CyberSecurity news
Pierluigi Paganini@securityaffairs.com
A new malware campaign is targeting WordPress sites, employing a malicious plugin disguised as a security tool to trick users into installing and trusting it. This plugin, often named 'WP-antymalwary-bot.php,' provides attackers with persistent access, remote code execution, and JavaScript injection, while remaining hidden from the plugin dashboard to evade detection. The malware was first discovered in late January 2025 during a site cleanup, where a modified 'wp-cron.php' file was found, which creates and programmatically activates the malicious plugin.
Cybercriminals are specifically targeting WooCommerce users with a large-scale phishing campaign, aiming to gain backdoor access to WordPress websites. The malicious plugin appears legitimate at first glance, complete with header comments, code indentation, and professional structure. However, it contains a backdoor function that allows attackers to log in as the first administrator user by sending a crafted GET request. This allows them to gain administrative access and inject PHP code into theme files, such as header.php, via a REST API route registered without any permission checks.
The malware enhances its stealth through various methods, including hiding itself from the WordPress Admin Dashboard using the 'hide_plugin_from_list' function. It also communicates with a Command & Control (C2) server, sending periodic "ping" updates to inform the attacker about its operational status. Furthermore, the malware injects malicious JavaScript ads into the site's pages using obfuscated methods and scripts retrieved from compromised external resources. Even if the plugin is deleted, the modified 'wp-cron.php' file reinstalls and reactivates it during the next site visit, ensuring persistence on a compromised site.
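The three behaviours described above (a tampered wp-cron.php that re-drops and re-activates a plugin, a REST route registered with no permission check, and a plugin that filters itself out of the admin plugin list) each leave a textual trace on disk that a site owner can look for. The following Python triage script is an added example, not code from the campaign or from any of the cited reports: it builds a constructed WordPress-like directory tree whose files carry only the indicator strings a scanner would key on, then scans it. The forbidden-token list for wp-cron.php, the `all_plugins` filter as the self-hiding hook, and all sample plugin names and route names are assumptions chosen for illustration.

```python
"""Heuristic triage of a WordPress install for the indicators discussed above.

Constructed example: the sample files written by build_sample_install() are
invented stand-ins carrying only indicator strings; they are not malware.
"""
import re
import tempfile
from pathlib import Path

# Pristine core wp-cron.php never calls these; a hit means the file was edited.
# (Assumption: token list derived from the described behaviour, not an official IoC set.)
WP_CRON_FORBIDDEN = ("activate_plugin", "file_put_contents", "base64_decode", "eval(")

# Filters a plugin can hook to remove itself from the admin plugin list (assumption).
PLUGIN_LIST_FILTERS = ("all_plugins",)


def _call_spans(source: str, func: str):
    """Yield the full text of each `func( ... )` call, honouring nested parentheses."""
    for m in re.finditer(re.escape(func) + r"\s*\(", source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"(": 1, ")": -1}.get(source[i], 0)
            i += 1
        yield source[m.start():i]


def rest_routes_without_permission(source: str) -> list[str]:
    """Return register_rest_route() calls whose argument array has no permission_callback.

    Since WordPress 5.5 core flags a missing permission_callback; such a route is
    reachable by any unauthenticated client, which is the weakness described above.
    """
    return [span for span in _call_spans(source, "register_rest_route")
            if "permission_callback" not in span]


def hides_from_plugin_list(source: str) -> bool:
    """True if the source hooks a filter that can hide the plugin from the dashboard."""
    return any(re.search(r"add_filter\(\s*['\"]%s['\"]" % f, source)
               for f in PLUGIN_LIST_FILTERS)


def wp_cron_findings(wp_cron: Path) -> list[str]:
    """Forbidden tokens present in wp-cron.php, in WP_CRON_FORBIDDEN order."""
    text = wp_cron.read_text(errors="replace")
    return [tok for tok in WP_CRON_FORBIDDEN if tok in text]


def scan_install(root: Path) -> dict:
    """Scan one install; returns wp-cron findings and per-plugin-file issue lists."""
    findings = {"wp_cron": wp_cron_findings(root / "wp-cron.php"), "plugins": {}}
    for php in (root / "wp-content" / "plugins").rglob("*.php"):
        src = php.read_text(errors="replace")
        issues = []
        if rest_routes_without_permission(src):
            issues.append("rest_route_without_permission_callback")
        if hides_from_plugin_list(src):
            issues.append("hides_from_plugin_list")
        if issues:
            findings["plugins"][php.relative_to(root).as_posix()] = issues
    return findings


def build_sample_install(root: Path) -> None:
    """Write a constructed tree: tampered wp-cron.php, one benign and one suspect plugin."""
    (root / "wp-content" / "plugins" / "benign").mkdir(parents=True)
    (root / "wp-content" / "plugins" / "suspect").mkdir(parents=True)
    # Constructed tampered wp-cron.php: re-drops and re-activates a plugin on each visit.
    (root / "wp-cron.php").write_text(
        "<?php\n// ... core cron code ...\n"
        "file_put_contents(WP_PLUGIN_DIR . '/suspect/suspect.php', $payload);\n"
        "activate_plugin('suspect/suspect.php');\n")
    # Benign plugin: REST route guarded by a capability check (what a good plugin does).
    (root / "wp-content/plugins/benign/benign.php").write_text(
        "<?php\nregister_rest_route('shop/v1', '/orders', array(\n"
        "  'methods' => 'GET',\n  'callback' => 'shop_orders',\n"
        "  'permission_callback' => function () { return current_user_can('manage_options'); },\n"
        "));\n")
    # Suspect plugin: unauthenticated route plus self-hiding filter (indicator strings only).
    (root / "wp-content/plugins/suspect/suspect.php").write_text(
        "<?php\nadd_filter('all_plugins', 'hide_plugin_from_list');\n"
        "register_rest_route('suspect/v1', '/route', array(\n"
        "  'methods' => 'POST',\n  'callback' => 'suspect_callback',\n));\n")


def scan_sample_install() -> dict:
    """Build the constructed install in a temp dir and return its scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(Path(tmp))
        return scan_install(Path(tmp))


if __name__ == "__main__":
    print(scan_sample_install())
```

Run it against a real install by calling `scan_install(Path("/var/www/html"))` in place of the sample builder; a non-empty `wp_cron` list is the strongest signal, because a clean core wp-cron.php should be byte-identical to the release file and can be confirmed against a fresh copy of the same WordPress version.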
References:
- Cybernews: Cybercriminals are targeting WooCommerce users with a large-scale phishing campaign, giving them backdoor access to WordPress websites.
- securityonline.info: WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code
- BleepingComputer: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.
- hackread.com: WordPress sites are under threat from a deceptive anti-malware plugin.
- The DefendOps Diaries: Learn how to protect WordPress sites from malicious plugins posing as security tools, ensuring your site's safety and integrity.