Doctor Web uncovered Linux.BackDoor.WordPressExploit.1, a Linux backdoor that hacks WordPress sites by exploiting outdated plugins and themes to inject malicious JavaScript that redirects visitors. A second variant, Linux.BackDoor.WordPressExploit.2, expands the list of vulnerable add-ons and updates its C2 infrastructure, with potential future admin brute-force capabilities. #LinuxBackDoorWordPressExploit1 #Zotabox
Key points
- The backdoor targets 32-bit Linux distributions (and also runs on 64-bit ones) and is remotely controllable by its operators.
- It hacks WordPress sites by exploiting vulnerabilities in plugins and themes to inject a malicious JavaScript that redirects users upon clicks.
- The infection chain starts with contacting a C&C server to receive the site address to compromise, followed by exploitation of listed vulnerable plugins/themes.
- Exploited plugins/themes include WP Live Chat Support, Yuzo Related Posts, Yellow Pencil Visual Theme Customizer, Easysmtp, WP GDPR Compliance, Newspaper Theme (CVE-2016-10972), Thim Core, Google Code Inserter, Total Donations, Post Custom Templates Lite, WP Quick Booking Manager, Zotabox’s Facebook Live Chat, Blog Designer, WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233), WP-Matomo Integration, ND Shortcodes for Visual Composer, WP Live Chat, Coming Soon Page and Maintenance Mode, and Hybrid.
- The malicious JavaScript is downloaded from a remote server and injected so that it runs before the rest of the page loads, enabling redirects to attacker-controlled sites.
- A newer variant, Linux.BackDoor.WordPressExploit.2, adds more vulnerable plugins/themes (Brizy, FV Flowplayer, WooCommerce, Coming Soon Page, OneTone, Simple Fields, Delucks SEO, OpinionStage, Social Metrics Tracker, WPeMatico RSS Fetcher, Rich Reviews).
- Both variants show potential unimplemented functionality for brute-forcing administrator accounts, which could be used in future versions to compromise patched sites.
- Authors recommend keeping WordPress core, plugins, and themes up-to-date and using strong, unique credentials.
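The injection described above (an externally hosted script placed so it runs first on page load) leaves a footprint a site owner can check for. The following is an added example, not code from the Doctor Web report: it scans a page's HTML for externally sourced script tags, skips those served by the site itself or an allow list, and reports each hit with its rank among the page's scripts, so a foreign script at rank 0 stands out. The sample pages and hostnames are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample pages (not taken from the report). The site host is assumed
# to be example-blog.test; the injected script host is a placeholder.
CLEAN_HTML = """<!DOCTYPE html><html><head><meta charset="utf-8"><title>Blog</title>
<script src="https://example-blog.test/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><p>Hello</p></body></html>"""

INJECTED_HTML = """<!DOCTYPE html><html><head>
<script src="https://cdn.placeholder-injector.test/inject.js"></script>
<meta charset="utf-8"><title>Blog</title>
<script src="https://example-blog.test/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><p>Hello</p></body></html>"""

# Matches <script ... src="..."> tags; inline scripts (no src) are not the case
# the report describes and are ignored here.
SCRIPT_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def find_suspicious_scripts(html, site_host, allowed_hosts=()):
    """Return (rank, url) for every external script not served by the site
    or an allowed host. Rank 0 means the first script on the page, which is
    where an injection meant to run before everything else would sit."""
    hits = []
    for rank, match in enumerate(SCRIPT_RE.finditer(html)):
        url = match.group(1)
        host = urlparse(url).hostname
        if host is None:  # relative path: served by the site itself
            continue
        if host == site_host or host in allowed_hosts:
            continue
        hits.append((rank, url))
    return hits


def first_script_is_foreign(html, site_host, allowed_hosts=()):
    """True when the very first script on the page comes from an unknown host."""
    hits = find_suspicious_scripts(html, site_host, allowed_hosts)
    return bool(hits) and hits[0][0] == 0


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_HTML), ("injected", INJECTED_HTML)):
        print(label, find_suspicious_scripts(page, "example-blog.test"))
```

Run it against saved copies of your own pages; a legitimate third-party CDN should go in `allowed_hosts` so that only unexpected hosts are reported.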
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The trojan exploits vulnerabilities in WordPress plugins and website themes to gain access and inject a malicious JavaScript into targeted pages. "It uses known vulnerabilities in WordPress plugins and website themes."
- [T1105] Ingress Tool Transfer – The malicious JavaScript is downloaded from a remote server after exploitation. "A malicious JavaScript that is downloaded from a remote server."
- [T1071] Web Protocols – The trojan contacts its C2 server and receives the address of the site it is to infect. "The trojan contacts its C&C server and receives the address of the site it is to infect."
- [T1005] Data from Local System – It tracks statistics on its work, such as the number of attacked websites and exploited vulnerabilities. "The trojan application collects statistics on its work…"
- [T1562.001] Impair Defenses – It can pause logging its actions (defense evasion). "Pause logging its actions."
- [T1110] Brute Force – Unimplemented functionality to hack administrator accounts via brute force with known credentials. "Unimplemented functionality for hacking the administrator accounts … through a brute-force attack."
Indicators of Compromise
- [CVE] CVE-2016-10972 – Vulnerability in Newspaper Theme exploited by Linux.BackDoor.WordPressExploit.1 to gain access to targeted WordPress sites.
- [CVE] CVE-2019-17232 – Vulnerability in WordPress Ultimate FAQ plugin exploited by the malware.
- [CVE] CVE-2019-17233 – Vulnerability in WordPress Ultimate FAQ plugin exploited by the malware.
- [URL] https://st.drweb.com/static/new-www/news/2022/december/inject.1.png – Screenshot illustrating the infected page injection.
- [URL] https://news.drweb.com/show/?i=14646&lng=en&c=23 – Source page detailing Linux.BackDoor.WordPressExploit.1/2.