Threat Watch

Compromised WordPress Sites Used to Host Adwind and Other Malware

Researchers at Zscaler have identified an Adwind campaign that is currently distributed over compromised WordPress sites. Binary Defense threat researchers have detected compromised WordPress sites used as part of the infection chain to distribute multiple malware families including Emotet, Qakbot, Trickbot and others. Compromised sites used as web hosting for malware have become prolific in recent days. Threat actors prefer using long-established websites that do not have a negative reputation or appear on any blacklists to distribute malware because those sites are not likely to be blocked by corporate security filters. It is much harder for security teams to detect malicious network traffic when it comes from websites that are known and trusted. Once the compromised site becomes known for hosting malware and is blocked by security products, the attackers simply move on to the next compromised site. Because there are over 60 million WordPress sites and many vulnerable plug-ins, WordPress makes an attractive target for attackers.

ANALYST NOTES

WordPress site owners should follow these best practices to avoid a site compromise:

Update third-party plugins and themes:
Typically, site compromises occur when cybercriminals find an out-of-date plugin on their target site that has an exploit available which can be leveraged to compromise the site. The best way to avoid this method is to ensure that all plugins are kept up-to-date. WordPress makes this easy on the Updates tab of WordPress’ dashboard.

Some recent vulnerable plugins:

• Duplicator – Current Version: 1.3.30, Vulnerable version: 1.3.28 – Allowed hackers to export site contents.
• Profile Builder – Current Version: 3.1.6, Vulnerable Version: <= 3.1.0 – Allowed for total site takeover.

Vulnerable theme:

• OneTone Theme – Currently vulnerable to a Cross-Site Scripting attack that leads to total site takeover. Theme has not been updated since 2018 and no patch is expected, but attacks against sites using this theme are ongoing.

Some developers may not issue patches immediately for bugs found in WordPress plugins and themes (such as the OneTone bug), so it's recommended to be aware of recent vulnerabilities and disable vulnerable plugins or themes if no patch is available. https://www.exploit-db.com/ provides a large list of recent exploits with helpful explanations that can be useful when deciding if a plugin needs to be disabled until a patch is issued.
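The update-or-disable decision above can be scripted against a plugin and theme inventory. The following is an example added to this article, not Binary Defense or Zscaler code: the version numbers in ADVISORIES are the ones stated above, while the installed inventory, the component slugs and the akismet entry are constructed for illustration.

```python
"""Compare installed WordPress plugin/theme versions against a small advisory
list and recommend an action. Example added to this article (not Binary Defense
or Zscaler code). Version numbers in ADVISORIES are those stated in the article;
the installed inventory and slugs are constructed."""


def parse_version(v):
    """'1.3.28' -> (1, 3, 28) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


# Versions as given in the article. vulnerable_max=None means every version is
# affected; fixed_in=None means no patched release exists.
ADVISORIES = {
    "duplicator":      {"type": "plugin", "vulnerable_max": "1.3.28", "fixed_in": "1.3.30"},
    "profile-builder": {"type": "plugin", "vulnerable_max": "3.1.0",  "fixed_in": "3.1.6"},
    "onetone":         {"type": "theme",  "vulnerable_max": None,     "fixed_in": None},
}

# Constructed inventory, the sort of list `wp plugin list` / `wp theme list` would give.
INVENTORY = {
    "akismet": "4.1.4",          # not in the advisory list: no finding
    "duplicator": "1.3.28",      # exactly the vulnerable version named above
    "profile-builder": "3.0.9",  # below 3.1.0, so within the affected range
    "onetone": "1.0.0",          # constructed version; every version is affected
}


def is_affected(installed, advisory):
    """True when the installed version falls inside the advisory's affected range."""
    if advisory["vulnerable_max"] is None:
        return True
    return parse_version(installed) <= parse_version(advisory["vulnerable_max"])


def assess(inventory, advisories):
    """Return (slug, installed_version, recommended_action) for each affected component.

    Action follows the article's advice: update when a patched release exists,
    otherwise disable the component until one does."""
    results = []
    for slug in sorted(inventory):
        advisory = advisories.get(slug)
        if advisory is None or not is_affected(inventory[slug], advisory):
            continue
        if advisory["fixed_in"]:
            action = f"update to {advisory['fixed_in']}"
        else:
            action = "disable: no patch available"
        results.append((slug, inventory[slug], action))
    return results


if __name__ == "__main__":
    for slug, version, action in assess(INVENTORY, ADVISORIES):
        print(f"{slug} {version}: {action}")
```

The comparison is on dotted numeric versions only; suffixes such as "-beta" would need stripping before parse_version is called.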

Regularly check server logs:
It is important to monitor the logs on the WordPress server and search for patterns of unusual access that indicate a SQL injection attack or the presence of a web shell (a rogue PHP file that allows attackers to completely control the server). Any new and unexpected PHP files that are added to the server, especially any that arrive with uploaded plug-ins, should be investigated to determine if they are a threat.
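As an added example of the two checks described above (this is not code from the article, Binary Defense or Zscaler), the script below parses Apache combined-format access log lines, flags URL-decoded SQL-injection fragments and requests to PHP files under the uploads directory, and lists PHP files that are missing from a known-good baseline. The log lines, IP addresses (TEST-NET ranges) and file inventories are constructed; the regular expressions are common indicator patterns, not a complete rule set.

```python
"""Scan web-server access logs for SQL-injection probing and web-shell-style
requests, and list PHP files that are not in a known-good inventory. Example
added to this article (not Binary Defense or Zscaler code); the log lines,
IP addresses and file lists below are constructed."""
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Apache "combined" format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Common SQL-injection fragments, matched after URL decoding so encoded payloads are caught.
SQLI_RE = re.compile(
    r"(?i)(\bunion\b\s+(all\s+)?select\b|\bor\b\s+\d+\s*=\s*\d+|\bsleep\s*\(|information_schema)"
)

# Constructed sample. Line 2 is an encoded UNION probe against admin-ajax.php;
# lines 3-4 are POSTs to a PHP file in the uploads directory, which should never
# execute PHP and is a typical sign of a dropped web shell.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2020:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2020:12:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=lookup&id=1%27%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2020:12:01:10 +0000] "POST /wp-content/uploads/2020/03/cache.php HTTP/1.1" 200 88 "-" "python-requests/2.22"
198.51.100.7 - - [10/Mar/2020:12:01:12 +0000] "POST /wp-content/uploads/2020/03/cache.php HTTP/1.1" 200 4021 "-" "python-requests/2.22"
203.0.113.44 - - [10/Mar/2020:12:02:00 +0000] "GET /wp-content/themes/onetone/style.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into fields; returns None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path)
    # Decoded path plus query, so %27/%20-encoded payloads are visible to the rules.
    rec["decoded"] = rec["path"] + "?" + unquote_plus(parts.query)
    return rec


def scan_log(text):
    """Return one finding dict per rule hit, in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if SQLI_RE.search(rec["decoded"]):
            findings.append({"rule": "sqli", "ip": rec["ip"], "path": rec["path"]})
        if rec["path"].startswith("/wp-content/uploads/") and rec["path"].endswith(".php"):
            findings.append({"rule": "php_in_uploads", "ip": rec["ip"], "path": rec["path"]})
    return findings


# Constructed file inventories: a known-good baseline recorded after a clean
# install, and what a later walk of the document root found.
BASELINE_FILES = [
    "wp-admin/admin-ajax.php",
    "wp-content/plugins/akismet/akismet.php",
    "wp-content/themes/onetone/functions.php",
]
FOUND_FILES = BASELINE_FILES + [
    "wp-content/plugins/akismet/.cache.php",  # hidden PHP file dropped next to a plugin
    "wp-content/uploads/2020/03/cache.php",   # PHP in uploads, matches the log hits above
    "wp-content/uploads/2020/03/photo.jpg",   # not PHP, ignored
]


def unexpected_php_files(found, baseline):
    """PHP files present now that were not in the baseline; each one warrants a look."""
    known = set(baseline)
    return sorted(p for p in found if p.endswith(".php") and p not in known)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['ip']} {f['path']}")
    for path in unexpected_php_files(FOUND_FILES, BASELINE_FILES):
        print(f"[new php file] {path}")
```

On a live server the baseline would come from a file listing taken right after installation or after each legitimate update; anything the diff reports, and any path the log scanner and the file check both point at, should be examined before it is cleaned up.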

For more information, please refer to the following articles:
https://www.zscaler.com/blogs/research/compromised-wordpress-sites-used-distribute-adwind-rat
https://www.zdnet.com/article/hackers-are-actively-exploiting-zero-days-in-several-wordpress-plugins/
https://www.zdnet.com/article/hackers-are-creating-backdoor-accounts-and-cookie-files-on-wordpress-sites-running-onetone/
https://www.techradar.com/news/hackers-target-wordpress-sites-running-onetone-theme