Article Details
Scrape Timestamp (UTC): 2023-10-12 09:17:56.262
Source: https://thehackernews.com/2023/10/researchers-uncover-malware-posing-as.html
Original Article Text
Click to Toggle View
Researchers Uncover Malware Posing as WordPress Caching Plugin. Cybersecurity researchers have shed light on a new sophisticated strain of malware that masquerades a WordPress plugin to stealthily create administrator accounts and remotely control a compromised site. "Complete with a professional looking opening comment implying it is a caching plugin, this rogue code contains numerous functions, adds filters to prevent itself from being included in the list of activated plugins, and has pinging functionality that allows a malicious actor to check if the script is still operational, as well as file modification capabilities," Wordfence said. The plugin also offers the ability to activate and deactivate arbitrary plugins on the site remotely as well as create rogue admin accounts with the username superadmin and a hard-coded password. In what's seen as an attempt to erase traces of compromise, it features a function named "_pln_cmd_hide" that's designed to remove the superadmin account when it's no longer required. Some of the other notable functions of the malware include the ability to remotely activate various malicious functions, alter posts and page content and inject spam links or buttons, and cause search engine crawlers to index dubious content so as to redirect site visitors to sketchy sites. "Taken together, these features provide attackers with everything they need to remotely control and monetize a victim site, at the expense of the site's own SEO rankings and user privacy," researcher Marco Wotschka said. "Remote plugin activation and admin user creation and deletion as well as conditional content filtering allow this backdoor to evade easy detection by the inexperienced user." The scale of the attacks and the exact initial intrusion vector used to breach the sites are currently unknown. The disclosure comes as Sucuri revealed that more than 17,000 WordPress websites were compromised in the month of September 2023 with Balada Injector malware to add malicious plugins and create rogue blog administrators.
Daily Brief Summary
Cybersecurity investigators have discovered a complex new form of malware that disguises itself as a WordPress plugin. The malware is capable of clandestinely creating administrator accounts and taking control of compromised sites.
Named by Wordfence, the plugin is sophisticated and professionally designed, including features that prevent it from being listed among activated plugins.
The malware provides attackers the ability to remotely activate and deactivate plugins on a compromised site, as well as create rogue admin accounts with preset, hard-coded credentials.
Functions of the malware also include the ability to remotely activate malicious actions, modify posts and page content, inject spam links or buttons, and manipulate search engine crawlers.
The researchers noted that the scale of the attacks and the initial intrusion vector used to compromise the sites are currently unknown.
Sucuri stated that over 17,000 WordPress websites were compromised in September 2023, with Balada Injector malware being used to add malicious plugins and create unauthorised blog administrators.