A security firm has disclosed a Linux backdoor that compromises websites built on the WordPress CMS. The malware exploits 30 known vulnerabilities in WordPress plugins and themes.
Unseen malware variants
According to Dr. Web, the malware targets 32-bit and 64-bit Linux systems and accepts commands from a remote server.
If a target site runs outdated versions of these add-ons, the malware injects malicious JavaScript into its pages. When a visitor clicks anywhere on an infected page, they are redirected to a page of the attackers' choosing.
The malware, identified as Linux.BackDoor.WordPressExploit.1, can be instructed to attack a specific web page, switch to standby mode, shut itself down, and pause the logging of its actions.
The researchers have also spotted an updated version, Linux.BackDoor.WordPressExploit.2. It uses a different C&C server and a different domain for downloading the malicious JavaScript, and exploits additional vulnerabilities.
Infection process
On an infected page, the injected JavaScript is loaded before the site's original content, regardless of what that content is, and redirects visitors to a location chosen by the attacker.
These redirects are used to feed phishing, malware distribution, and malvertising campaigns while keeping the compromise inconspicuous to the site's owner.
The operators of the auto-injector may also be selling it as a service to other threat groups.
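A first-pass check for the injection pattern described above (a script that is loaded ahead of the site's own content and pulls from, or redirects to, a host the site never uses) can be scripted against a saved copy of a page. The following is an added example written for this article, not code from Dr. Web or from the malware analysis; the allowed-host list, the sample pages and the `.invalid` hostnames are constructed for illustration, and the "loads first" heuristic (no non-structural element precedes the script) is an assumption about how such injections are placed.

```python
"""Flag <script> elements in a WordPress page that look injected.

Added example for this article, not code from Doctor Web. Heuristics:
  * an external script whose host is not on the site's allowlist,
  * an inline script that performs a location change to an off-site host,
  * whether the script appears before any of the site's own content.
The allowlist, sample HTML and .invalid hostnames below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example.com"                                   # assumption
ALLOWED_HOSTS = {SITE_HOST, "www." + SITE_HOST, "fonts.googleapis.com"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# window.location = ..., location.href = ..., location.replace(...), ...
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]")


class _ScriptCollector(HTMLParser):
    """Collect every <script> with its src, inline body and position."""
    # Tags that do not count as "site content" for the loads-first check.
    STRUCTURAL = {"html", "head", "body", "meta", "title"}

    def __init__(self):
        super().__init__()
        self.scripts = []   # dicts with src, body, preceding
        self._seen = 0      # non-structural start tags seen so far
        self._cur = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._cur = {"src": dict(attrs).get("src"), "body": "",
                         "preceding": self._seen}
        if tag not in self.STRUCTURAL:
            self._seen += 1

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None


def find_injected_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of suspicious scripts, each with src, loads_first, reasons."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        reasons = []
        if s["src"]:
            host = urlparse(s["src"]).hostname   # handles "//host/x" too
            if host and host.lower() not in allowed_hosts:
                reasons.append(f"external script from {host}")
        elif REDIRECT_RE.search(s["body"]):
            off_site = sorted({h.lower() for h in URL_RE.findall(s["body"])
                               if h.lower() not in allowed_hosts})
            if off_site:
                reasons.append("inline redirect to " + ", ".join(off_site))
        if reasons:
            findings.append({"src": s["src"],
                             "loads_first": s["preceding"] == 0,
                             "reasons": reasons})
    return findings


# Constructed sample pages (hostnames use the reserved .invalid TLD).
CLEAN_PAGE = """<html><head><meta charset="utf-8"><title>Shop</title>
<link rel="stylesheet" href="https://example.com/wp-content/themes/shop/style.css">
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><h1>Shop</h1><script>console.log("ready");</script></body></html>"""

INFECTED_PAGE = """<html><head><meta charset="utf-8"><title>Shop</title>
<script src="//injected.invalid/loader.js"></script>
<link rel="stylesheet" href="https://example.com/wp-content/themes/shop/style.css">
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><h1>Shop</h1><script>console.log("ready");</script>
<script>window.location.replace("https://landing.invalid/go");</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, find_injected_scripts(page))
```

Run it over pages fetched with a browser-like User-Agent and a Referer header, because this family of injectors often serves the redirect only to real visitors; an empty result from a curl fetch with no headers is not proof that the site is clean. Any hit with `loads_first` set is the stronger signal, since legitimate theme scripts rarely precede the stylesheet links.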
Ending notes
Owing to its massive popularity, WordPress has long been a lucrative target for cybercriminals. Since outdated add-ons are this malware's entry point, administrators should keep the themes and plugins running on their sites updated to the latest available versions and replace any that are no longer maintained. They should also use strong, unique passwords for all accounts and enable two-factor authentication.