
Threat actors are using the mu-plugins directory of WordPress sites to hide malicious code, with the aim of maintaining persistent remote access and redirecting site visitors to bogus sites.
mu-plugins, short for must-use plugins, are plugins placed in a special directory (wp-content/mu-plugins) that WordPress loads automatically, without them having to be enabled through the admin dashboard. Because nothing in the directory needs activation, it is an ideal place to stage malware.
“This approach represents a concerning trend, as mu-plugins (must-use plugins) are not listed in the standard WordPress plugin interface, making them easier for users to overlook during routine security checks.”

In an incident analyzed by a website security company, three different types of rogue PHP code were found in the directory:
- wp-content/mu-plugins/redirect.php redirects site visitors to an external malicious website. It masquerades as a web browser update to trick victims into installing malware that can steal data or drop additional payloads.
- wp-content/mu-plugins/index.php, a second rogue file in the same directory.
- A third file injects unwanted spam into the infected site, most likely to promote scams or manipulate SEO rankings, by replacing every image on the site with explicit content and hijacking outbound links so that they point to malicious sites.
“The script contains a function that identifies whether the current visitor is a bot,” Srivastava explained. “This lets the script exclude search engine crawlers and prevents them from detecting the redirection behavior.”
The findings coincide with the continued use of infected WordPress sites as staging grounds for a tactic known as ClickFix, in which visitors are tricked into running malicious PowerShell commands on their Windows machines under the guise of a Google reCAPTCHA or Cloudflare CAPTCHA verification, ultimately delivering the Lumma Stealer malware.

Hacked WordPress sites have also been used to deploy malicious JavaScript that redirects visitors to unwanted third-party domains or acts as a skimmer, stealing financial information entered on checkout pages.
It is currently not known how the site was compromised, but the usual suspects are vulnerable plugins or themes, compromised administrator credentials, and server misconfigurations.

According to a new report from Patchstack, threat actors have been exploiting four security vulnerabilities on a daily basis since the start of the year:
- CVE-2024-27956 (CVSS score: 9.9): unauthenticated arbitrary SQL execution in the WordPress Automatic Plugin – AI content generator & auto poster plugin
- CVE-2024-25600 (CVSS score: 10.0): unauthenticated remote code execution in the Bricks theme
- Unauthenticated PHP object injection leading to remote code execution in the GiveWP plugin
- CVE-2024-4345 (CVSS score: 10.0): unauthenticated arbitrary file upload in the Startklar Elementor Addons plugin
To mitigate the risks posed by these threats, WordPress site owners should keep plugins and themes up to date, routinely audit their code for the presence of malware (including the contents of wp-content/mu-plugins, which the plugin screen does not show), enforce strong passwords, and deploy a web application firewall to block malicious requests and prevent code injection.
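As an added example, not code from the incident write-up or from any vendor tooling, the following POSIX shell script audits wp-content/mu-plugins the way the text recommends. Because WordPress loads every PHP file in that directory without activation, any file not on a known-good list is suspect on its own, and the script additionally greps each file for the constructs the rogue files above rely on: obfuscation wrappers, remote code fetching, header()-based redirects, and user-agent checks that single out search engine crawlers. The allowlist, the regex, the sample file contents and the paths are assumptions for illustration, not indicators taken from the report.

```shell
#!/bin/sh
# Added example, not code from the write-up above: audit wp-content/mu-plugins
# for files that WordPress would silently load. Assumes a stock WordPress layout
# and that you know which mu-plugins you installed yourself. The allowlist below
# is a hypothetical placeholder; replace it with your own file names.
MU_ALLOWLIST="${MU_ALLOWLIST:-health-check-disable.php}"

# Constructs a legitimate mu-plugin rarely needs: obfuscation wrappers, fetching
# remote code, header-based redirects, and user-agent cloaking that singles out
# search engine crawlers, which is the trick the redirect.php above uses.
SUSPICIOUS_RE='eval *\(|base64_decode|gzinflate|str_rot13|file_get_contents *\( *.https?:|curl_exec|header *\( *.Location:|wp_redirect|googlebot|bingbot'

# audit_mu_plugins DIR
# Prints "<file><TAB><reasons>" for every PHP file that is either not on the
# allowlist or matches SUSPICIOUS_RE. Returns 1 if anything was flagged, else 0.
audit_mu_plugins() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no mu-plugins directory at $dir, nothing to audit" >&2
        return 0
    fi
    findings=$(
        find "$dir" -type f -name '*.php' | LC_ALL=C sort | while IFS= read -r f; do
            base=$(basename "$f")
            reasons=""
            case " $MU_ALLOWLIST " in
                *" $base "*) ;;                     # known file: skip the name check
                *) reasons="not-in-allowlist" ;;
            esac
            if grep -Eiq "$SUSPICIOUS_RE" "$f"; then
                # list the distinct tokens that matched, lower-cased and sorted
                matched=$(grep -Eio "$SUSPICIOUS_RE" "$f" | tr 'A-Z' 'a-z' | LC_ALL=C sort -u | paste -s -d , -)
                reasons="${reasons:+$reasons,}suspicious:$matched"
            fi
            if [ -n "$reasons" ]; then
                printf '%s\t%s\n' "$f" "$reasons"
            fi
        done
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Demo on a constructed sample directory with synthetic files, not real malware,
# so the script runs offline. On a live host, call it on the real directory:
#   audit_mu_plugins /var/www/html/wp-content/mu-plugins
sample=$(mktemp -d)
printf '<?php\n// approved helper, installed by the site owner\n' > "$sample/health-check-disable.php"
printf '<?php\nif (!preg_match("/googlebot|bingbot/i", $_SERVER["HTTP_USER_AGENT"])) {\n  header("Location: https://example.invalid/browser-update");\n}\n' > "$sample/redirect.php"
printf '<?php\neval(base64_decode($_POST["p"]));\n' > "$sample/index.php"
if audit_mu_plugins "$sample"; then
    echo "mu-plugins clean"
else
    echo "rogue mu-plugins found in $sample, see the lines above"
fi
rm -rf "$sample"
```

Run it from cron or a deploy hook and treat a non-zero exit as an alert; a file that is merely "not-in-allowlist" may be something a colleague added, but anything tagged suspicious with googlebot or bingbot in the match list deserves a look, because the same cloaking that hides the redirect from crawlers also hides it from an administrator who checks the site with a scanner's user agent. The regex is deliberately broad and will flag some legitimate code, so tune it to what your own mu-plugins actually contain.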