Sneaky Backdoor Disguised as WordPress Caching Plugin Seizes Control of Websites

Researchers from WordPress security firm Defiant unveiled a recently discovered malware targeting WordPress websites, camouflaged as a legitimate caching plugin.

The malevolent software was detected in July during a website cleanup operation. This malware, essentially a backdoor, lets threat actors create an administrator account, gaining complete control over the target website.

Clever Disguise

Analysts said the malware carries a "professional looking opening comment" to mimic a legitimate caching tool—a utility typically used to optimize website traffic, decrease server load, and accelerate page loading times.

The choice to masquerade as a caching plugin is deliberate, aimed at averting scrutiny and slipping through manual inspections. It also hides itself from the list of active plugins on compromised websites to avoid detection.

Multifaceted Malware Capabilities

According to the researchers, the malicious plugin encompasses a variety of capabilities:

• Malicious User Creation: The plugin spawns a 'superadmin' user on the compromised website with a hardcoded password and admin-level permissions. It also has a function to remove this account, erasing any traces of its existence.
• Bot Detection: After identifying bot visitors, it serves them specific content, like spam, making them index the compromised website for malicious content. This could result in traffic spikes or reports from real visitors about redirection to malicious sites.
• Content Replacement: The backdoor can alter posts, pages and other content on compromised websites, inserting spam buttons or links at its discretion. Actual website administrators are served unmodified content to delay detection.
• Plugin Activation/Deactivation: It enables remote activation or deactivation of arbitrary WordPress plugins on the compromised websites while automatically erasing traces of such activities to evade detection.
• Remote Invocation: It checks for specific user agent strings, allowing operators to remotely control certain malicious functions that match particular scenarios.

Exploitation and Monetization at Victims' Expense

"Taken together, these features provide attackers with everything they need to remotely control and monetize a victim site, at the expense of the site’s own SEO rankings and user privacy," the researchers noted in a security advisory.

While the number of compromised websites and other details about the plugin remain undisclosed, the researchers have emphasized the camouflage nature of this malware as a cache plugin.

Protecting Your Website

This discovery comes on the heels of another significant event; researchers recently spotted a massive Balada Injector campaign and linked it to the compromise of over 17,000 WordPress websites.

To fend off such threats, users are advised to keep their themes and plugins updated to the latest versions, employ robust password policies, periodically scan their websites for suspicious activities, and remove unused or questionable items from their panels.

Furthermore, managing user permissions diligently can help prevent unwanted operations stemming from a lack of a healthy permissions policy.

With the continuous evolution of malicious software, staying a step ahead in security measures is imperative for website owners to protect their digital assets and user trust.