SINGAPORE: Researchers have discovered malware that is able to hijack WordPress websites. The malware posed as a legitimate caching plugin for WordPress sites while in fact allowing malicious actors to create an administrator account that could control activity on those websites.
The malware that recently targeted WordPress sites had several functions allowing it to manage plugins. It also hid itself from the list of active plugins on affected sites, redirected users to malicious locations and replaced content. “Taken together, these features provide attackers with everything they need to remotely control and monetize a victim site, at the expense of the site’s own SEO rankings and user privacy,” the researchers say.
An Oct 11 report characterized the malware as a backdoor, meaning it bypassed the normal authentication procedures used to access a system. It gave the malware’s creator the ability to issue commands remotely and to update the malware.
WordPress is popular open-source software that lets users build their own sites, blogs, galleries and other content. The analysts found that the malware came “with a professional-looking opening comment” presenting it as a caching tool, the kind site owners use to reduce server load and speed up page loads.
The new malware was detected in July by analysts at Defiant, the company that created the Wordfence security plugin for WordPress, wrote Bill Toulas on bleepingcomputer.com on Oct 11.
Toulas wrote that the malware creator’s choice to pose as a caching tool “appears deliberate”, because it allows the malware to escape notice during manual inspections. Furthermore, the malware also excludes itself from the list of “active plugins”, again so as to go unnoticed.
He also listed the malware’s capabilities. First, a function creates a user named ‘superadmin’ with admin-level permissions, and a second function lets the malware remove that user and any trace of the infection.
Second, the malware included bot detection. “When visitors were identified as bots (e.g. search engine crawlers), the malware would serve them different content, such as spam, causing them to index the compromised site for malicious content. As such, admins could see a sudden increase in traffic or reports from users complaining about being redirected to malicious locations,” Toulas explains.
Third, it could replace content by altering posts and inserting spam links or buttons, while the admins of affected websites were served the original content, again to avoid detection.
Finally, the malware’s operators could remotely activate or deactivate arbitrary WordPress plugins on affected sites while hiding their tracks, and the malware checked for specific user-agent strings that let attackers trigger its malicious functions remotely.
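An added defender-side check, not from the article and not Wordfence’s code, that audits a site for the two artefacts described above: it parses the raw `active_plugins` value as stored in `wp_options` (PHP-serialized) so that a plugin hidden only from the dashboard’s active list still shows up, and it flags administrator accounts outside an allowlist, such as a ‘superadmin’ user. The plugin directory name and user list are constructed samples, and the check assumes the backdoor is still recorded in the stored option, which the article does not state.

```python
import re

# Constructed sample of the raw wp_options "active_plugins" value (PHP-serialized).
# The second entry is a placeholder name for a fake caching plugin; the real
# malware's directory name is not given in the article.
SAMPLE_ACTIVE_PLUGINS = (
    'a:2:{i:0;s:19:"akismet/akismet.php";'
    'i:1;s:35:"wp-cache-helper/wp-cache-helper.php";}'
)
# Constructed sample of (user_login, role) rows, as read from wp_users/wp_usermeta.
SAMPLE_USERS = [("alice", "administrator"), ("superadmin", "administrator"), ("bob", "editor")]


def parse_php_string_array(blob: str) -> list[str]:
    """Parse a PHP-serialized list of strings, e.g. a:1:{i:0;s:5:"x.php";}.
    PHP lengths are byte counts; this is exact for ASCII plugin paths."""
    head = re.match(r"a:(\d+):\{", blob)
    if not head:
        raise ValueError("not a serialized PHP array")
    pos, items = head.end(), []
    for _ in range(int(head.group(1))):
        entry = re.match(r'i:\d+;s:(\d+):"', blob[pos:])
        if not entry:
            raise ValueError(f"unexpected token at offset {pos}")
        start = pos + entry.end()
        end = start + int(entry.group(1))
        items.append(blob[start:end])
        if blob[end:end + 2] != '";':
            raise ValueError(f"bad string terminator at offset {end}")
        pos = end + 2
    return items


def audit_site(active_plugins_blob, users, expected_plugins, expected_admins):
    """Return findings: active plugins and administrator accounts not on the allowlists."""
    findings = []
    for plugin in parse_php_string_array(active_plugins_blob):
        if plugin not in expected_plugins:
            findings.append(f"unexpected active plugin in wp_options: {plugin}")
    for login, role in users:
        if role == "administrator" and login not in expected_admins:
            findings.append(f"unexpected administrator account: {login}")
    return findings


if __name__ == "__main__":
    for line in audit_site(SAMPLE_ACTIVE_PLUGINS, SAMPLE_USERS,
                           {"akismet/akismet.php"}, {"alice"}):
        print(line)
```

On a live site the blob comes from `SELECT option_value FROM wp_options WHERE option_name='active_plugins'`, read directly from the database rather than through WordPress, so no plugin code can filter the result.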
Exactly how many WordPress sites were compromised by the malware is unknown. However, Toulas adds, “Defiant has released a detection signature for its users of the free version of Wordfence and added a firewall rule to protect Premium, Care, and Response users from the backdoor. Hence, website owners should use strong and unique credentials for admin accounts, keep their plugins up to date, and remove unused add-ons and users.” /TISG