Surge in Malware Infections Targeting WordPress Websites
Quick take - A recent increase in infections of WordPress websites has been linked to a sophisticated PHP reinfector and backdoor malware that exploits vulnerabilities across various plugins, including the ‘Imagify’ plugin, and poses significant security risks by executing arbitrary code, capturing admin credentials, and facilitating ongoing unauthorized access.
Fast Facts
- A surge in infections targeting WordPress sites is linked to a sophisticated PHP reinfector and backdoor malware, affecting sites even without the wpcode plugin.
- The malware reinfects files, embeds malicious code in plugins, and targets critical database tables, allowing attackers to execute arbitrary PHP code and create unauthorized admin users.
- Attackers maintain control through a cron job that runs daily, injecting third-party script URLs into infected sites, redirecting users to scam sites.
- The malware complicates cleanup by deactivating security plugins and erasing detection logs, making it difficult to identify and remove.
- Website owners are advised to adopt proactive security measures, including regular plugin reviews, strong passwords, monitoring for suspicious activity, and utilizing a web application firewall.
Surge in Infections Targeting WordPress Websites
A recent surge in infections targeting WordPress websites has been attributed to a sophisticated PHP reinfector and backdoor malware. Initially, the wpcode plugin was suspected as the primary vector for these infections. However, subsequent investigations revealed that sites lacking this plugin had also been compromised. This indicates a broader vulnerability affecting WordPress websites.
Insidious Malware Operations
The malware’s operation is particularly insidious. It reinfects website files and embeds malicious code into other plugins. Additionally, it targets critical database tables, specifically wp_posts and wp_options. A significant backdoor was identified within the ‘Imagify’ plugin, granting attackers ongoing unauthorized access to infected websites. Once infiltrated, the malware executes arbitrary PHP code on the server, writes this code directly to files, and creates malicious WordPress admin users.
The malware poses a significant threat to site security. It captures WordPress admin login credentials, encodes them, and stores them in a file, facilitating account compromises. To maintain control over compromised sites, the attackers leverage WordPress’s cron system, setting up a cron job that runs every 24 hours. This job retrieves a list of third-party script URLs, which are then injected into the infected site’s web pages, redirecting users to VexTrio scam sites.
Challenges in Cleanup and Prevention
Infected sites also reveal the presence of a malicious admin user with a randomly generated hexadecimal name and email address, deliberately hidden from the admin panel to evade detection. The malware proliferates by injecting itself into active plugins and WPCode snippets, often disguising its presence to avoid identification. Cleanup is challenging, as any remnant of the malware can trigger reinfection, creating a cyclical problem that complicates remediation.
Furthermore, the malware is designed to deactivate popular security plugins and erase their detection logs, obscuring signs of infection. Because this strain touches multiple files and database entries, removal is correspondingly involved.
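A triage check for two of the indicators described above (the hidden admin account with a hex-string name and email, and the daily WP-Cron hook), written here as an added example that is not from the original article or its source. It assumes the CSV output of WP-CLI’s `wp user list` and `wp cron event list` commands; the sample rows embedded below are constructed.

```shell
#!/bin/sh
# Added triage helper (not from the original article). It flags administrator
# accounts whose login or e-mail local part is a bare hex string, and lists
# WP-Cron hooks that are not on a known-good allowlist. Feed it the CSV from:
#   wp user list --role=administrator --fields=ID,user_login,user_email --format=csv
#   wp cron event list --fields=hook,next_run_relative,recurrence --format=csv
# The rows below are constructed samples standing in for that output.

SAMPLE_USERS='ID,user_login,user_email
1,alice,alice@example.org
57,3f9a1c7e2b4d6a80,3f9a1c7e2b4d6a80@example.net'

SAMPLE_CRON='hook,next_run_relative,recurrence
wp_version_check,11 hours,12 hours
wp_update_plugins,11 hours,12 hours
wp_scheduled_delete,23 hours,1 day
a8c2e4d1f0b7,23 hours,1 day'

# Hooks WordPress core schedules itself; anything else deserves a closer look
# (extend this list with hooks your own plugins legitimately register).
KNOWN_HOOKS='wp_version_check wp_update_plugins wp_update_themes wp_scheduled_delete wp_privacy_delete_old_export_files wp_scheduled_auto_draft_delete delete_expired_transients recovery_mode_clean_expired_keys wp_site_health_scheduled_check'

# Print admin rows whose login, or the part of the e-mail before "@", is a
# hex string of 8 or more characters (the random names the article describes).
flag_hex_admins() {
    tail -n +2 | awk -F, '
        function hexish(s) { return length(s) >= 8 && s ~ /^[0-9a-fA-F]+$/ }
        { split($3, p, "@") }
        hexish($2) || hexish(p[1]) { print }'
}

# Print cron rows whose hook name is not in KNOWN_HOOKS.
flag_unknown_cron_hooks() {
    tail -n +2 | while IFS=, read -r hook rest; do
        case " $KNOWN_HOOKS " in
            *" $hook "*) ;;
            *) printf '%s,%s\n' "$hook" "$rest" ;;
        esac
    done
}

# Stand-alone run on the constructed samples; pipe real wp-cli output instead.
printf '%s\n' "$SAMPLE_USERS" | flag_hex_admins
printf '%s\n' "$SAMPLE_CRON" | flag_unknown_cron_hooks
```

Because the account is hidden from the admin panel by code running inside the site, list users with `wp --skip-plugins --skip-themes user list ...` or query the wp_users and wp_usermeta tables directly, so that an injected filter cannot suppress the row. A hook that looks legitimate still warrants inspecting the callback it is wired to, since the article’s cron job fetches remote script URLs on each run.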
Recommended Security Measures
To combat this threat, effective security measures must be implemented, focusing on addressing the vulnerabilities that facilitated the initial malware infiltration. Website owners are urged to adopt proactive security practices, including:
- Regularly reviewing and removing unused plugins
- Creating strong passwords
- Monitoring for suspicious activity
- Implementing two-factor authentication
- Keeping all software updated
- Utilizing a web application firewall
For those who suspect their website may be infected, assistance is available. Experienced security analysts can provide guidance and support in addressing the issue.
Original Source: Read the Full Article Here