
Hundreds of WordPress sites infected with newly discovered backdoor


Malware that exploits known, already-fixed vulnerabilities in 30 WordPress plugins and themes, on sites that have not applied the fixes, has infected hundreds, if not thousands, of sites and may have been in active use for years, according to an article published last week.

The Linux-based malware installs a backdoor that forces infected sites to redirect visitors to malicious sites, researchers from security firm Dr.Web said. It can also disable event logging, go into standby mode, and shut itself down. It gets onto a site by exploiting vulnerabilities that plugin vendors have already patched but that the site owner has not yet applied; the affected plugins add features such as live chat or metrics reporting to the core WordPress content management system.

“If sites use outdated versions of these add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts,” the Dr.Web researchers wrote. “As a result, when users click on any area of an attacked page, they are redirected to other sites.”

A search of indexed page source indicates that more than 1,300 sites contain the JavaScript that powers the backdoor. Some of these sites may have removed the malicious code since the last scan. Nevertheless, the figure gives an indication of the scope of the infection.

Vulnerable plugins and themes targeted include:

  • WP Live Chat Support Plugin
  • WordPress – Yuzo Related Posts
  • Yellow Pencil Visual Theme Customizer Plugin
  • Easysmtp
  • WP GDPR Compliance Plugin
  • Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
  • Thim Core
  • Google Code Inserter
  • Total Donations Plugin
  • Post Custom Templates Lite
  • WP Quick Booking Manager
  • Facebook Live Chat by Zotabox
  • Blog Designer WordPress Plugin
  • WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
  • WP-Matomo Integration (WP-Piwik)
  • WordPress ND Shortcodes For Visual Composer
  • WP Live Chat
  • Coming Soon Page and Maintenance Mode
  • Hybrid
  • Brizy WordPress Plugin
  • FV Flowplayer Video Player
  • WooCommerce
  • WordPress Coming Soon Page
  • OneTone WordPress Theme
  • Simple Fields WordPress Plugin
  • Delucks WordPress SEO Plugin
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • WPeMatico RSS Feed Fetcher
  • Rich Reviews Plugin

“If one or more vulnerabilities are successfully exploited, the targeted page is injected with malicious JavaScript that is downloaded from a remote server,” the Dr.Web article explained. “With that, the injection is done in such a way that when the infected page is loaded, this JavaScript will be launched first, regardless of the original content of the page. At this point, whenever users click anywhere on the infected page, they will be forwarded to the website the attackers need users to go to.”

The JavaScript contains links to a variety of malicious domains, including:

lobbydesires[.]com
letsmakeparty3[.]ga
deliverystrategies[.]com
gabriellalovecats[.]com
css[.]digestcollect[.]com
clone[.]collectfasttracks[.]com
count[.]trackingstatistics[.]com
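The two observable traits described above, a script that is loaded before the page's own content and a document-wide click handler that navigates to an attacker domain, are enough to triage a site offline. The scanner below is an added example for this page, not code from Dr.Web or the article: it parses saved page HTML, flags any `<script>` whose source or body refers to one of the domains listed above (de-fanging brackets removed, matched by parent domain so `css.`, `clone.` and `count.` hostnames are all caught), and flags inline scripts that hook clicks and then assign `location` or call `window.open`. The two sample pages at the bottom are constructed for the demonstration.

```python
"""Triage saved WordPress page HTML for the injected redirect script.

Added example; the indicator list is the domain list quoted on this page
with de-fanging removed, and the sample pages below are constructed.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Parent domains from the write-up; subdomains are matched by suffix.
IOC_DOMAINS = (
    "lobbydesires.com",
    "letsmakeparty3.ga",
    "deliverystrategies.com",
    "gabriellalovecats.com",
    "digestcollect.com",
    "collectfasttracks.com",
    "trackingstatistics.com",
)

# Inline JavaScript that hooks clicks ...
CLICK_HOOK = re.compile(r"""addEventListener\s*\(\s*['"]click['"]|\.onclick\s*=|onmousedown\s*=""", re.I)
# ... and then moves the browser somewhere else.
NAVIGATION = re.compile(r"""(?:window\.|document\.)?location(?:\.href|\.assign|\.replace)?\s*[=(]|window\.open\s*\(""", re.I)


@dataclass
class Finding:
    kind: str       # "ioc_domain" or "click_redirect"
    position: int   # 0 = first <script> in the document, as the write-up describes
    detail: str


def host_matches_ioc(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


class _ScriptCollector(HTMLParser):
    """Collects (src, inline body) for every <script> in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = [dict(attrs).get("src") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(tuple(self._current))
            self._current = None


def scan_page(html: str) -> list:
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for index, (src, body) in enumerate(parser.scripts):
        # urlsplit handles absolute and protocol-relative (//host/x.js) sources alike.
        host = urlsplit(src).hostname or "" if src else ""
        if host_matches_ioc(host):
            findings.append(Finding("ioc_domain", index, f"external script from {host}"))
        if body:
            hit = next((d for d in IOC_DOMAINS if d in body.lower()), None)
            if hit:
                findings.append(Finding("ioc_domain", index, f"inline script references {hit}"))
            if CLICK_HOOK.search(body) and NAVIGATION.search(body):
                findings.append(Finding("click_redirect", index, "inline script hooks clicks and navigates away"))
    return findings


def is_infected(html: str) -> bool:
    return bool(scan_page(html))


# Constructed samples: one page carrying the injection pattern, one clean page.
INFECTED_PAGE = """<!doctype html><html><head><title>Constructed sample</title>
<script src="//count.trackingstatistics.com/c.js"></script>
<script>
document.addEventListener('click', function () {
  window.location.href = 'https://lobbydesires.com/go?u=' + Math.random();
});
</script>
</head><body><p>Legitimate content</p>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</body></html>"""

CLEAN_PAGE = """<!doctype html><html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>document.querySelector('#menu').onclick = function () { this.classList.toggle('open'); };</script>
</head><body><p>Legitimate content</p></body></html>"""

if __name__ == "__main__":
    for f in scan_page(INFECTED_PAGE):
        print(f"script #{f.position}: {f.kind}: {f.detail}")
```

Run it against the HTML of a few front-end pages fetched as an anonymous visitor, since the write-up says the script fires on ordinary page loads. A hit with `position` 0 matches the "launched first" behaviour described above. Because the script is injected server-side, the same strings are worth searching for in `wp_posts`, theme files and `wp-content/uploads`, and the cleanup step is to bring every listed plugin current (`wp plugin list --update=available` shows what is behind) before removing the injected code, or it will simply be re-added.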

A screenshot in the Dr.Web write-up shows how the JavaScript appears in the page source of an infected site (image credit: Dr.Web).

The researchers found two versions of the backdoor: Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2. They said the malware may have been in use for three years.

WordPress plugins have long been a common way to infect sites. Although the security of the main application is quite robust, many plugins are riddled with vulnerabilities that can lead to infection. Criminals use infected sites to redirect visitors to sites used for phishing, ad fraud, and malware distribution.

People running WordPress sites should ensure that they are using the latest versions of the core software as well as of every installed plugin and theme. They should prioritize updating any of the plugins listed above.
