Threat Watch

Recently Discovered Linux Malware Packs 30 Plugin Exploits for WordPress

Researchers at Dr. Web have discovered Linux malware in the wild that targets 32- and 64-bit Linux systems and uses them to exploit vulnerable WordPress sites. The malware works through a long list of plugins, checking each for a vulnerable version number. When a vulnerable plugin is found, the malware contacts the threat actor’s command-and-control (C2) server and retrieves malicious JavaScript to inject into the site. The injected JavaScript redirects visitors to a location of the threat actor’s choice.

The threat actor appears to be actively developing the malware, as newer samples contain exploit code for an increasing number of WordPress plugins. The currently known targeted plugins are as follows:

  • WP Live Chat Support Plugin
  • WordPress – Yuzo Related Posts
  • Yellow Pencil Visual Theme Customizer Plugin
  • Easysmtp
  • WP GDPR Compliance Plugin
  • Newspaper Theme on WordPress Access Control (CVE-2016-10972)
  • Thim Core
  • Google Code Inserter
  • Total Donations Plugin
  • Post Custom Templates Lite
  • WP Quick Booking Manager
  • Facebook Live Chat by Zotabox
  • Blog Designer WordPress Plugin
  • WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
  • WP-Matomo Integration (WP-Piwik)
  • WordPress ND Shortcodes For Visual Composer
  • WP Live Chat
  • Coming Soon Page and Maintenance Mode
  • Hybrid
  • Brizy WordPress Plugin
  • FV Flowplayer Video Player
  • WooCommerce
  • WordPress Coming Soon Page
  • WordPress theme OneTone
  • Simple Fields WordPress Plugin
  • WordPress Delucks SEO plugin
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • WPeMatico RSS Feed Fetcher
  • Rich Reviews plugin

ANALYST NOTES

WordPress is a very common website platform because it is free and easy to use, but that popularity also makes it a desirable target for threat actors. Keeping a WordPress site up to date is crucial. Fortunately, WordPress has an automatic update feature, which Binary Defense strongly recommends that users enable. Because many plugins are community created and distributed, critical updates can be slow to arrive, if they arrive at all. It is generally recommended to use as few unofficial plugins as possible and to check installed plugins frequently for updates.
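
The malware's plugin check and the recommendation above to audit plugins both start from the same question: which plugins are installed, and at which version. As an added example (not code from Dr. Web's or Binary Defense's write-ups), this Python script reads the header WordPress itself uses (`Plugin Name:` and `Version:` in the plugin's main PHP file) from a `wp-content/plugins` tree and flags any plugin whose name appears on the list above; the vulnerable version ranges are not given on this page, so it reports presence and version for follow-up rather than judging exploitability. The sample plugin tree, names in `WATCH_LIST` subset and versions are constructed for the demo.

```python
import os
import re
import tempfile

# Names taken from the plugin list in the bulletin above (a subset).
WATCH_LIST = ("WP Live Chat Support", "WP GDPR Compliance", "Total Donations",
              "Rich Reviews", "Brizy", "WooCommerce")
# WordPress reads plugin metadata from a PHP comment header in the plugin's
# main file, e.g. " * Plugin Name: Foo" and " * Version: 1.2.3".
HEADER_RE = re.compile(r"^[\s/*]*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def read_plugin_header(php_path):
    """Parse the header fields WordPress itself reads (first 8 KB of the file)."""
    with open(php_path, encoding="utf-8", errors="replace") as fh:
        return dict(HEADER_RE.findall(fh.read(8192)))


def inventory_plugins(plugins_dir):
    """Return {slug: {'Plugin Name': ..., 'Version': ...}} for each plugin dir."""
    found = {}
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_dir):
            continue
        for name in sorted(os.listdir(plugin_dir)):
            if name.endswith(".php"):
                hdr = read_plugin_header(os.path.join(plugin_dir, name))
                if "Plugin Name" in hdr:  # only the main file carries the header
                    found[slug] = hdr
                    break
    return found


def flag_watch_listed(inventory):
    """(slug, name, version) for installed plugins whose name is on the watch list."""
    return [(slug, h["Plugin Name"], h.get("Version", "unknown"))
            for slug, h in inventory.items()
            if any(w.lower() in h["Plugin Name"].lower() for w in WATCH_LIST)]


def make_sample_site():
    """Constructed sample wp-content/plugins tree for the demo (not real plugins)."""
    root = tempfile.mkdtemp()
    for slug, name, ver in (("wp-gdpr-compliance", "WP GDPR Compliance", "1.4.2"),
                            ("hello-dolly", "Hello Dolly", "1.7.2")):
        os.mkdir(os.path.join(root, slug))
        with open(os.path.join(root, slug, slug + ".php"), "w") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: {name}\nVersion: {ver}\n*/\n")
    return root
```

On a real host, point `inventory_plugins` at the site's `wp-content/plugins` directory instead of `make_sample_site()` and compare each flagged version against the plugin's current release.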

https://www.bleepingcomputer.com/news/security/new-linux-malware-uses-30-plugin-exploits-to-backdoor-wordpress-sites/