
The malware is designed to target 32-bit versions of Linux, but can also run on 64-bit versions.

A new Linux malware strain is making the rounds on WordPress-based websites, seeking to exploit 30 known vulnerabilities in several outdated WordPress plugins and themes. Dubbed Linux.BackDoor.WordPressExploit.1, the malware injects malicious JavaScript into target websites.
Once again, the importance of timely updates has become evident. According to Dr. Web, which discovered Linux.BackDoor.WordPressExploit.1, the trojanized malware attempts to hack into websites through 30 outdated and vulnerable plugins or themes, including WooCommerce, WP Live Chat Support Plugin, Google Code Inserter, and more (listed below).
Once the remote-controlled trojan confirms a website uses any vulnerable plugin, it acts as a backdoor to push malicious JavaScript it fetches from its command and control (C2) server into the website.
“If one or more vulnerabilities are successfully exploited, the targeted page is injected with a malicious JavaScript that is downloaded from a remote server. With that, the injection is done in such a way that when the infected page is loaded, this JavaScript will be initiated first — regardless of the original contents of the page,” Dr. Web noted.
When a user lands on an infected website and clicks anywhere on it, they are redirected to a website of the attackers’ choice, where they may be served malvertising, prompted to download malware, or targeted by phishing.
Linux.BackDoor.WordPressExploit.1 has additional features, including switching to standby mode, shutting itself down, and pausing the logging of its actions. The malware is designed to target 32-bit versions of Linux but can also run on 64-bit versions.
In addition to Linux.BackDoor.WordPressExploit.1, Dr. Web also stumbled upon a variant of the same backdoor. Linux.BackDoor.WordPressExploit.2 differs in that it has a different C2 server address, downloads the malicious JavaScript from a different domain, and targets 11 additional plugins.
Plugins and Themes Targeted by Both Linux.BackDoor.WordPressExploit.1 and 2
Brizy WordPress Plugin
WordPress – Yuzo Related Posts
WooCommerce
Easysmtp
WordPress theme OneTone
Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
WordPress Delucks SEO plugin
Google Code Inserter
Social Metrics Tracker
Post Custom Templates Lite
Rich Reviews plugin
“Both trojan variants have been found to contain unimplemented functionality for hacking the administrator accounts of targeted websites through a brute-force attack — by applying known logins and passwords, using special vocabularies. It is possible that this functionality was present in earlier modifications, or, conversely, that attackers plan to use it for future versions of this malware,” Dr. Web added.
The obvious mitigation is to update WordPress, plugins, themes and all relevant components. Dr. Web also recommends setting strong and unique logins and passwords.
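One way to check a served page for the behaviour Dr. Web describes, where the injected JavaScript runs before the page's original content. This is an added example, not code from Dr. Web or from this article; it assumes the injected code shows up as the first script element in the HTML, and the hosts, allowlist and sample pages are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class FirstScript(HTMLParser):
    """Records only the first <script> element in document order."""
    def __init__(self):
        super().__init__()
        self.src, self.body, self.state = None, "", "before"  # before -> inside -> done

    def handle_starttag(self, tag, attrs):
        if tag == "script" and self.state == "before":
            self.src, self.state = dict(attrs).get("src"), "inside"

    def handle_data(self, data):
        if self.state == "inside":
            self.body += data  # inline text of the first script only

    def handle_endtag(self, tag):
        if tag == "script" and self.state == "inside":
            self.state = "done"

def check_first_script(html, page_host, allowed_hosts, known_inline_sha256):
    """Return (verdict, detail) for the first script of one served page."""
    p = FirstScript()
    p.feed(html)
    p.close()
    if p.state == "before":
        return ("ok", "no script elements")
    if p.src:
        # Relative URLs have no hostname: they load from the page's own host.
        host = urlparse(p.src).hostname or page_host
        ok = host in allowed_hosts
        return ("ok" if ok else "suspicious", "first script host: " + host)
    # Inline first script: compare its hash with hashes recorded from a known-good copy.
    digest = hashlib.sha256(p.body.strip().encode()).hexdigest()
    ok = digest in known_inline_sha256
    return ("ok" if ok else "suspicious", "inline first script sha256: " + digest)

# Constructed sample pages (not taken from the report); hosts are placeholders.
BASELINE = '<head><script src="/wp-includes/js/jquery/jquery.min.js"></script></head>'
CHANGED = '<head><script src="https://unlisted.example/a.js"></script>' + BASELINE[6:]
INLINE = "<head><script>var first = 1;</script>" + BASELINE[6:]
ALLOWED = {"blog.example", "cdn.example"}

if __name__ == "__main__":
    for name, page in (("baseline", BASELINE), ("changed", CHANGED), ("inline", INLINE)):
        print(name, check_first_script(page, "blog.example", ALLOWED, set()))
```

A "suspicious" verdict only means the first script differs from the site's recorded baseline, so a legitimate theme or plugin change will also trigger it until the allowlist is updated.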

Asst. Editor, Spiceworks Ziff Davis
