Wordpress Admins Beware! Fake Cache Plugin that Steals Admin Logins

A sophisticated malware campaign targeting WordPress administrators has been discovered, utilizing a deceptive caching plugin to steal login credentials and compromise website security. 

Security researchers have identified a malicious plugin disguised as “wp-runtime-cache” that specifically targets users with administrative privileges, exfiltrating sensitive authentication data to external servers controlled by cybercriminals.

Fake WordPress Cache Steals Logins

Sucuri reports that the fake caching plugin, identified as “wp-runtime-cache,” employs several deceptive tactics to avoid detection while maintaining persistence on compromised WordPress installations. 

Unlike legitimate caching plugins that typically include multiple PHP and JavaScript files, this malicious variant consists of only a single file: wp-runtime-cache.php.

The plugin exhibits several red flags that distinguish it from authentic software. The plugin description, author information, and URL fields remain suspiciously empty, while legitimate plugins always include vendor identification and support resources. 

Additionally, the code contains heavily obfuscated base64 content and utilizes randomized variable names such as woocomHeic0971 and pbes2PITR0339, including one particularly telling variable named infiltrateDocumentStore0460.

The malware executes on every page load using the WordPress action hook: add_action('wp_login', 'octopusJson50286', 10, 2).

This ensures the credential harvesting function activates whenever users attempt to authenticate through the WordPress admin panel.

The plugin implements a sophisticated role-based targeting system that specifically hunts for high-privilege users. 

Upon login attempts, the malware checks user capabilities against predefined base64-encoded roles: bWFuYWdlX29wdGlvbnM= (manage_options for admin-level access) and ZWRpdF9wYWdlcw== (edit_pages for editor-level access).

When the login credentials match targeted roles, the plugin constructs a data array containing username, password, and user capabilities. 

This sensitive information is then transmitted to an external command-and-control server via WordPress’s built-in wp_remote_post function, sending data to the decoded URL: https://woocommerce-check.com/report-to.

The malicious domain woocommerce-check.com was registered on October 27, 2024, with suspicious registration details showing an Arkansas address but a Hong Kong country code (+852.68584411), indicating potential registration fraud.

Mitigations

The plugin incorporates advanced evasion techniques to remain hidden from administrators. 

It utilizes the action add_action('pre_current_active_plugins', 'pbes2PITR0339') to remove itself from the WordPress plugins list, making detection through standard admin interfaces nearly impossible.

The malware includes a hardcoded hash value WsXZjIFxgnLnC5V that allows specific malicious users to bypass the hiding mechanism, presumably enabling attackers to manage their infection while keeping the plugin invisible to legitimate administrators.

WordPress administrators can protect their sites through several security measures. Regular security audits using server-side scanners would detect unauthorized file uploads. 

Implementing two-factor authentication (2FA) or IP restrictions on login pages provides additional protection layers even if credentials are compromised.

Following any suspected compromise, administrators should immediately update WordPress salts in wp-config.php using the WordPress.org Salt Generator, as this prevents attackers from converting hashed passwords back to plain text. 

Regular plugin audits and maintaining updated admin passwords remain essential security practices for preventing such sophisticated attacks.
