A new Linux malware exploits 30 plugin vulnerabilities to bypass WordPress sites

An unknown Linux malware was able to exploit 30 flaws in several WordPress themes and plugins to inject malicious JavaScript.

A Dr.Web report reveals that the malware targets both 32-bit and 64-bit Linux systems. Dr. Web reports that the malware can be used to remotely control Linux 64-bit or 32-bit systems.

This trojan’s main function is to attack WordPress websites using a series of hardcoded exploits. Each one runs until the last one works.

These are the targeted themes and plugins:

  • WP Live Chat Support plugin
  • WordPress – Yuzo Related Articles
  • Visual theme customizer plugin for Yellow Pencil
  • Easysmtp
  • WP GDPR Compliance Plugin
  • WordPress Access Control (CVE-16-10972) Newspaper theme
  • Thim Core
  • Google Code Inserter
  • Plugin Total Donations
  • Post custom templates Lite
  • WP Quick Booking Manager
  • Zotabox Faceboor Chat
  • WordPress Blog Designer Plugin
  • WordPress Ultimate FAQ (CVE-2018-17232 and CVE-2018-17233).
  • WP-Matomo Integration (WP-Piwik)
  • WordPress ND Shortcodes for Visual Composer
  • WP Live Chat
  • Page Coming Soon and Maintenance Mode
  • Hybrid

The malware will inject malicious JavaScript into the target website if it finds an older and more vulnerable version of one of these vulnerabilities.

Injected redirection code

(Dr. Web)

The infected pages serve as redirectors to the location chosen by the attacker. Therefore, the scheme is most effective on sites that are abandoned.

This could be used for phishing and malware distribution. Malvertising campaigns can also help to evade detection. The auto-injector operators might also be offering their services to cybercriminals.

A new version of Dr. Web also observed the following WordPress addons in action:

  • Brizy WordPress Plugin
  • FV Flowplayer Video player
  • WooCommerce
  • WordPress Page Coming Soon
  • OneTone WordPress theme
  • Simple Fields WordPress plugin
  • WordPress Delucks is an SEO plugin
  • OpinionStage offers a variety of polling, survey, form and quiz makers
  • Social Metrics Tracker
  • WPeMatico RSS Feed Fetcher
  • Rich Reviews plugin

It is evident that there are active backdoor development efforts at this time, as evidenced by the targeted add-ons.

Dr. Web mentions also that the two variants include functionality currently inactive. This would permit brute-forcing attempts against administrator accounts.

This threat can be countered by WordPress website administrators updating to the most current version of the plugins and themes on their sites and replacing those not developed or supported.

Protect yourself against brute force attacks by using strong passwords, and activate the 2-factor authentication system.