Hacker Hides Backdoor Inside Fake WordPress Security Plugin

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
A cyber-criminal has hidden the code for a PHP backdoor inside the source code of a WordPress plugin masquerading as a security tool named "X-WP-SPAM-SHIELD-PRO."

The attacker was obviously trying to leverage on the reputation of a legitimate and highly popular WordPress plugin called "WP-SpamShield Anti-Spam," a popular anti-spam tool for self-hosted WordPress sites.

Instead, users who downloaded X-WP-SPAM-SHIELD-PRO got a nasty surprise in the form of a backdoor that allowed the attacker to create his own admin account on the site, upload files on the victim's servers, disable all plugins, and more.
Click to expand...

Security-focused plugin delivers nasty backdoor
All of the malicious behavior was spread across the fake plugin's files. For example:

*class-social-facebook.php - poses as a social media spam protection tool, but the code found within sends a list of the user's plugin list to the attacker and optionally disables all plugins. The reason to disable all plugins is to shut down any other security-focused plugins that block access to login functions or would detect the hacker's unauthorized logins.

*class-term-metabox-formatter.php - sends the user's WordPress version to the attacker.

*class-admin-user-profile.php - sends a list of all WordPress admin users to the attacker.

*plugin-header.php - adds an additional admin user named mw01main.

*wp-spam-shield-pro.php - pings the hacker's server located at mainwall.org, letting the attacker know when a new user installed the fake plugin. The data this file sends over includes user, password, infected site URL, and server IP address.
This latter file also includes code to allow the attacker to upload a ZIP archive on the victim's site, unzip it, and then run the files within.


At the time security researchers found the malicious plugin, the ZIP file offered for download was corrupted, but experts believe the attacker was deploying a tainted version of the well-known All In One SEO Pack WordPress plugin.
Click to expand...

Be careful what you're installing on your WP site
According to Sucuri, the cyber-security company that discovered X-WP-SPAM-SHIELD-PRO, the plugin never made it on the official WordPress Plugins repository, being made available through other sources.
Click to expand...
 
  • Like
Reactions: Parsh, Weebarra, silversurfer and 3 others
You must log in or register to reply here.

Similar threads

nicolaasjan
    • Like
    • +Reputation
Thousands of WordPress sites hacked through tagDiv plugin vulnerability
Replies
0
Views
1,454
News Archive
nicolaasjan
nicolaasjan
Gandalf_The_Grey
    • Like
Malware News Over 6,000 WordPress hacked to install plugins pushing infostealers
Replies
1
Views
1,170
Security News
Victor M
Victor M
[correlate]
    • Like
Jupiter X Core WordPress plugin could let hackers hijack sites
Replies
0
Views
996
News Archive
[correlate]
[correlate]

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top