.Web article mentioned above and are shown below.

● WP Live Chat Support
● Yuzo Related Posts
● Yellow Pencil Visual CSS Style Editor
● Easy WP SMTP
● WP GDPR Compliance
● Newspaper (CVE-2016-10972)
● Thim Core
● Smart Google Code Inserter (discontinued as of January 28, 2022)
● Total Donations
● Post Custom Templates Lite
● WP Quick Booking Manager
● Live Chat with Messenger Customer Chat by Zotabox
● Blog Designer
● WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
● WP-Matomo Integration (WP-Piwik)
● ND Shortcodes
● WP Live Chat
● Coming Soon Page and Maintenance Mode
● Hybrid
● Brizy
● FV Flowplayer Video Player
● WooCommerce
● Coming Soon Page & Maintenance Mode
● Onetone
● Simple Fields
● Delucks SEO
● Poll, Survey, Form & Quiz Maker by OpinionStage
● Social Metrics Tracker
● WPeMatico RSS Feed Fetcher
● Rich Reviews

It’s unclear whether the alleged inclusion of a brute-force approach for WordPress administrator accounts is a holdover from an earlier version or a feature that has yet to be deployed.

The company warned that if such a feature is included in subsequent versions of the backdoor, cybercriminals could successfully attack even websites that run current plugin versions with patched vulnerabilities.

WordPress users are advised to keep all of the platform’s components, including third-party add-ons and themes, up to date. To secure their accounts, they should also choose strong, unique logins and passwords.

According to the researchers, once a plugin or theme vulnerability is exploited, “the injection is done in such a way that when the infected page is loaded, this JavaScript will be begun first – regardless of the original contents of the page.”

Users will be sent to the attackers’ preferred website by clicking anywhere on the compromised website.
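As an added example, not Doctor Web’s or this article’s code, the Python heuristic below scans a page’s HTML for the two traits described above: a script pulled from a foreign host that is loaded ahead of any page content, and inline code that hooks every click and rewrites the location. The site hostname, the regular expressions and the sample HTML are constructed for illustration, not taken from the campaign.

```python
# Heuristic scan for injected redirect scripts (added example, constructed).
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline code that hooks clicks and then rewrites the location (constructed patterns).
CLICK_HOOK = re.compile(r"addEventListener\(\s*['\"]click['\"]|\.onclick\s*=", re.I)
LOCATION_WRITE = re.compile(r"(window\.)?location(\.href)?\s*=(?!=)|location\.(assign|replace)\(", re.I)


class ScriptScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []
        self.seen_content = False  # set once any element beyond <head> metadata appears
        self._cur = None           # details of the <script> currently being read

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            host = urlparse(src).hostname if src else None
            self._cur = {"src": src, "host": host,
                         "leads_page": not self.seen_content,           # runs before page content
                         "foreign": host is not None and host != self.site_host,
                         "click_redirect": False}
        elif tag not in ("html", "head", "meta", "title", "link"):
            self.seen_content = True

    def handle_data(self, data):  # script bodies arrive here as raw text
        if self._cur and CLICK_HOOK.search(data) and LOCATION_WRITE.search(data):
            self._cur["click_redirect"] = True

    def handle_endtag(self, tag):
        if tag == "script" and self._cur:
            if self._cur["click_redirect"] or (self._cur["leads_page"] and self._cur["foreign"]):
                self.findings.append(self._cur)
            self._cur = None


def scan_page(html, site_host):
    """Return the <script> elements that match either injection indicator."""
    scanner = ScriptScanner(site_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: one foreign script ahead of all content, one inline click hijack,
# and one legitimate local jQuery include that must not be flagged.
SAMPLE_HTML = """<html><head><script src="https://cdn.bad-host.test/x.js"></script><title>Shop</title></head>
<body><script>document.addEventListener('click',function(){window.location='https://lure.test/';});</script>
<p>Welcome</p><script src="/wp-includes/js/jquery.js"></script></body></html>"""
```

Run `scan_page(SAMPLE_HTML, "shop.example.test")` to see the two suspicious scripts; tune the head-tag allowlist to the site’s own template before using it on real pages.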

The Trojan keeps track of how many websites it has targeted and of every instance in which a vulnerability is exploited. It also tracks the number of times it has successfully exploited the Facebook Messenger chat plugin from Zotabox and the WordPress Ultimate FAQ plugin. Additionally, all discovered unpatched vulnerabilities are reported to the remote server.

The announcement comes weeks after Fortinet FortiGuard Labs detailed another botnet, GoTrim, which is designed to brute-force self-hosted websites running the WordPress content management system (CMS) in order to seize control of the targeted systems.

More than 15,000 WordPress websites were compromised two months ago, according to Sucuri, as part of a malicious attempt to drive users to phony Q&A portals. There are presently 9,314 active infections.

In June 2022, the GoDaddy-owned website security firm also disclosed details about Parrot, a traffic direction system (TDS) that has been seen attacking WordPress sites with malicious JavaScript that injects further malware onto compromised systems.


January 16th, 2023 | Tips