Security researchers from the web security and protection company Sucuri have discovered that cybercriminals are using malicious plugins, which hide in plain sight and serve as backdoors, to gain access to and maintain a foothold on WordPress sites.
The firm found that two of these fake plugins with backdoor functionality, named initiatorseo or updrat123 by their creators, were observed cloning the functionality of the popular backup and restore WordPress plugin UpdraftPlus.
Fake plugins can easily be created using automated tools or by injecting malicious payloads such as web shells within the source code of legitimate plugins. These malicious plugins also don't show up inside of a compromised website's WordPress dashboard as they were designed to remain out of sight.
- Critical flaw in WordPress live chat discovered
- Hackers publish details on critical Magento flaw
- These are the best website defacement monitoring services
Sucuri's researchers discovered that the plugins will only announce their presence to an attacker if they query the website using a GET request with custom parameters like initiationactivity or testingkey.
Fake WordPress plugins
The main purpose of these fake plugins is to act as backdoors on compromised WordPress sites which even provide attackers with access to the servers after the original infection vector was removed.
The attackers then use these backdoors to upload arbitrary files for malicious purposes to the infected websites' servers using POST requests. These requests contain parameters with information on the download location URL, the path where files should be written and the name under which the files should be dropped.
Sucuri noted that the attackers had also dropped web shells, malicious scripts that provide remote access to the server, in random locations on the compromised sites' servers. Randomly named scripts were also uploaded to the sites' root directories to give the attackers the ability to launch brute-force attacks against other websites.
In a blog post, Sucuri's Denis Sinegubko explained that cleaning only the visible parts of an infection is no longer enough after falling victim to an attack, saying:
“While none of the approaches used by this attack are new, it clearly demonstrates how cleaning only the visible parts of an infection is not enough. Hackers want to maintain access to websites as long as they can. To accomplish this, they upload various backdoors into random files scattered across the whole site. Sometimes backdoors come in the form of WordPress plugins that might not even be visible from the admin interface. Additionally, compromised websites may be used for malicious activity that is completely invisible from outside, including DDoS and brute-force attacks, mailing tons of spam, or cryptomining. Only integrity control of the filesystem and server-side security scans can help detect this kind of malware.”
- Also check out the best antivirus software