A brand new malware marketing campaign concentrating on WordPress websites employs a malicious plugin disguised as a safety instrument to trick customers into putting in and trusting it.
In line with Wordfence researchers, the malware gives attackers with persistent entry, distant code execution, and JavaScript injection. On the identical time, it stays hidden from the plugin dashboard to evade detection.
Wordfence first found the malware throughout a web site cleanup in late January 2025, the place it discovered a modified ‘wp-cron.php’ file, which creates and programmatically prompts a malicious plugin named ‘WP-antymalwary-bot.php.’
Different plugin names used within the marketing campaign embrace:
- addons.php
- wpconsole.php
- wp-performance-booster.php
- scr.php
If the plugin is deleted, wp-cron.php re-creates and reactivates it robotically on the subsequent web site go to.
Missing server logs to assist establish the precise an infection chain, Wordfence hypothesizes the an infection happens by way of a compromised internet hosting account or FTP credentials.
Not a lot is thought concerning the perpetrators, although the researchers famous that the command and management (C2) server is positioned in Cyprus, and there are traits just like a June 2024 provide chain assault.
As soon as lively on the server, the plugin performs a self-status test after which provides the attacker administrator entry.
“The plugin gives instant administrator entry to risk actors by way of the emergency_login_all_admins operate,” explains Wordfence in its writeup.
“This operate makes use of the emergency_login GET parameter with a purpose to enable attackers to acquire administrator entry to the dashboard.”
“If the right cleartext password is supplied, the operate fetches all administrator consumer data from the database, picks the primary one, and logs the attacker in as that consumer.”
Subsequent, the plugin registers an unauthenticated customized REST API route that permits the insertion of arbitrary PHP code into all lively theme header.php recordsdata, clearing of plugin caches, and different instructions processed by way of a POST parameter.
An up to date model of the malware may also inject base64-decoded JavaScript into the location’s
part, doubtless for serving guests advertisements, spam, or redirecting them to unsafe websites.
Other than file-based indicators just like the listed plugins, web site house owners ought to scrutinize their ‘wp-cron.php’ and ‘header.php’ recordsdata for sudden additions or modifications.
Entry logs containing ’emergency_login,’ ‘check_plugin,’ ‘urlchange,’ and ‘key’ also needs to function purple flags, warranting additional investigation.
