A new malware variant has been spotted targeting WordPress sites with vulnerable add-ons installed.
The malware allows threat actors to redirect visitors to a website of their choice whenever they click anywhere on the site.
Researchers from Dr.Web discovered the malware, named Linux.BackDoor.WordPressExploit.1, and described it as a Trojan that targets 32-bit versions of Linux but can also run on 64-bit versions.
More versions
The Trojan works by injecting malicious JavaScript into compromised websites. It does this by exploiting known vulnerabilities in a number of faulty add-ons, such as WP Live Chat Support Plugin, WP Live Chat, Google Code Inserter, and WP Quick Booking Manager.
Researchers suspect the malware may have been active for up to three years, selling traffic, or engaging in arbitrage.
“The injection is done in such a way that the JavaScript is started first when the infected page is loaded – regardless of the original contents of the page,” the researchers said.
An updated version was later discovered which, besides using a different command and control (C2) server, also exploited flaws in additional add-ons, such as Brizy WordPress Plugin, FV Flowplayer Video Player, and WordPress Coming Soon Page.
The report also said that both versions come with additional features that are not yet in play, including one that would allow threat actors to target administrator accounts via brute force attacks. Thus, it is very likely that the attackers planned additional Trojan versions, and additional features to boot.
“If such an option is implemented in newer versions of the backdoor, cybercriminals will be able to attack some of those sites that use current versions of plugins with patched vulnerabilities,” the report adds.
To keep their websites secure, webmasters should ensure that their WordPress platform and their installed add-ons are kept up to date. They should also monitor news about installed updates, especially those that can be downloaded for free.
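Because the injected JavaScript is started first when an infected page loads, one check a webmaster can run on a saved copy of a page is to list its external scripts in load order and flag any served from a host that is neither the site's own nor approved. The following is an added example, not code from the Dr.Web report; the host names, the allowlist and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Record the src of every <script> element in document (load) order."""

    def __init__(self):
        super().__init__()
        self.sources = []  # src value, or None for an inline script

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.sources.append(dict(attrs).get("src"))


def audit_scripts(html, site_host, allowed_hosts=()):
    """Return (position, host) for each external script from an unapproved host.

    Position 0 means the script is the first one on the page to load.
    """
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for position, src in enumerate(collector.sources):
        if not src:
            continue  # inline script: no remote host to compare
        # Relative URLs have no hostname and resolve to the site itself.
        host = (urlparse(src.strip()).hostname or site_host).lower()
        if host not in trusted:
            findings.append((position, host))
    return findings


# Constructed sample page: the first script comes from an unknown host.
SAMPLE = """<html><head>
<script src="https://unknown-host.example/a.js"></script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="//cdn.approved.example/lib.js"></script>
<script>console.log("inline");</script>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for position, host in audit_scripts(SAMPLE, "blog.example", ["cdn.approved.example"]):
        note = " (loads first)" if position == 0 else ""
        print(f"script #{position} from unapproved host {host}{note}")
```

A finding at position 0 on a page that previously had none is the case worth investigating first; legitimate third-party hosts belong in the allowlist.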
Via: Information Security Journal