
Cybercriminals hide malicious WordPress plugins in visible places

To gain access to sites built on the WordPress content management system, attackers use malicious plugins with backdoor functionality that are hidden in plain sight.

According to Sucuri experts, the functionality of some of these plugins, in particular initiatorseo and updrat123, was copied from the extremely popular UpdraftPlus plugin, which is designed for data backup and recovery.

“While their code differs in terms of variable names, the malicious plugins do share a few things in common: they possess a similar structure along with header comments from the popular backup/restore plugin UpdraftPlus. At the time of writing, the UpdraftPlus plugin has more than 2 million active installations and is regularly updated by contributors”, report researchers from Sucuri.

Creating such a fake is easy: the attacker either uses ready-made automated tools or inserts a malicious payload, for example a web shell, into the source code of a legitimate plugin.

Administrators of a compromised site do not see the malicious plugins in the admin toolbar.

“For those who do not use browsers with special User-Agent strings, by default the plugin does not appear on the toolbar. These lines vary depending on the plugin”, said Sucuri.

A malicious plugin can be detected with a specially crafted GET request carrying specific parameters, such as initiationactivity or testingkey. The main task of such plugins is to act as a backdoor on the compromised site and give the attacker access to the server even after the initial attack vector has been closed.


Using the backdoor, attackers upload malicious files to the servers of hacked sites by sending POST requests. These requests carry parameters specifying the URL to fetch the file from, the directory to write it to, and the name to give the file.

According to Sucuri experts, attackers place web shells (malicious scripts that provide remote access to the server) at arbitrary locations on the servers of hacked sites. In particular, scripts with arbitrary names are dropped into the root folders and allow cybercriminals to carry out brute-force attacks on other sites.

Researchers have also discovered a new generation of malicious plugins that function not only as backdoors but also as cryptocurrency miners.

Compromised websites may be used for malicious activity that is completely invisible from outside, including DDoS and brute-force attacks, sending tons of spam, or cryptomining. Only integrity control of the filesystem and server-side security scans can help detect this kind of malware.
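As an added example (not code from the article, from Sucuri, or from the UpdraftPlus project), the following Python script implements the two defender-side checks the article points to: a filesystem scan of wp-content/plugins that flags directories whose header comment was copied from another plugin (the declared "Plugin Name" does not match the directory), that hide themselves from the plugin list depending on the User-Agent, or that read one of the trigger parameters named above (initiationactivity, testingkey); and an access-log scan that flags requests carrying those parameters or POSTs sent straight to a plugin PHP file. The plugin sources, the log lines, the directory layout and the assumption that self-hiding is done through the WordPress `all_plugins` filter are all constructed for illustration; the matching rules are heuristics and will need tuning on a real install.

```python
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

# Request parameters the article names as triggers for these backdoors.
SUSPICIOUS_PARAMS = {"initiationactivity", "testingkey"}

# Header fields WordPress reads from a plugin's main file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Plugin URI|Author|Version)\s*:\s*(.+?)\s*$", re.M)

# Assumed source-level indicators: the plugin filters itself out of the plugin
# list ('all_plugins' hook) based on the User-Agent, or reads a trigger parameter.
UA_GATING_RE = re.compile(r"HTTP_USER_AGENT", re.I)
PLUGIN_LIST_HOOK_RE = re.compile(r"['\"]all_plugins['\"]")
PARAM_RE = re.compile(r"\$_(?:GET|POST|REQUEST)\s*\[\s*['\"](\w+)['\"]\s*\]")

# Apache/nginx combined log format (constructed sample lines below).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def parse_plugin_header(source):
    """Return the WordPress header fields found in a plugin file."""
    return {k: v for k, v in HEADER_RE.findall(source)}


def slug(text):
    return re.sub(r"[^a-z0-9]", "", text.lower())


def scan_plugins(plugins_dir):
    """Return one finding per plugin directory that shows any indicator."""
    findings = []
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if not os.path.isdir(path):
            continue
        reasons = []
        for root, _, files in os.walk(path):
            for name in files:
                if not name.endswith(".php"):
                    continue
                with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
                header = parse_plugin_header(src)
                # Copied header: declared plugin name does not match the directory slug.
                if "Plugin Name" in header and slug(entry) not in slug(header["Plugin Name"]):
                    reasons.append(f"header says {header['Plugin Name']!r} but directory is {entry!r}")
                if UA_GATING_RE.search(src) and PLUGIN_LIST_HOOK_RE.search(src):
                    reasons.append("hides itself from the plugin list based on User-Agent")
                hits = SUSPICIOUS_PARAMS & set(PARAM_RE.findall(src))
                if hits:
                    reasons.append("reads trigger parameter(s): " + ", ".join(sorted(hits)))
        if reasons:
            findings.append({"plugin": entry, "reasons": reasons})
    return findings


def scan_access_log(lines):
    """Flag requests carrying a trigger parameter, or POSTs sent directly to a plugin PHP file."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable log line
        parts = urlsplit(m["target"])
        params = set(parse_qs(parts.query, keep_blank_values=True))  # parameter names only
        hits = params & SUSPICIOUS_PARAMS
        direct_post = m["method"] == "POST" and re.match(r"^/wp-content/plugins/.+\.php$", parts.path)
        if hits or direct_post:
            findings.append({"ip": m["ip"], "method": m["method"], "path": parts.path,
                             "params": sorted(hits), "direct_plugin_post": bool(direct_post)})
    return findings


# Constructed sample plugin tree: a legitimate-looking plugin, a fake that copied its
# header and hides itself, and an unrelated benign plugin.
SAMPLE_PLUGINS = {
    "updraftplus/updraftplus.php": (
        "<?php\n/*\nPlugin Name: UpdraftPlus - Backup/Restore\n*/\n"
        "function updraftplus_backup() { /* legitimate code */ }\n"
    ),
    "initiatorseo/initiatorseo.php": (
        "<?php\n/*\nPlugin Name: UpdraftPlus - Backup/Restore\n*/\n"
        "add_filter('all_plugins', function ($p) {\n"
        "  if (strpos($_SERVER['HTTP_USER_AGENT'], 'secret') === false) unset($p['initiatorseo/initiatorseo.php']);\n"
        "  return $p;\n});\n"
        "if (isset($_GET['initiationactivity'])) { echo 'alive'; }\n"
    ),
    "hello-dolly/hello.php": "<?php\n/*\nPlugin Name: Hello Dolly\n*/\nfunction hello_dolly() {}\n",
}

# Constructed access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Oct/2019:10:01:02 +0000] "GET /wp-content/plugins/initiatorseo/initiatorseo.php?initiationactivity=1 HTTP/1.1" 200 12',
    '198.51.100.7 - - [20/Oct/2019:10:02:15 +0000] "POST /wp-content/plugins/initiatorseo/initiatorseo.php HTTP/1.1" 200 5',
    '192.0.2.9 - - [20/Oct/2019:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3210',
    '192.0.2.9 - - [20/Oct/2019:10:03:30 +0000] "GET /?s=testingkey HTTP/1.1" 200 9000',
]


def run_demo():
    """Write the sample tree to a temp dir and run both scans; returns (plugin_findings, log_findings)."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    for rel, src in SAMPLE_PLUGINS.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(src)
    return scan_plugins(root), scan_access_log(SAMPLE_LOG)


if __name__ == "__main__":
    plugin_findings, log_findings = run_demo()
    for f in plugin_findings:
        print(f["plugin"], "->", "; ".join(f["reasons"]))
    for f in log_findings:
        print(f["ip"], f["method"], f["path"], f["params"], f["direct_plugin_post"])
```

On a real server, point `scan_plugins` at the install's wp-content/plugins directory and feed `scan_access_log` the web server's access log; the last sample line shows why the log check matches parameter names rather than values, so an ordinary search query containing the word "testingkey" is not flagged.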
James Brown

Technology news writer and part-time security researcher. Author of how-to articles related to Windows computer issue solving.
