Stealth Backdoor Discovered in WordPress Mu-Plugins, Giving Hackers Admin Access


New Malware Threat Discovered in WordPress

Introduction to the Backdoor Vulnerability

Recent findings by cybersecurity experts have revealed a sophisticated backdoor embedded within WordPress sites, specifically hidden in the "mu-plugins" directory. This stealthy intrusion allows cybercriminals to maintain persistent access, enabling them to execute arbitrary code without detection. The discovery was made by Sucuri, a prominent web security company.

Understanding Must-Use Plugins

Must-use plugins, commonly referred to as mu-plugins, are a WordPress feature: any PHP file placed in the "wp-content/mu-plugins" directory is loaded automatically for the entire installation, with no activation step. One critical characteristic of mu-plugins is that they do not appear on the default plugins page in the wp-admin dashboard, so they cannot be disabled through the usual administrative channels; removing one requires direct file access.

Concealed Malware Functionality

The malware identified operates subtly within this mu-plugins directory. The specific PHP script, named "wp-index.php," acts as a loader, fetching additional payloads and saving them directly into the WordPress database. The data is stored in the wp_options table under a field named _hdra_core.

To obscure its activity, the malware encodes the remote payloads it retrieves with ROT13, a trivial letter-substitution cipher. ROT13 offers no real secrecy, but it keeps the fetched code from reading as plain PHP to a site administrator inspecting files or traffic.

How Attackers Exploit Vulnerabilities

According to cybersecurity researcher Puja Srivastava, after the malicious content is fetched, it is temporarily written to the server’s disk and promptly executed. This allows the attackers to gain continued access to the site, enabling them to run any PHP code remotely without raising alarms.

One particularly alarming capability of this backdoor is the injection of a hidden file manager into the theme directory, named "pricing-table-3.php." This grants attackers full control over the website’s files, allowing them to browse, upload, or delete content at will. In a further escalation, the malware also creates a new administrator account titled "officialwp" and activates a harmful plugin known as "wp-bot-protect.php."

Changing Access Controls and Maintaining Control

The backdoor doesn’t just provide access; it also fortifies the attackers’ hold on the site. It is programmed to change passwords for common administrative usernames, such as "admin," "root," and "wpsupport," preventing legitimate users from accessing the site. This feature extends to the newly created "officialwp" user, effectively locking out other administrators and consolidating the attackers’ control.

Consequences of a Breach

Once inside, attackers are free to engage in various malicious activities, from stealing sensitive data to planting additional malware that targets site visitors. They can also manipulate content on the site, potentially leading to defacement or misleading redirects to illegitimate platforms.

Srivastava noted, "The attackers gain full administrator access and a persistent backdoor, allowing them to do anything on the site, from installing more malware to defacing it." The malware’s capacity for remote command execution means that attackers can modify its functionality at will, significantly increasing the threat level.

Proactive Measures for WordPress Users

Given the rise in such threats, it’s crucial for WordPress site owners to take proactive steps in safeguarding their websites. Regular updates to WordPress core, themes, and plugins are vital in mitigating risks associated with known vulnerabilities. Implementing two-factor authentication (2FA) for administrative accounts adds an extra layer of security. Moreover, routine audits of all site components, especially the mu-plugins, theme and plugin directories, can help identify unauthorized changes or anomalies before they escalate into serious threats.
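Turning the indicators described above into a scripted audit. The following Python script is an added example, not Sucuri's tooling or code from the article: it lists and hashes every file in mu-plugins (none of them shows in wp-admin), checks for the wp-index.php loader, the pricing-table-3.php file manager, the wp-bot-protect.php plugin, the _hdra_core option and the officialwp account, and flags any mu-plugin that calls PHP's str_rot13(), a heuristic assumed from the article's mention of ROT13. Option names and user logins are passed in as lists exported beforehand, and the WordPress tree it scans in the demo is a constructed fixture.

```python
import hashlib
import os
import re
import tempfile

# Indicators quoted from the article; the paths and the str_rot13() heuristic are assumptions.
IOC_FILES = {"wp-content/mu-plugins/wp-index.php": "loader dropped in mu-plugins",
             "wp-content/plugins/wp-bot-protect.php": "plugin the backdoor activates"}
IOC_OPTION, IOC_THEME_FILE, IOC_USER = "_hdra_core", "pricing-table-3.php", "officialwp"
ROT13_CALL = re.compile(rb"str_rot13\s*\(")  # PHP's ROT13 built-in; the article says ROT13 is used

def triage(wp_root, option_names=(), usernames=()):
    """Return (severity, message) findings; option_names/usernames are exported wp_options.option_name and wp_users.user_login values, so this runs offline."""
    findings = []
    mu_dir = os.path.join(wp_root, "wp-content", "mu-plugins")
    # mu-plugins load on every request and cannot be disabled from wp-admin: record each one.
    for name in (sorted(os.listdir(mu_dir)) if os.path.isdir(mu_dir) else []):
        if os.path.isfile(os.path.join(mu_dir, name)):
            with open(os.path.join(mu_dir, name), "rb") as fh:
                data = fh.read()
            findings.append(("info", f"mu-plugin {name} sha256={hashlib.sha256(data).hexdigest()}"))
            if ROT13_CALL.search(data):
                findings.append(("high", f"mu-plugin {name} calls str_rot13(); review for payload decoding"))
    for rel, why in IOC_FILES.items():
        if os.path.isfile(os.path.join(wp_root, rel)):
            findings.append(("high", f"{rel}: {why}"))
    for dirpath, _, files in os.walk(os.path.join(wp_root, "wp-content", "themes")):
        if IOC_THEME_FILE in files:
            findings.append(("high", f"{os.path.relpath(dirpath, wp_root)}/{IOC_THEME_FILE}: hidden file manager"))
    if IOC_OPTION in option_names:
        findings.append(("high", f"wp_options row {IOC_OPTION}: stored payload"))
    if IOC_USER in usernames:
        findings.append(("high", f"rogue administrator account {IOC_USER}"))
    return findings

def build_demo_tree():
    """Constructed fixture: a fake WordPress tree with every file indicator plus one benign mu-plugin."""
    root = tempfile.mkdtemp()
    files = {"wp-content/mu-plugins/wp-index.php": b"<?php $p = str_rot13($blob); // stand-in only\n",
             "wp-content/mu-plugins/site-tweaks.php": b"<?php // benign, deployed by the site owner\n",
             "wp-content/plugins/wp-bot-protect.php": b"<?php // placeholder\n",
             "wp-content/themes/demo-theme/pricing-table-3.php": b"<?php // placeholder\n"}
    for rel, body in files.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(*triage(build_demo_tree(), ["siteurl", "_hdra_core"], ["admin", "officialwp"]), sep="\n")
```

On a live site, export the two lists with `wp option list --field=option_name` and `wp user list --field=user_login` and compare the recorded mu-plugin hashes against a known-good deployment.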

In conclusion, awareness and diligence are key in protecting against this new malware strain. Ensuring robust cybersecurity practices can greatly reduce the risks posed by such stealthy threats within the WordPress ecosystem.
