New Linux malware found targeting WordPress sites

A white padlock on a dark digital background.
(Image credit:

A new malware variant has been spotted targeting WordPress websites with vulnerable add-ons installed. 

The malware allows threat actors to redirect the visitors to a website of their choosing, whenever they click anywhere on the site. 

Discovered by researchers from Dr.Web, the malware is named Linux.BackDoor.WordPressExploit.1 and is described as a Trojan targeting 32-bit versions of Linux, which can also run on 64-bit versions. 

More versions

The Trojan operates by injecting a malicious JavaScript into vulnerable websites. It does so by exploiting known vulnerabilities in a number of flawed add-ons, such as WP Live Chat Support Plugin, WP Live Chat, Google Code Inserter and WP Quick Booking Manager.

The researchers suspect the malware could have been active for as long as three years, selling traffic, or engaging in arbitrage. 

“The injection is done in such a way that when the infected page is loaded, this JavaScript will be initiated first – regardless of the original contents of the page,” the researchers said. 

An updated version was also subsequently discovered which, besides having a different command & control (C2) server, also exploited flaws in additional add-ons, such as Brizy WordPress Plugin, FV Flowplayer Video Player and WordPress Coming Soon Page.

The report also stated that both versions came with additional features that still haven’t been turned on, including one that allowed threat actors to target admin accounts via brute-force attacks. Hence, it’s highly likely that the attackers planned for additional versions of the Trojan, and extra features, to boot. 

“If such an option is implemented in newer versions of the backdoor, cyber-criminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities,” the report adds.

To keep their websites secure, webmasters should make sure their WordPress platform, as well as the add-ons installed, are up-to-date. Also, they should also keep an eye on news regarding the installed updates, especially for those that are free to download.

Via: Infosecurity Magazine

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.