New Linux Malware Exploiting 30 Vulnerabilities in WordPress Plugins

The malware is designed to target 32-bit versions of Linux, but can also run on 64-bit versions.

Last Updated: January 13, 2023

A new Linux malware strain is making the rounds on WordPress-based websites, seeking to exploit 30 known vulnerabilities in several outdated WordPress plugins and themes. Dubbed Linux.BackDoor.WordPressExploit.1, the malware injects malicious JavaScript into target websites.

Once again, the importance of timely updates is evident. According to Dr. Web, which discovered Linux.BackDoor.WordPressExploit.1, the trojan, together with the variant described below, attempts to break into websites through 30 outdated and vulnerable plugins or themes, including WooCommerce, WP Live Chat Support Plugin, Google Code Inserter and others (listed below).

Once the remote-controlled trojan confirms that a target website runs one of the vulnerable plugins, it exploits the flaw and plants malicious JavaScript, downloaded from a remote server, into the website's pages.

“If one or more vulnerabilities are successfully exploited, the targeted page is injected with a malicious JavaScript that is downloaded from a remote server. With that, the injection is done in such a way that when the infected page is loaded, this JavaScript will be initiated first — regardless of the original contents of the page,” Dr. Web noted.

When a visitor then clicks anywhere on an infected page, they are redirected to a website of the attackers' choosing, where they may be served malvertising, prompted to download malware, or targeted with phishing.
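The injection and click-redirect behaviour described above can be checked for from the defender's side. The following is an added example, not code from the original article or from Dr. Web's report: it scans a rendered page (or a wp_posts post_content string, since the injected script lives in page content) for a script placed ahead of the document, for scripts loaded from hosts the site does not normally use, and for an inline handler that redirects on any click. The sample pages, the hostnames shop.example, cdn.evil.test and land.evil.test, and the allow-list parameter are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample pages (not real captures). The first is clean; the second
# carries a script injected ahead of the original markup, so the browser runs it
# before anything the theme emits; the third carries an inline click handler
# that redirects the visitor on any click.
CLEAN_PAGE = """<!DOCTYPE html>
<html><head><title>Shop</title>
<script src="https://shop.example/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><h1>Welcome</h1></body></html>"""

INJECTED_EXTERNAL = """<script src="http://cdn.evil.test/m.js"></script><!DOCTYPE html>
<html><head><title>Shop</title></head><body><h1>Welcome</h1></body></html>"""

INJECTED_INLINE = """<!DOCTYPE html>
<html><head><script>
document.addEventListener("click", function () {
  window.location.href = "http://land.evil.test/?r=1";
});
</script><title>Shop</title></head><body><p>Hello</p></body></html>"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
# An inline handler that redirects on *any* click: a click listener (or onclick
# attribute) together with an assignment to location or a call to window.open.
CLICK_RE = re.compile(r"""addEventListener\s*\(\s*["']click["']|onclick\s*=""", re.I)
REDIRECT_RE = re.compile(
    r"""location(\.href)?\s*=[^=]|location\.(assign|replace)\s*\(|window\.open\s*\(""", re.I)


def scan_page(html, site_host, allowed_hosts=()):
    """Return (reason, detail) findings for one rendered page or post_content blob.

    site_host     hostname the site serves from; scripts from it are trusted
    allowed_hosts third-party script hosts the site legitimately loads from
    """
    findings = []
    trusted = {site_host, *allowed_hosts}
    # 1. Executable content before <!DOCTYPE> is never the theme's own output.
    first_script = SCRIPT_RE.search(html)
    doctype_pos = html.lower().find("<!doctype")
    if first_script and doctype_pos != -1 and first_script.start() < doctype_pos:
        findings.append(("script-before-doctype", first_script.group(0)[:60]))
    # 2. Every script: unknown external host, or inline click-hijack pattern.
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            host = (urlparse(src.group(1)).hostname or "").lower()
            if host and host not in trusted:
                findings.append(("external-script", src.group(1)))
        elif CLICK_RE.search(body) and REDIRECT_RE.search(body):
            findings.append(("click-redirect", " ".join(body.split())[:60]))
    return findings


if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("external", INJECTED_EXTERNAL),
                       ("inline", INJECTED_INLINE)]:
        print(name, scan_page(page, "shop.example"))
```

The allow-list matters in practice: most sites load analytics or ad scripts from third-party hosts, so run the scan once on a known-good copy of the site, put the hosts it reports into allowed_hosts, and treat anything new as a finding to triage.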

Linux.BackDoor.WordPressExploit.1 also implements additional commands: switching to standby mode, shutting itself down, and pausing the logging of its actions. The malware is built for 32-bit versions of Linux but also runs on 64-bit versions.

Alongside Linux.BackDoor.WordPressExploit.1, Dr. Web also found a variant of the same backdoor. Linux.BackDoor.WordPressExploit.2 differs in its C2 server address, in the domain from which the malicious JavaScript is downloaded, and in targeting 11 additional plugins.


Plugins and Themes

Targeted by both Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2 (19):

- WP Live Chat Support Plugin
- WordPress – Yuzo Related Posts
- Yellow Pencil Visual Theme Customizer Plugin
- Easysmtp
- WP GDPR Compliance Plugin
- Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
- Thim Core
- Google Code Inserter
- Total Donations Plugin
- Post Custom Templates Lite
- WP Quick Booking Manager
- Facebook Live Chat by Zotabox
- Blog Designer WordPress Plugin
- WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
- WP-Matomo Integration (WP-Piwik)
- WordPress ND Shortcodes For Visual Composer
- WP Live Chat
- Coming Soon Page and Maintenance Mode
- Hybrid

Targeted by Linux.BackDoor.WordPressExploit.2 only (11 additional):

- Brizy WordPress Plugin
- FV Flowplayer Video Player
- WooCommerce
- WordPress Coming Soon Page
- WordPress theme OneTone
- Simple Fields WordPress Plugin
- WordPress Delucks SEO plugin
- Poll, Survey, Form & Quiz Maker by OpinionStage
- Social Metrics Tracker
- WPeMatico RSS Feed Fetcher
- Rich Reviews plugin

“Both trojan variants have been found to contain unimplemented functionality for hacking the administrator accounts of targeted websites through a brute-force attack — by applying known logins and passwords, using special vocabularies. It is possible that this functionality was present in earlier modifications, or, conversely, that attackers plan to use it for future versions of this malware,” Dr. Web added.
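The brute-force capability Dr. Web describes is dormant in the samples, but dictionary attacks against WordPress logins are routine and leave a clear trace in web server logs: bursts of POST requests to wp-login.php (or xmlrpc.php) from one source, each answered with 200 because WordPress re-serves the form on a failed login, and a 302 when one finally succeeds. The following is an added example, not code from the article or from Dr. Web, that flags such bursts in combined-format access logs. The log lines, the addresses 203.0.113.7 and 198.51.100.4, and the threshold and window values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format: ip ident user [time] "req" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return (ip, timestamp, method, path without query string, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return (m.group("ip"), ts, m.group("method"),
            m.group("path").split("?", 1)[0], int(m.group("status")))


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Map IP -> (peak POSTs to a login endpoint inside `window`, saw_302).

    Only IPs whose peak exceeds `threshold` are returned. wp-login.php answers a
    failed login with 200 (the form again) and a successful one with 302, so a
    302 from a flagged source is the line to look at first.
    """
    posts = defaultdict(list)
    redirected = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.endswith(LOGIN_PATHS):
            posts[ip].append(ts)
            if status == 302:
                redirected.add(ip)
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:   # slide the window start forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            flagged[ip] = (peak, ip in redirected)
    return flagged


def _line(ip, when, path, status, method="POST"):
    """Build one constructed combined-format log line (sample data, not a capture)."""
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"'


T0 = datetime(2023, 1, 10, 10, 0, 0, tzinfo=timezone.utc)
# Constructed sample: 203.0.113.7 posts 8 times in 70 s (7 failures, then a 302);
# 198.51.100.4 is an ordinary user who mistyped a password once.
SAMPLE_LOG = (
    [_line("203.0.113.7", T0 + timedelta(seconds=10 * i), "/wp-login.php", 200) for i in range(7)]
    + [_line("203.0.113.7", T0 + timedelta(seconds=70), "/wp-login.php", 302)]
    + [_line("198.51.100.4", T0 + timedelta(minutes=1), "/wp-login.php", 200),
       _line("198.51.100.4", T0 + timedelta(minutes=2), "/wp-login.php", 302),
       _line("198.51.100.4", T0 + timedelta(minutes=3), "/", 200, method="GET")]
)

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))   # {'203.0.113.7': (8, True)}
```

xmlrpc.php is included because its system.multicall method lets one request carry many login attempts; if the site does not use XML-RPC, blocking that endpoint removes the amplification entirely.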

The obvious mitigation is to update WordPress, plugins, themes and all other components. Dr. Web also recommends setting strong and unique logins and passwords. Note that updating closes the entry point but does not undo an existing compromise: a site that was already hit still carries the injected JavaScript in its pages until it is found and removed.
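A first triage step is to find out whether any of the components in the list above are installed at all. The following is an added example, not code from the article or from Dr. Web, that reads plugin and theme headers the way WordPress core does (the first 8 KiB of each plugin's main file, and style.css for themes) and matches the names against the list. Matching is on a normalised form of the display names because the list uses marketing names rather than plugin slugs, so treat a miss as "not matched", not "not installed", and verify by hand. The wp-content tree built by build_sample_tree() and its version strings are constructed placeholders, not real releases.

```python
import os
import re
import tempfile

# Display names exactly as the report's table lists them.
TARGETED_NAMES = [
    "WP Live Chat Support Plugin", "WordPress – Yuzo Related Posts",
    "Yellow Pencil Visual Theme Customizer Plugin", "Easysmtp",
    "WP GDPR Compliance Plugin",
    "Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)",
    "Thim Core", "Google Code Inserter", "Total Donations Plugin",
    "Post Custom Templates Lite", "WP Quick Booking Manager",
    "Facebook Live Chat by Zotabox", "Blog Designer WordPress Plugin",
    "WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)",
    "WP-Matomo Integration (WP-Piwik)", "WordPress ND Shortcodes For Visual Composer",
    "WP Live Chat", "Coming Soon Page and Maintenance Mode", "Hybrid",
    "Brizy WordPress Plugin", "FV Flowplayer Video Player", "WooCommerce",
    "WordPress Coming Soon Page", "WordPress theme OneTone",
    "Simple Fields WordPress Plugin", "WordPress Delucks SEO plugin",
    "Poll, Survey, Form & Quiz Maker by OpinionStage", "Social Metrics Tracker",
    "WPeMatico RSS Feed Fetcher", "Rich Reviews plugin",
]
NOISE = {"wordpress", "plugin", "theme"}


def normalize(name):
    """Lower-case, drop parentheticals and filler words, so display names and
    'Plugin Name:' header values compare on their distinctive words only."""
    name = re.sub(r"\(.*?\)", " ", name)
    words = [w for w in re.split(r"[^a-z0-9]+", name.lower()) if w and w not in NOISE]
    return " ".join(words)


TARGETED = {normalize(n): n for n in TARGETED_NAMES}
# Header lines may be prefixed by comment syntax ("/*", " * ", "#").
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Theme Name|Version):[ \t]*(.+?)[ \t]*$", re.M)


def read_header(path):
    """Read the WordPress file header as core does: only the first 8 KiB."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    return {k: v for k, v in HEADER_RE.findall(head)}


def inventory(plugins_dir, themes_dir=None):
    """Yield (slug, display name, version) for each plugin main file and theme style.css."""
    for slug in sorted(os.listdir(plugins_dir)):
        d = os.path.join(plugins_dir, slug)
        if not os.path.isdir(d):
            continue
        for fn in sorted(os.listdir(d)):
            if fn.endswith(".php"):
                h = read_header(os.path.join(d, fn))
                if "Plugin Name" in h:
                    yield slug, h["Plugin Name"], h.get("Version", "?")
                    break
    if themes_dir:
        for slug in sorted(os.listdir(themes_dir)):
            css = os.path.join(themes_dir, slug, "style.css")
            if os.path.isfile(css):
                h = read_header(css)
                if "Theme Name" in h:
                    yield slug, h["Theme Name"], h.get("Version", "?")


def flag_targeted(plugins_dir, themes_dir=None):
    """Installed components whose name matches an entry in the report's list:
    (slug, installed name, installed version, matched list entry)."""
    hits = []
    for slug, name, version in inventory(plugins_dir, themes_dir):
        key = normalize(name)
        if key in TARGETED:
            hits.append((slug, name, version, TARGETED[key]))
    return hits


def build_sample_tree():
    """Constructed wp-content tree for a dry run; versions are placeholders."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    spec = {
        "plugins/wp-live-chat-support/wp-live-chat-support.php":
            "<?php\n/*\nPlugin Name: WP Live Chat Support\nVersion: 0.0.1\n*/\n",
        "plugins/akismet/akismet.php":
            "<?php\n/**\n * Plugin Name: Akismet Anti-Spam\n * Version: 0.0.1\n */\n",
        "themes/onetone/style.css":
            "/*\nTheme Name: OneTone\nVersion: 0.0.1\n*/\n",
    }
    for rel, body in spec.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for hit in flag_targeted(os.path.join(root, "plugins"), os.path.join(root, "themes")):
        print(hit)
```

Point the two directory arguments at a real wp-content/plugins and wp-content/themes to run it against a live install; for each hit, compare the reported version with the current release on wordpress.org (or the vendor's site) and update.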




Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com