A targeted supply chain attack was discovered involving a backdoor in Gravity Forms plugin version 2.9.12, which exfiltrated site data and allowed remote code execution via a malicious domain gravityapi.org. Multiple malicious functionalities including user creation, file upload, and directory listing were identified, prompting the release of a patched version 2.9.13 and domain suspension to mitigate exploitation. #GravityForms #gravityapiorg #Patchstack
Key points
- A backdoor in Gravity Forms plugin version 2.9.12 was discovered that sends WordPress site data to a newly registered malicious domain gravityapi.org.
- The backdoor uses the update_entry_detail function to post site information and write back malicious PHP files, enabling remote code execution.
- The list_sections function provides backdoor capabilities including administrator user creation, arbitrary file upload, eval execution of base64 data, user listing, and deletion.
- The malicious code was delivered only via manual downloads and composer installations, and was removed in later downloads after discovery.
- Gravity Forms version 2.9.13 was released to remove the backdoor, and the domain gravityapi.org was suspended by Namecheap.
- Indicators of compromise include specific IP addresses, domain names, file names, and the secret gf_api_token key used for authentication.
- Patchstack added monitoring and blocking rules to prevent exploitation and is tracking activity related to this targeted supply chain attack.
MITRE Techniques
- [T1071.001] Application Layer Protocol: Web Protocols – The backdoor sends HTTP POST requests with WordPress site data to gravityapi.org (‘POST request to https://gravityapi.org/sites with site details’).
- [T1059.001] Command and Scripting Interpreter: PowerShell – The backdoor executes user-supplied base64-encoded PHP code using eval function for remote code execution (‘eval( base64_decode($gf_formula) )’).
- [T1136.001] Create Account: Local Account – The backdoor can create new administrator users via ‘cusr’ action if the correct gf_api_token is supplied (‘wp_create_user with admin role assigned’).
- [T1105] Ingress Tool Transfer – The backdoor downloads and writes base64-decoded PHP payloads onto the victim server (‘file_put_contents of decoded HTTP response body’).
- [T1005] Data from Local System – The backdoor enumerates WordPress user accounts and site information and exfiltrates it externally (‘collects active plugins, site URL, WP version, and users count’).
- [T1526] Cloud Infrastructure Discovery – The backdoor retrieves environment and WordPress configuration data (‘obtains wp_version, php_version, active_theme, plugin_list’).
- [T1222] File and Directory Discovery – The backdoor lists files and directories via the ‘ldir’ command (‘scandir used on arbitrary directories’).
- [T1485] Data Destruction – The backdoor can delete WordPress users via ‘dusr’ action (‘wp_delete_user functionality’).
- [T1569.002] System Services: Service Execution – The malicious function is hooked to the ‘plugins_loaded’ action, causing persistent execution (‘add_action( "plugins_loaded", … )’).
Indicators of Compromise
- [IP Address] Malicious HTTP requests origin – 193.160.101.6, 185.193.89.19
- [Domain] Malicious command and control domains – gravityapi.org, gravityapi.io
- [File Name] Malicious PHP files written by backdoor – wp-includes/bookmark-canonical.php, wp-includes/block-caching.php, gravityforms/common.php
- [Secret Key] Backdoor authentication token – Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3
- [Plugin File] Malicious hook location – includes/settings/class-settings.php (contains list_sections function)
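An IoC sweep built from the indicators listed above, added here as an example; it is not code from the Patchstack article or from Gravity Forms. It checks web-server or proxy log lines for the two source IPs and the two C2 domains, and walks a WordPress document root for the dropped `wp-includes` files (which do not exist in clean core) and for any PHP file containing the `gf_api_token` value or a C2 domain. Because `gravityforms/common.php` is a legitimate plugin file, it is judged by content rather than by presence. The log lines and the sample site tree are constructed inline for the demonstration, and the plugin path under `wp-content/plugins/` is assumed to be the default install location.

```python
"""Sweep logs and a WordPress root for the Gravity Forms 2.9.12 backdoor IoCs.

Added example; not the article's or the project's own code. Indicators below
are the ones the advisory lists; sample inputs are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

IOC_IPS = {"193.160.101.6", "185.193.89.19"}
IOC_DOMAINS = {"gravityapi.org", "gravityapi.io"}
IOC_TOKEN = "Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3"
# Files the backdoor writes; neither ships with WordPress core, so presence alone is a hit.
IOC_DROPPED_FILES = {"wp-includes/bookmark-canonical.php", "wp-includes/block-caching.php"}
# gravityforms/common.php is a legitimate plugin file: it is flagged only by content.

IP_AT_START = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_log_lines(lines):
    """Return (line_no, kind, indicator) for lines whose client IP or text matches an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = IP_AT_START.match(line)
        if m and m.group(1) in IOC_IPS:
            hits.append((n, "ip", m.group(1)))
        low = line.lower()
        for domain in sorted(IOC_DOMAINS):
            if domain in low:
                hits.append((n, "domain", domain))
    return hits


def scan_wordpress_root(root):
    """Return sorted (relative_path, kind) hits for dropped files and tainted PHP content."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel in IOC_DROPPED_FILES:
            hits.append((rel, "dropped-file"))
        if p.suffix == ".php":
            text = p.read_text(errors="replace")
            if IOC_TOKEN in text:
                hits.append((rel, "token"))
            for domain in sorted(IOC_DOMAINS):
                if domain in text:
                    hits.append((rel, "domain:" + domain))
    return sorted(hits)


def build_sample_site():
    """Constructed sample tree: a clean core file, a dropped file, and a tampered plugin file."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = '6.x';\n",
        "wp-includes/bookmark-canonical.php": "<?php /* constructed stand-in for dropped file */\n",
        "wp-content/plugins/gravityforms/common.php": (
            "<?php\n// constructed: legitimate filename with the backdoor token planted in it\n"
            "if ( $_POST['gf_api_token'] === '" + IOC_TOKEN + "' ) { /* ... */ }\n"
        ),
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root


# Constructed sample lines: one inbound access-log entry from a listed IP, one benign
# entry, and one egress-proxy entry showing the site calling the C2 domain.
SAMPLE_LOG = [
    '193.160.101.6 - - [10/Jul/2025:10:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jul/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 4096',
    "2025-07-10T10:00:02Z proxy CONNECT gravityapi.org:443 from 10.0.0.12 (php-fpm)",
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print("log hit:", hit)
    for hit in scan_wordpress_root(build_sample_site()):
        print("file hit:", hit)
```

On a real host, point `scan_wordpress_root` at the document root and feed `scan_log_lines` the access and egress logs; a `dropped-file` or `token` hit should be treated as confirmed compromise, not just as a 2.9.12 install to upgrade, since the backdoor's user-creation and file-write actions may already have run.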
Read more: https://patchstack.com/articles/critical-malware-found-in-gravityforms-official-plugin-site/