A massive attack on the supply chain affected 93 WordPress themes and plugins that were embedded with backdoors that gave attackers full access to sites.
JetPack Experts reportedthat the attack began back in September 2021: 40 WordPress themes and 53 plugins hosted on the developer’s website (AccessPress Themes, a Nepalese company) were infected with malware. It is emphasized that backdoors were introduced into the code after the themes and plugins were released by the developer.
“The infected extensions contained a web shell dropper that gave attackers full access to the infected sites,” the researchers write. “The same extensions were safe if downloaded and installed directly from the WordPress.org directory.”
According to JetPack, the corrupted software contained an itial.php script that was added to the main directory and then included in the main functions.php file. Initial.php acted as a dropper and used base64 to mask the code. It was loading the payload from wp-theme-connect[.]com and used it to install the backdoor as wp-includes/vars.php. After installation, the dropper self-destructed, trying to hide the traces of the attack.
Sucuri experts, too who have studied this incident, they report that although the attack on AccessPress lasted for several months, some of the sites infected with the backdoor contained almost three years old spam. That is, attackers have long been selling access to hacked sites to other criminal groups.
According to experts, the attackers used their backdoors to simply redirect visitors to infected sites to fraudulent resources and resources with malware. That is, this campaign was not too sophisticated.
On January 17, 2022, AccessPress developers introduced new, “clean” versions of all their products.