A new malware variant has been detected targeting WordPress sites with vulnerable add-ons installed.
The malware lets the attackers redirect visitors to a site of their choosing whenever they click anywhere on the infected page.
The malware discovered by Dr.Web researchers is named Linux.BackDoor.WordPressExploit.1 and is described as a Trojan that targets 32-bit versions of Linux and can also run on 64-bit versions.
More versions
The Trojan works by injecting malicious JavaScript code into the targeted websites. It gains access by exploiting known vulnerabilities in a number of flawed add-ons, such as WP Live Chat Support Plugin, WP Live Chat, Google Code Inserter and WP Quick Booking Manager.
Researchers suspect the malware may have been running for up to three years, either selling traffic or engaging in arbitrage.
“The injection is done in such a way that when the infected page is loaded, this JavaScript will be initialized first – regardless of the original content of the page,” the researchers said.
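The two traits described above, a script that hooks every click to redirect the browser and that runs before any of the page's own content, are what a defender would look for when triaging a suspected infected page. The following heuristic check is an added example, not code from the Dr.Web report; the regex patterns and the sample page are constructed, and `blog.example` / `ads.example.invalid` are placeholder hosts.

```python
"""Heuristic check for click-hijacking redirect scripts injected ahead of a page's own content."""
import re
from html.parser import HTMLParser
# Suspicious = a script that hooks clicks anywhere on the page AND navigates the browser away.
CLICK_HOOK = re.compile(r"""addEventListener\s*\(\s*['"](?:click|mousedown|touchstart)['"]|\bon(?:click|mousedown)\s*=""", re.I)
REDIRECT = re.compile(r"""\blocation(?:\.href)?\s*=[^=]|location\.(?:assign|replace)\s*\(|window\.open\s*\(""", re.I)
HOSTS = re.compile(r"https?://([a-z0-9.-]+)", re.I)

class _Scripts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found, self.buf = [], []           # found: (script_code, content_seen_before_script)
        self.in_body = self.in_script = self.content_seen = self.before = False

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_body = True
        elif tag == "script":
            self.in_script, self.buf, self.before = True, [], self.content_seen
        elif self.in_body:
            self.content_seen = True            # first real element inside <body>

    def handle_endtag(self, tag):
        if tag == "script" and self.in_script:
            self.in_script = False
            self.found.append(("".join(self.buf), self.before))

    def handle_data(self, data):
        if self.in_script:
            self.buf.append(data)
        elif self.in_body and data.strip():
            self.content_seen = True

def find_click_redirects(html, site_host):
    """Return [(external_hosts, loads_before_content)] for each click-triggered redirect script."""
    p = _Scripts()
    p.feed(html)
    hits = []
    for code, before in p.found:
        if CLICK_HOOK.search(code) and REDIRECT.search(code):
            ext = sorted({h.lower() for h in HOSTS.findall(code) if h.lower() != site_host})
            hits.append((ext, not before))
    return hits

# Constructed sample: a normal page with one injected redirector placed first inside <body>.
SAMPLE = """<html><head><title>Blog</title></head><body>
<script>document.addEventListener('click',function(){location.href='https://ads.example.invalid/?r=1';},true);</script>
<h1>Welcome</h1><p>Legit post</p><script>console.log('theme'); fetch('https://blog.example/api/stats');</script>
</body></html>"""
```

Calling `find_click_redirects(SAMPLE, "blog.example")` flags only the first script, reporting the external redirect host and that it is initialised before any page content, while the theme's own script is left alone.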
Subsequently, an updated version was also discovered which, in addition to having a different Command and Control (C2) server, also exploited vulnerabilities in additional add-ons such as Brizy WordPress Plugin, FV Flowplayer Video Player, and WordPress Coming Soon Page.
The report also stated that both versions contained additional features that were not yet enabled, including one that would allow cybercriminals to brute-force administrator accounts. It is therefore highly likely that the attackers planned to release further versions of the Trojan with those features switched on.
“If this option is implemented in newer versions of the backdoor, cybercriminals will be able to successfully target some of those websites that use current versions of patched plugins,” the report adds.
To keep their websites secure, webmasters should ensure that their WordPress installation and all installed add-ons are up to date. They should also keep up with security news about the add-ons they have installed, especially free ones.
Via: Security Information Warehouse