The researchers write that this malware may be the malicious tool with which the attackers have been using for more than three years to carry out attacks and earn money by reselling traffic – arbitrage.
The malware received an identifier Linux.BackDoor.WordPressExploit.1 and is designed to work on devices running 32-bit OS of the Linux family, however, it can also function in 64-bit systems. Malware is a backdoor that attackers control remotely. At their command, he is able to perform the following actions:
- attack a given web page (site);
- switch to standby mode;
- to finish work;
- stop logging of completed actions.
The main function of this Trojan is to hack sites based on the WordPress CMS and inject a malicious script into their pages. To do this, he uses known vulnerabilities in WordPress plugins, as well as in website themes. Before the Trojan contacts the control server and receives from it the address of the resource that needs to be hacked. It then attempts to exploit vulnerabilities in outdated versions of the following plugins and themes that may be installed on the site:
- WP Live Chat Support Plugin;
- WordPress – Yuzo Related Posts;
- Yellow Pencil Visual Theme Customizer Plugin;
- WP GDPR Compliance Plugin;
- Newspaper Theme on WordPress Access Control (Vulnerability CVE-2016-10972);
- Thim Core;
- Google Code Inserter
- Total Donations Plugin;
- Post Custom Templates Lite;
- WP Quick Booking Manager
- Faceboor Live Chat by Zotabox;
- Blog Designer WordPress Plugin;
- WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232, CVE-2019-17233);
- WP-Matomo Integration (WP-Piwik);
- WordPress ND Shortcodes For Visual Composer;
- WP Live Chat;
- Coming Soon Page and Maintenance Mode;
It is noted that the Trojan program maintains statistics of its work: it tracks the total number of attacked sites, all cases of successful use of exploits, and additionally, the number of successful exploits of vulnerabilities in the WordPress Ultimate FAQ plugin and Facebook messenger* from Zotabox. In addition, the malware informs the remote server about all detected unpatched vulnerabilities.
Along with the current modification of the malware, experts also identified its updated version – Linux.BackDoor.WordPressExploit.2. It differs from the original one by the address of the command and control server, the address of the domain from which the malicious script is loaded, as well as an extended list of exploitable vulnerabilities for the following plugins:
- Brizy WordPress Plugin
- FV Flowplayer Video Player;
- WordPress Coming Soon Page;
- WordPress theme OneTone;
- Simple Fields WordPress Plugin
- WordPress Delucks SEO plugin
- Poll, Survey, Form & Quiz Maker by OpinionStage;
- Social Metrics Tracker;
- WPeMatico RSS Feed Fetcher;
- Rich Review plugin.
At the same time, in both versions of the malware, unimplemented functionality for hacking the accounts of administrators of attacked sites using brute force was revealed. It is assumed that this feature was either present in earlier modifications, or, conversely, is planned by attackers for future versions of the malware. If such an opportunity appears in other versions of the backdoor, cybercriminals will be able to successfully attack even some of those sites that use current versions of plug-ins with closed vulnerabilities.
* Banned in Russia. Owned by Meta Platforms, which is recognized as an extremist organization and its activities are banned in Russia