Linux backdoor hacks WordPress sites

Doctor Web has detected a malware for Linux OS that hacks websites based on the WordPress CMS by exploiting 30 vulnerabilities in a number of plug-ins and themes for this platform. If websites use outdated versions of these plugins without the necessary patches, malicious JavaScript scripts are injected into the target web pages. After that, when clicking anywhere on the attacked page, users are redirected to other resources.

Cybercriminals have been targeting WordPress sites for years. Information security experts observe cases when various vulnerabilities of the platform and its components are used to hack Internet resources and inject malicious scripts into them. An analysis of the detected Trojan by Doctor Web specialists showed that it could be the malicious tool that cybercriminals have been using for more than 3 years to carry out similar attacks and earn money by reselling traffic, or arbitrage.

Malicious program named according to Dr.Web classification Linux.BackDoor.WordPressExploit.1is designed to work on devices running 32-bit operating systems of the Linux family, however, it can also function in 64-bit systems. Linux.BackDoor.WordPressExploit.1 is a backdoor that attackers control remotely. At their command, he is able to perform the following actions:

  • attack a given web page (site);

  • switch to standby mode;

  • complete your work;

  • stop logging of completed actions.

The main function of the Trojan is to hack websites based on the WordPress content management system and inject a malicious script into their web pages. To do this, he uses known vulnerabilities in WordPress plugins, as well as in website themes. Before the attack, the Trojan contacts the command and control server and receives from it the address of the web resource that needs to be hacked. Then Linux.BackDoor.WordPressExploit.1 tries in turn to exploit vulnerabilities in outdated versions of the following plugins and themes that can be installed on the site:

  • WP Live Chat Plugin

  • WordPress – Yuzo Related Posts

  • Yellow Pencil Visual Theme Customizer Plugin

  • Easysmtp

  • WP GDPR Compliance Plugin

  • Newspaper Theme on WordPress Access Control (Vulnerability CVE-2016-10972)

  • Thim Core

  • Google Code Inserter

  • Total Donations Plugin

  • Post Custom Templates Lite

  • WP Quick Booking Manager

  • Faceboor Live Chat by Zotabox

  • Blog Designer WordPress Plugin

  • WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232, CVE-2019-17233)

  • WP-Matomo Integration (WP-Piwik)

  • WordPress ND Shortcodes For Visual Composer

  • WP Live Chat

  • Coming Soon Page and Maintenance Mode

  • Hybrid

If one or more vulnerabilities are successfully exploited, malicious JavaScript downloaded from a remote server is injected into the landing page. In this case, the injection occurs in such a way that when the infected page is loaded, this JavaScript will be initiated the very first, regardless of what content was on the page earlier. In the future, when clicking anywhere on the infected page, users will be redirected to the site the attackers need.

An example of an injection in one of the hacked pages:

The Trojan keeps statistics of its work: it keeps track of the total number of attacked sites, all cases of successful exploits, and additionally, the number of successful exploits of vulnerabilities in the WordPress Ultimate FAQ plugin and Facebook messenger* from Zotabox. In addition, it informs the remote server about all detected unpatched vulnerabilities.

Along with the current modification of this Trojan, our experts have also identified its updated version – Linux.BackDoor.WordPressExploit.2. It differs from the original one by the address of the command and control server, the address of the domain from which the malicious script is loaded, as well as an extended list of exploitable vulnerabilities for the following plugins:

  • Brizy WordPress Plugin

  • FV Flowplayer Video Player

  • WooCommerce

  • WordPress Coming Soon Page

  • WordPress theme OneTone

  • Simple Fields WordPress Plugin

  • WordPress Delucks SEO plugin

  • Poll, Survey, Form & Quiz Maker by OpinionStage

  • Social Metric Tracker

  • WPeMatico RSS Feed Fetcher

  • Rich Review plugin

At the same time, unimplemented functionality was found in both versions of the Trojan for hacking the accounts of administrators of attacked websites by brute force (brute force) – selecting logins and passwords from available dictionaries. It can be assumed that this feature was present in earlier modifications, or, conversely, is planned by attackers for future versions of a malicious application. If such an opportunity appears in other versions of the backdoor, cybercriminals will be able to successfully attack even some of those sites that use current versions of plug-ins with closed vulnerabilities.

Doctor Web recommends that site owners based on the CMS WordPress keep all platform components up-to-date, including third-party plugins and themes, and use secure and unique logins and passwords for their accounts.

* The activity of the social network Facebook is prohibited in Russia.

indicators of compromise

More about Linux.BackDoor.WordPressExploit.1

More about Linux.BackDoor.WordPressExploit.2

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *