A malicious Linux application that attacks WordPress CMS-based Websites has been found by Dr Web. It takes advantage of 30 flaws in a variety of platform plugins & themes.
The reports says targeted Webpages are injected with malicious JavaScripts if Sites employ out-of-date versions of these add-ons that are missing essential updates. As a result, users who click anywhere on an attacked page are taken to other Websites.
Dubbed Linux.BackDoor.WordPressExploit.1 in accordance with Dr.Web anti-virus classification, this malware targets 32-bit versions of Linux, but it can also run on 64-bit versions.
Linux.BackDoor.WordPressExploit.1 is a backdoor that is remotely controlled by malicious actors. Upon their command, it is able to perform the following actions:
- Attack a specified Webpage (Website);
- Switch to standby mode;
- Shut itself down;
- Pause logging its actions.
The main functionality of the trojan is to hack Websites based on a WordPress CMS (Content Management System) and inject a malicious script into their Webpages. To do so, it uses known vulnerabilities in WordPress plugins & Website themes. Before attacking, the trojan contacts its C&C server and receives the address of the site it is to infect. Next, Linux.BackDoor.WordPressExploit.1 successively tries exploiting vulnerabilities in the following outdated plugins and themes that can be installed on a Website:
- WP Live Chat Support Plugin
- WordPress – Yuzo Related Posts
- Yellow Pencil Visual Theme Customizer Plugin
- Easysmtp
- WP GDPR Compliance Plugin
- Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
- Thim Core
- Google Code Inserter
- Total Donations Plugin
- Post Custom Templates Lite
- WP Quick Booking Manager
- Faceboor Live Chat by Zotabox
- Blog Designer WordPress Plugin
- WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
- WP-Matomo Integration (WP-Piwik)
- WordPress ND Shortcodes For Visual Composer
- WP Live Chat
- Coming Soon Page and Maintenance Mode
- Hybrid
