A new WordPress backdoor creates a rogue administrator to hijack sites

October 12, 2023

The new malware masquerades as a legitimate caching plugin for WordPress sites, allowing malicious actors to create an administrator account and monitor site activity.

The malware is a backdoor with several features that allow it to manipulate plugins and hide from active plugins on compromised websites, modify content, or redirect certain users to malicious locations.

Fake plugin details

Analysts at Defiant, the developers of the Wordfence security plugin for WordPress, discovered the new malware during a website cleanup in July.

After taking a closer look at the backdoor, researchers realized that it often comes with a “professional-looking opening comment” to disguise itself as a caching tool that helps reduce server load and improve page load times.

The decision to mimic such a tool appears to be deliberate, ensuring that it goes unnoticed during manual inspections. Additionally, the malicious plugin is configured to exclude itself from the “active plugins” list to evade scrutiny.

The malware has the following capabilities:

  • Create user – one function creates a user named “superadmin” with a hard-coded password and administrative rights, while a second function can delete that user to erase any trace of infection.
Creating a fake administrator on the site (Wordfence)
  • Bot detection – If visitors are identified as bots (for example, search engine crawlers), the malware serves them different content, such as spam, causing the compromised site to be indexed for malicious content. Administrators may therefore notice a sudden increase in traffic, or receive reports from users complaining about being redirected to malicious sites.
  • Changing content – The malware can modify post and page content and add spam links or buttons. Website administrators are shown the unmodified content, delaying discovery of the compromise.
  • Plugin control – The malware operators can remotely enable or disable arbitrary WordPress plugins on a compromised site. It also removes traces of this activity from the site’s database so that it remains hidden.
Manage plugin activation/deactivation (Wordfence)
  • Remote invocation – The backdoor inspects requests for specific user-agent strings, allowing attackers to remotely trigger its various malicious functions.

“Taken together, these features provide attackers with everything they need to remotely control and monetize a victim site through the site’s own SEO ranking and user privacy,” the researchers wrote in a report.
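As an added example that is not part of the article or of Wordfence’s own signature, the following Python script turns the traits described above (filtering the active_plugins option to hide, creating a hard-coded “superadmin” administrator, user-agent triggers, remote plugin toggling) into static heuristics run over plugin source files. The indicator names, the sample plugin fragments and the directory layout are assumptions for illustration.

```python
import re
from pathlib import Path

# Constructed heuristics for the behaviours described in the article (not Wordfence's signature).
INDICATORS = {
    # filtering the active_plugins option is how a plugin drops itself from the list
    "hides_from_active_plugins": re.compile(
        r"add_filter\s*\(\s*['\"](pre_)?option_active_plugins['\"]"),
    # user creation followed within a short window by the administrator role
    "creates_admin_user": re.compile(
        r"(wp_insert_user|wp_create_user)[\s\S]{0,400}?['\"]administrator['\"]"
        r"|set_role\s*\(\s*['\"]administrator['\"]"),
    "hardcoded_superadmin": re.compile(r"['\"]superadmin['\"]"),
    # legitimate caching plugins also inspect the user agent, so this is only a supporting signal
    "user_agent_trigger": re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]"),
    "toggles_plugins": re.compile(r"\b(activate_plugin|deactivate_plugins)\s*\("),
}
STRONG = {"hides_from_active_plugins", "creates_admin_user", "hardcoded_superadmin"}

def scan_source(src: str) -> set[str]:
    """Return the names of all indicators found in one PHP source string."""
    return {name for name, rx in INDICATORS.items() if rx.search(src)}

def verdict(hits: set[str]) -> bool:
    """Flag only when a strong indicator is present; a user-agent check alone is normal."""
    return bool(hits & STRONG)

def scan_plugin_dir(root: Path) -> dict[str, set[str]]:
    """Scan every .php file under a wp-content/plugins directory (assumed layout)."""
    return {str(p.relative_to(root)): h
            for p in root.rglob("*.php") if (h := scan_source(p.read_text(errors="ignore")))}

# Constructed samples: a plausible caching plugin, and a fragment showing the backdoor's traits.
BENIGN = """<?php
/* Plugin Name: Simple Cache */
if (stripos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) { $skip_cache = true; }
"""
SUSPICIOUS = """<?php
/* Plugin Name: Super Cache Pro - Reduces server load and improves page load times */
add_filter('option_active_plugins', 'hide_self');   /* drops itself from the active list */
wp_insert_user(['user_login' => 'superadmin', 'role' => 'administrator', /* ... */]);
if (strpos($_SERVER['HTTP_USER_AGENT'], 'TRIGGER') !== false) { deactivate_plugins(/* ... */); }
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        hits = scan_source(src)
        print(f"{label}: {'FLAG' if verdict(hits) else 'ok'} {sorted(hits)}")
```

Run it against a copy of the plugins directory with `scan_plugin_dir(Path("wp-content/plugins"))`; any file hitting a strong indicator deserves manual review alongside a direct database check of the `active_plugins` option, which bypasses the filter the plugin uses to hide.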

At this time, Defiant has not released any details on the number of websites compromised by the new malware, and its researchers have not yet determined the initial access vector.

Common methods of compromising a website include stealing credentials, brute-forcing passwords, or exploiting a vulnerability in an installed plugin or theme.

Defiant has released a detection signature for free Wordfence users and added a firewall rule to protect Premium, Care and Response users from the backdoor.

Website owners should therefore use strong, unique credentials for administrator accounts, keep their plugins updated, and remove unused plugins and users.

Source: Port Altele
