Patchstack reports a mass phishing campaign that dupes WordPress users into installing a malicious plugin by posing as a CVE-2023-45124 patch. The attack uses cloned WordPress pages, fake reviews, and a backdoor that creates an admin user and can be leveraged for further abuse.
#CVE-2023-45124 #WordPress #Patchstack #P.A.S.Backdoor #Automattic #wpgate
Keypoints
- The phishing campaign claims a vulnerability in WordPress and offers a “Patch” to fix CVE-2023-45124.
- The download leads to a site that clones WordPress.org and uses domains like wordpress.secureplatform.org and en-gb-wordpress.org to appear legitimate.
- Attackers appear to target known WordPress figures by listing them as authors of the patching plugin.
- Installing the plugin creates an administrator account (wpsecuritypatch) and a backdoor (wp-autoload.php) in the WordPress root.
- The malware exfiltrates data back to attackers via HTTP GET requests with base64-encoded content and then writes the backdoor into the site.
- The backdoor can be used for ads, redirects, DDoS, billing theft, or blackmail, and is described as similar to the P.A.S. backdoor.
MITRE Techniques
- [T1566.002] Spearphishing Link – The campaign uses phishing emails that prompt users to download a malicious plugin as a purported WordPress patch. Quote: “mass-scale phishing campaign… notifying users about a supposed security vulnerability in their WordPress website.”
- [T1136] Create Account – The malware creates a new user (wpsecuritypatch) with administrator privileges. Quote: “A random password will be created for a username (wpsecuritypatch) that will be created with administrator privileges.”
- [T1041] Exfiltration Over C2 Channel – The malware sends HTTP GET requests to attacker servers with base64-encoded data about the infected site and admin credentials. Quote: “A HTTP GET request is sent to their server… contains base64 encoded data of the URL of the site they infected as well as the password…”
- [T1027] Obfuscated/Compressed Files and Information – The payload uses base64 encoding and decodes it within the plugin to reconstruct the backdoor. Quote: “base64 encoded data which they base64 decode in the malicious plugin…”
- [T1564.001] Hide Artifacts – The plugin hides itself from the plugin list and hides the administrator account it created. Quote: “The plugin will then hide itself from the plugin list as well as hiding the administrator account that it created.”
- [T1036] Masquerading – The attackers clone the WordPress.org site and present fake reviews, impersonating real WordPress contributors, to appear legitimate. Quote: “The attackers have even written fake reviews on the same page…”; “presenting them as authors of this ‘patching’ plugin.”
Indicators of Compromise
- [User Account] wpsecuritypatch – a new administrator user created for the site.
- [File] wp-autoload.php – backdoor file placed in the WordPress root.
- [Directory] wpress-security-wordpress and cve-2023-45124 – folders under /wp-content/plugins.
- [Domain] wordpress.secureplatform.org, en-gb-wordpress.org – cloned WordPress.org-like domains used in the phishing page.
- [Network] wpgate[.]zip – outgoing requests to the attacker server; related paths wpapi and runscan (wpgate[.]zip/wpapi, wpgate[.]zip/runscan).
- [File] cve-2023-45124.zip – the downloaded plugin payload name used in the phishing flow.
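A filesystem triage helper for the indicators listed above, added here as an example and not part of the Patchstack report. It assumes a standard WordPress layout under the directory passed as its argument and a `wp_` table prefix in the WP-CLI hint; because the report says the backdoor is base64-encoded inside the plugin, the literal grep for the C2 host can miss an obfuscated copy, so a clean result is inconclusive rather than proof of a clean site.

```shell
#!/bin/sh
# Constructed triage helper: checks a WordPress root for the indicators
# listed in the report above. Assumes the standard wp-content layout;
# the wp_ table prefix in the WP-CLI hint is also an assumption.

scan_wp_root() {
    root="$1"
    hits=0

    if [ ! -d "$root" ]; then
        echo "ERROR: $root is not a directory" >&2
        return 2
    fi

    # Backdoor written to the WordPress root
    if [ -f "$root/wp-autoload.php" ]; then
        echo "HIT: backdoor file $root/wp-autoload.php"
        hits=$((hits + 1))
    fi

    # Plugin folders used by the fake "patch" plugin
    for d in wpress-security-wordpress cve-2023-45124; do
        if [ -d "$root/wp-content/plugins/$d" ]; then
            echo "HIT: plugin directory $root/wp-content/plugins/$d"
            hits=$((hits + 1))
        fi
    done

    # Files under wp-content that mention the C2 host or the rogue account.
    # The payload is base64-encoded inside the plugin, so an obfuscated copy
    # can evade this literal match; treat a miss as inconclusive, not clean.
    matches=$(grep -rlE 'wpgate\.zip|wpsecuritypatch' "$root/wp-content" 2>/dev/null \
              | grep -c . || true)
    if [ "$matches" -gt 0 ]; then
        echo "HIT: $matches file(s) under wp-content reference wpgate.zip or wpsecuritypatch"
        hits=$((hits + matches))
    fi

    # The plugin hides the account from the dashboard user list, so check the
    # database directly (WP-CLI, run by hand on the host, not executed here):
    #   wp db query "SELECT ID,user_login FROM wp_users WHERE user_login='wpsecuritypatch';"

    echo "TOTAL: $hits indicator(s)"
    [ "$hits" -eq 0 ]   # exit status 0 = no indicators, 1 = indicators found
}
```

Run it as `scan_wp_root /var/www/html` and act on any HIT line; the final exit status makes it usable from a cron job or monitoring check.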