A previously unknown Linux malware was discovered exploiting thirty vulnerabilities in WordPress themes and plugins to inject malicious JavaScript into websites.
If any of these add-ons on a targeted site are outdated, the malware injects malicious JavaScript into the website's pages. These outdated add-ons lack critical fixes and do not work properly.
When a user clicks any infected part of a website, they are redirected to a malicious website, according to security firm Dr. Web.
The malware is classified as Linux.BackDoor.WordPressExploit.1. The backdoor is controlled remotely by malicious actors and, when given the corresponding command, can perform the following actions for them:
- Attack a specific webpage (website)
- Switch to standby mode
- Shut itself down
- Pause logging of its actions
The trojan attacks WordPress websites using a series of hardcoded vulnerabilities. The exploits are run one after another until one of them succeeds, according to Dr. Web researchers.
Targeted Themes & Plugins
The following plugins and themes are targeted:
- WP Live Chat Support plugin
- WordPress – Yuzo Related Posts
- Yellow Pencil Visual Theme Customizer Plugin
- Easysmtp
- WP GDPR Compliance Plugin
- Newspaper theme on WordPress Access Control (vulnerability: CVE-2016-10972)
- Thim Core
- Google Code Inserter
- Total Donations Plugin
- Post Custom Templates Lite
- WP Quick Booking Manager
- Zotabox Faceboor Chat
- Blog Designer WordPress Plugin
- WordPress Ultimate FAQ (vulnerabilities CVE-2018-17232 and CVE-2018-17233)
- WP-Matomo Integration (WP-Piwik)
- WordPress ND Shortcodes for Visual Composer
- WP Live Chat
- Coming Soon Page and Maintenance Mode
- Hybrid
If a vulnerability is successfully exploited, malicious JavaScript is downloaded from a remote location and injected into the target page, which is then infected.
The JavaScript is injected in such a way that, when the infected page loads, it runs first, regardless of the original contents of the page.
From then on, when a user clicks anywhere on an infected page, the attackers redirect the user to their website.
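The behaviour described above (a script pulled from a remote host and placed so that it runs before everything else) can be checked for on rendered pages. The following is an added example, not code from Dr. Web or from the original article; the function name `audit_scripts`, the host names and both sample pages are constructed for illustration, and it only inspects external `<script src>` references, not inline scripts.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Record the src attribute of every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []  # None for inline scripts

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.sources.append(dict(attrs).get("src"))


def audit_scripts(html, site_host, allowed_hosts):
    """Return external scripts whose host is neither the site nor allowlisted.

    'runs_first' marks a script that precedes every other script on the page,
    which is the placement the article describes for the injected code.
    """
    collector = ScriptCollector()
    collector.feed(html)
    trusted = {site_host.lower()} | {h.lower() for h in allowed_hosts}
    findings = []
    for position, src in enumerate(collector.sources):
        if not src:
            continue  # inline script: no remote host to check
        host = urlparse(src.strip()).hostname  # None for relative URLs
        if host is None or host in trusted:
            continue
        findings.append({"host": host, "src": src, "runs_first": position == 0})
    return findings


# Constructed sample pages (not real captures); all hosts are placeholders.
CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.allowed.example/analytics.js"></script>
</head><body><p>Hello</p></body></html>"""

TAMPERED_PAGE = """<html><head>
<script src="//unknown-host.example/loader.js"></script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, audit_scripts(page, "blog.example", ["cdn.allowed.example"]))
```

Run against periodic fetches of a site's own pages, a non-empty result is a prompt to compare the page with a known-good copy and to review which add-ons are out of date.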
Alongside the current modification of the trojan, cybersecurity researchers also discovered an updated version, “Linux.BackDoor.WordPressExploit.2”.
This version exploits additional vulnerabilities in the plugins listed below. There are also changes to the , and the domain address.
- Brizy WordPress Plugin
- FV Flowplayer Video Player
- WooCommerce
- WordPress Coming Soon Page
- OneTone WordPress theme
- Simple Fields WordPress plugin
- WordPress Delucks SEO plugin
- Poll, Survey, Form & Quiz Maker by OpinionStage
- Social Metrics Tracker
- WPeMatico RSS Feed Fetcher
- Rich Reviews plugin
The new variant targets a variety of add-ons, which suggests that development of the backdoor may still be active.
It is essential that you use strong passwords in conjunction with two-factor authentication to guard against brute force attacks.