A previously unknown strain of Linux malware is targeting WordPress sites by exploiting vulnerabilities in over two dozen plugins and themes to compromise vulnerable systems.
The attacks involve weaponizing a list of known security vulnerabilities in 19 plugins and themes that are likely installed on a WordPress website, and deploying an implant that can target a specific website to expand the network.
Doctor Web reported discovering a second variant of the backdoor, which employs a new command-and-control (C2) domain and an updated list of vulnerabilities affecting 11 additional plugins, bringing the total to 30.
Listed below are the targeted plugins and themes –
- WP Live Chat Support
- Yuzo Related Posts
- Yellow Pencil Visual CSS Style Editor
- Easy WP SMTP
- WP GDPR Compliance
- Newspaper (CVE-2016-10972)
- Thim Core
- Smart Google Code Inserter (discontinued as of January 28, 2022)
- Total Donations
- Post Custom Templates Lite
- WP Quick Booking Manager
- Live Chat with Messenger Customer Chat by Zotabox
- Blog Designer
- WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
- WP-Matomo Integration (WP-Piwik)
- ND Shortcodes
- WP Live Chat
- Coming Soon Page and Maintenance Mode
- FV Flowplayer Video Player
- Coming Soon Page & Maintenance Mode
- Simple Fields
- Delucks SEO
- Poll, Survey, Form & Quiz Maker by OpinionStage
- Social Metrics Tracker
- WPeMatico RSS Feed Fetcher
- Rich Reviews
Both variants are said to contain an unimplemented method for brute-forcing WordPress administrator accounts, although it is unclear whether this is a holdover from an earlier version or a future feature.
“If such a feature is implemented in newer versions of the backdoor, cyber criminals will even be able to successfully attack websites that use current plugin versions with patched vulnerabilities,” the company said.
Users of WordPress are advised to keep all platform components, including third-party plugins and themes, up-to-date. To secure their accounts, it is also recommended that they use strong, unique login credentials and passwords.
The revelation occurs weeks after Fortinet FortiGuard Labs described another botnet called GoTrim that is designed to brute-force WordPress content management system (CMS) websites hosted on self-hosted servers to seize control of targeted systems.
Sucuri reported last month that more than 15,000 WordPress sites had been compromised in a malicious campaign to redirect visitors to bogus Q&A portals. The current number of active infections stands at 9,314.