WordPress plugins exploited by a new Linux malware

January 13, 2023

A previously undiscovered Linux malware has been abusing about 30 vulnerabilities in numerous outdated WordPress plugins and themes to deploy malicious JavaScript.

Based on a report from an AV vendor, the new Linux malware targets both 32-bit and 64-bit Linux systems and gives its operators remote command capabilities. The trojan's primary feature is compromising targeted WordPress websites using a set of hardcoded exploits, which it runs one after another until one of them succeeds.

The new Linux malware targets numerous flawed WordPress plugins.

Some of the flawed WordPress plugins that the new Linux malware operators target are the WP Live Chat Support Plugin, Yellow Pencil Visual Theme Customizer Plugin, Easysmtp, WP GDPR Compliance Plugin, and Thim Core.

Plugins for browser tools are also targeted by this malware, among them the Google Code Inserter, WP Quick Booking Manager, Total Donations Plugin, Facebook Live Chat by Zotabox, Blog Designer WordPress Plugin, and more.

If the targeted website runs an outdated, vulnerable version of any of the plugins mentioned above, the malware automatically retrieves malicious JavaScript from its C2 server and injects the script into the WordPress website.

The affected pages then behave as redirectors to a location of the attacker's choosing, which is why the campaign works well against abandoned websites whose owners no longer notice the change. The hackers could subsequently use the redirections for phishing campaigns, malware distribution, and malvertising attacks that sidestep the security controls visitors rely on.
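A defender's check for the two traits just described, added here as an example that is not part of the original report: it parses a page's HTML and flags script tags loaded from hosts outside an allowlist, as well as inline scripts that rewrite the browser location. The trusted hosts, the redirect marker list, and the sample page are constructed for this example.

```python
# Added example (not from the article): scan a WordPress page's HTML for
# externally sourced scripts and inline redirect logic. Hosts and the sample
# page below are constructed for the example, not real indicators.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption for the example).
TRUSTED_HOSTS = {"example-shop.test", "cdn.example-shop.test"}
# Substrings that indicate an inline script is redirecting the visitor.
REDIRECT_MARKERS = ("window.location", "document.location", "top.location",
                    "location.replace(", "location.href")


class ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and the bodies of inline <script> tags."""
    def __init__(self):
        super().__init__()
        self.external = []      # src attribute values
        self.inline = []        # inline script text
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False


def find_injected_scripts(html, trusted_hosts=TRUSTED_HOSTS):
    """Return (kind, detail) findings: foreign script hosts and inline redirects."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname   # None for same-origin relative paths
        if host and host not in trusted_hosts:
            findings.append(("foreign-script", host))
    for body in parser.inline:
        if any(marker in body for marker in REDIRECT_MARKERS):
            findings.append(("inline-redirect", body.strip()[:60]))
    return findings


# Constructed sample page: one legitimate CDN script, one injected remote
# script, one injected inline redirect keyed on the referrer, one local script.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-shop.test/theme.js"></script>
<script src="//stats.constructed-c2.test/r.js"></script>
</head><body>
<script>if(document.referrer.indexOf("google")!=-1){window.location="https://constructed-landing.test/";}</script>
<script src="/wp-includes/js/jquery.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in find_injected_scripts(SAMPLE_PAGE):
        print(kind, detail)
```

Running the script over a crawl of a site's rendered pages, with the allowlist set to the site's real script hosts, turns the two findings above into a quick triage list.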

The researcher who identified the attack stated that he had observed several updated versions of the Linux payload circulating in the wild. The newly discovered add-ons targeted by the new variants indicate that the backdoor is still under active development.

Furthermore, the new variants contain inactive (not yet enabled) functionality for brute-forcing site administrator accounts.

Cybersecurity experts explained that WordPress website administrators should update their sites to the latest versions to defend against these threats. Administrators should also audit the plugins running on their sites, since the threat actors are exploiting outdated, vulnerable ones.
