A new malware variant has been spotted targeting WordPress websites with vulnerable add-ons installed.
The malware (opens in new tab) allows threat actors to redirect the visitors to a website of their choosing, whenever they click anywhere on the site.
Discovered by researchers from Dr.Web, the malware is named Linux.BackDoor.WordPressExploit.1 and is described as a Trojan targeting 32-bit versions of Linux, which can also run on 64-bit versions.
More versions
The Trojan operates by injecting a malicious JavaScript into vulnerable websites. It does so by exploiting known vulnerabilities in a number of flawed add-ons, such as WP Live Chat Support Plugin, WP Live Chat, Google Code Inserter and WP Quick Booking Manager.
The researchers suspect the malware could have been active for as long as three years, selling traffic, or engaging in arbitrage.
“The injection is done in such a way that when the infected page is loaded, this JavaScript will be initiated first – regardless of the original contents of the page,” the researchers said.
An updated version was also subsequently discovered which, besides having a different command & control (C2) server, also exploited flaws in additional add-ons, such as Brizy WordPress Plugin, FV Flowplayer Video Player and WordPress Coming Soon Page.
The report also stated that both versions came with additional features that still haven’t been turned on, including one that allowed threat actors to target admin accounts via brute-force attacks. Hence, it’s highly likely that the attackers planned for additional versions of the Trojan, and extra features, to boot.
“If such an option is implemented in newer versions of the backdoor, cyber-criminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities,” the report adds.
To keep their websites secure, webmasters should make sure their WordPress platform, as well as the add-ons installed, are up-to-date. Also, they should also keep an eye on news regarding the installed updates, especially for those that are free to download.
Via: Infosecurity Magazine (opens in new tab)
