An ongoing malwaretising campaign that has been targeting WordPress sites since July 2019, has morphed from redirecting browsers to sites containing dodgy adverts or malicious software to something even more dangerous. According to threat analyst from cybersecurity firm Defiant Mikey Veenstra, bad actors are exploiting flaws in more than ten WordPress plugins to create rogue admin accounts on target WordPress sites.
Much of the campaign remains the same, said Veenstra. The attackers exploit known vulnerabilities in WordPress plugins to inject malicious JavaScript code into the frontends of victim sites, which redirects the site’s visitors to potentially harmful content. Where possible, the payloads are obfuscated in an attempt to avoid detection by WAF and IDS software. However, recently the attackers added new vulnerabilities to the list of targets, namely the flaws in Bold Page Builder and NinTechNet plugins.
Also, the hacker group behind the campaign added an additional script “which attempts to install a backdoor into the target site by exploiting an administrator’s session.” The malicious script attempts to create a new user with administrator privileges on the victim’s site.
“If the user is presented with a _wpnonce_create-user nonce when visiting the site’s wp-admin/user-new.phpendpoint, then the script knows a new user can be created. If this is the case, the putmeone() function is triggered. This function makes an AJAX call via jQuery which creates the rogue administrator account” explained Veenstra.
The AJAX call creates a user named “wpservices” with the email “wpservices@yandex.com” and the password “w0rdpr3ss”. Then the attacker can install further backdoors or perform other malicious activity.
Currently, campaign targets following plugins:
- Bold Page Builder
- Blog Designer
- Live Chat with Facebook Messenger
- Yuzo Related Posts
- Visual CSS Style Editor
- WP Live Chat Support Form
- Lightbox Hybrid Composer
- All former NicDark plugins (nd-booking, nd-travel, nd-learning, et. al.)
Owners of WordPress-powered websites using any of above mentioned plugins are recommended to check if they have the latest versions of software installed. However, Veenstra warned that “it’s reasonable to assume any unauthenticated XSS or options update vulnerabilities disclosed in the near future will be quickly targeted by this threat actor” as the campaign picks up new targets over time.
