A newly identified Trojan backdoor exploits some 30 vulnerabilities in WordPress plugins and themes to compromise websites built on the WordPress content management system. It needs to abuse only one of those flaws to carry out an attack.
Researchers from Doctor Web, who discovered two iterations of the malware (dubbed Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2), said sites running outdated or unpatched versions of these WordPress components are at risk of harboring malicious JavaScript that redirects site visitors to malicious websites, and that site owners should update these packages ASAP.
And here is a scary twist: "An analysis of an uncovered trojan application, carried out by Doctor Web's specialists, revealed that it could be the malicious tool that cybercriminals have been using for more than three years to carry out such attacks and monetize the resale of traffic, or arbitrage," the researchers wrote about the malware, which targets 32-bit versions of Linux and can also run on 64-bit versions of the platform.
Among the plugins and themes the Trojan's version 1 variant abuses are WP Live Chat Support Plugin; Yellow Pencil Visual Theme Customizer Plugin; Easysmtp; WP GDPR Compliance Plugin; Google Code Inserter; Blog Designer WordPress Plugin; and WP Live Chat. Version 2 exploits other WordPress plugins, including Brizy WordPress Plugin; FV Flowplayer Video Player; WordPress Coming Soon Page; Poll, Survey, Form & Quiz Maker by OpinionStage; and Social Metrics Tracker.
WordPress plugins and themes are a popular avenue for cybercriminals looking to take over websites; they can be used for everything from phishing to ad fraud to malware distribution. Vulnerabilities are not uncommon. For instance, in December an SSRF vulnerability in the Google Web Stories plugin was found that could allow an attacker to collect metadata from WordPress sites hosted on an AWS server, and potentially log in to a cloud instance to run commands.