
Cybersecurity researchers are shedding light on a new campaign that targets WordPress sites and disguises malware as a security plugin.
The plugin, named “WP-Antymalwary-bot.php”, comes with a variety of features to maintain access, hide itself from the admin dashboard, and execute code remotely.
“It also includes ping functionality that allows it to report back to a command-and-control (C&C) server, along with code that helps spread the malware to other directories and inject malicious JavaScript responsible for serving ads,” Wordfence’s Marco Wotschka said in the report.
The malware, first discovered during a site cleanup effort in late January 2025, has since been detected in the wild with a new variant. Some of the other names used for the plugin are listed below –
addons.php
wpconsole.php
wp-performance-booster.php
scr.php
Once installed and activated, it grants the threat actors administrator access to the dashboard and enables remote code execution by injecting malicious PHP code into the site’s theme header files, and it can also clear the caches of popular caching plugins.

Newer iterations of the malware include notable changes to how the code injections are handled, fetching JavaScript hosted on another compromised domain to serve ads or spam.
The plugin is also complemented by a malicious wp-cron.php file that automatically recreates the malware on the next site visit if it is removed from the plugin directory.
It is currently not clear how the sites are compromised to deliver the malware or who is behind the campaign. However, the presence of Russian-language comments and messages suggests that the threat actors are Russian speakers.
The disclosure coincides with details of a web skimmer campaign that uses a fake font domain named italicfonts[.]org to “display fake payment forms on the checkout page, steal the information entered, and exfiltrate the data to the attacker’s server.”
Another “advanced multi-stage carding attack” described by the website security company targets Magento e-commerce portals with JavaScript malware designed to harvest a wide range of sensitive information.
“The malware leveraged fake GIF image files, local browser sessionStorage data, and malicious reverse proxy servers to tamper with website traffic and exfiltrate credit card data, login details, cookies, and other sensitive data from compromised websites.”
The GIF file is in fact a PHP script that acts as a reverse proxy, capturing incoming requests and collecting the needed information when a site visitor lands on a checkout page.
An adversary has also been observed injecting Google AdSense code into at least 17 WordPress sites in various locations, with the goal of delivering unwanted ads and generating revenue on either a per-click or per-impression basis.
“They are trying to use your site’s resources to keep serving ads, and even worse, if you use AdSense yourself, they may be stealing the revenue from your ads,” said security researcher Puja Srivastava. “By injecting their own Google AdSense code, they get paid instead of you.”
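The indicators above (the reported plugin filenames, a wp-cron.php that re-creates the plugin, PHP injected into theme header files, and image files that are really PHP scripts) lend themselves to a simple file-system sweep. The following scanner is an added example written for this article, not code from Wordfence, Sucuri, or the campaign itself: it walks a WordPress tree, flags files whose names the report associates with the campaign, flags `.gif` files that lack GIF magic bytes but contain a PHP open tag, and applies two heuristics that are assumptions rather than findings from the report (an `eval`/`base64_decode`-style pattern in a theme `header.php`, and a `wp-cron.php` located anywhere other than the install root, since core ships exactly one at the root). The sample site it builds is constructed inline so the script runs offline.

```python
import os
import re
import tempfile

# Plugin filenames the article associates with this campaign (taken from the text).
KNOWN_PLUGIN_NAMES = {
    "wp-antymalwary-bot.php",
    "addons.php",
    "wpconsole.php",
    "wp-performance-booster.php",
    "scr.php",
}

# Generic heuristic (an assumption, not from the article): obfuscation primitives
# commonly seen in PHP injected into theme files.
SUSPICIOUS_PHP = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
GIF_MAGIC = (b"GIF87a", b"GIF89a")


def _read_head(path, size=65536):
    """Read the first `size` bytes of a file; enough to see magic bytes and injected code."""
    with open(path, "rb") as fh:
        return fh.read(size)


def scan_wordpress_tree(root):
    """Walk a WordPress install and return a list of (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            head = _read_head(path)

            # 1. Plugin files using names the report ties to the campaign.
            if lower in KNOWN_PLUGIN_NAMES and rel.startswith("wp-content/plugins/"):
                findings.append((rel, "plugin filename reported in the campaign"))

            # 2. "Image" files that are really PHP (the fake-GIF reverse proxy technique).
            if lower.endswith(".gif") and not head.startswith(GIF_MAGIC) and PHP_OPEN_TAG.search(head):
                findings.append((rel, ".gif extension but contents are PHP, not GIF"))

            # 3. Theme header.php carrying obfuscated PHP (heuristic assumption).
            if lower == "header.php" and rel.startswith("wp-content/themes/") and SUSPICIOUS_PHP.search(head):
                findings.append((rel, "theme header.php contains eval/base64_decode-style code"))

            # 4. wp-cron.php anywhere but the install root (heuristic assumption).
            if lower == "wp-cron.php" and "/" in rel:
                findings.append((rel, "wp-cron.php outside the install root"))
    return findings


def build_sample_site(root):
    """Write a constructed sample tree: clean core/theme/plugin files plus planted indicators."""
    files = {
        "wp-cron.php": b"<?php\n// legitimate core file at the install root\n",
        "wp-content/themes/demo/header.php": b"<?php\n// planted marker only; $payload is never defined\neval(base64_decode($payload));\n",
        "wp-content/themes/demo/footer.php": b"<?php\necho 'footer';\n",
        "wp-content/plugins/akismet/akismet.php": b"<?php\n// benign plugin stand-in\n",
        "wp-content/plugins/wp-antymalwary-bot.php": b"<?php\n// planted stand-in, not the real malware\n",
        "wp-content/plugins/scr.php": b"<?php\n// planted stand-in\n",
        "wp-content/plugins/wp-cron.php": b"<?php\n// planted stand-in for the re-infection helper\n",
        "wp-content/uploads/logo.gif": b"GIF89a\x01\x00\x01\x00",
        "wp-content/uploads/promo.gif": b"<?php\n// planted stand-in: image name, PHP contents\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample site in a temp dir, scan it, and return the sorted findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return sorted(scan_wordpress_tree(root))


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it as-is to see the five planted indicators flagged while the root `wp-cron.php`, the real GIF, and the benign plugin pass; to sweep a live install, call `scan_wordpress_tree("/path/to/wordpress")` and review each hit by hand, since the two heuristics will produce false positives on legitimately minified or unusual themes.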

That’s not all. Fake CAPTCHA verification pages served on compromised websites are designed to trick users into downloading and running a Node.js-based backdoor that collects system information, grants remote access, and tunnels malicious traffic through a SOCKS5 proxy.
This activity has been attributed by Trustwave SpiderLabs to a traffic distribution system (TDS) called Kongtuke (aka 404 TDS, Chaya_002, LandUpdate808, and TAG-124).
“The JS scripts dropped after infection are designed as multifunctional backdoors capable of detailed system reconnaissance, remote command execution, network traffic tunneling (SOCKS5 proxy), and persistent covert access.”