Cybercriminals hide malicious WordPress plugins in visible places

To gain access to sites based on the WordPress content management system, attackers use malicious plugins with backdoor functions that are hidden in visible place.

According to Sucuri experts, the functionality of some of these plugins, in particular initiatorseo and updrat123, was copied from the extremely popular UpdraftPlus plugin designed for data backup and recovery.

“While their code differs in terms of variable names, the malicious plugins do share a few things in common: they possess a similar structure along with header comments from the popular backup/restore plugin UpdraftPlus. At the time of writing, the UpdraftPlus plugin has more than 2 million active installations and is regularly updated by contributors”, — report researchers from Sucuri company.

It is very easy to create a fake, just use ready-made automated tools or introduce a malicious load, for example, a web shell, into the source code of a legitimate plug-in.

Administrators of a compromised site do not see malicious plugins on the toolbar.

“For those who do not use browsers with special User-Agent strings, by default the plugin does not appear on the toolbar. These lines vary depending on the plugin”, – said Sucuri.

You can detect a malicious plugin using a special GET request with the specified parameters, such as initiationactivity or testingkey. The main task of such plugins is to act as a backdoor on a compromised site and provide the attacker with access to the server, even if the initial attack vector was closed.

Read also: AutoClerk travel bookings are now publicly available

Using a backdoor, attackers upload malicious files to the servers of hacked sites by sending POST requests. These requests contain parameters with the URLs of the download locations, directories for writing files, and the names of the downloaded files.

According to Sucuri experts, attackers download web shells (malicious scripts that provide remote access to the server) to arbitrary places on the servers of hacked sites. In particular, scripts with arbitrary names are downloaded to the root folders and allow cybercriminals to carry out brute force attacks on other sites.