Cybercriminals use fake WordPress plugins to create backdoors in compromised sites.
Security researchers from the web security and protection company Sucuri have discovered that cybercriminals are using malicious plugins, which hide in plain sight and serve as backdoors, to gain access to and maintain a foothold on WordPress sites.
The firm found that two of these fake plugins with backdoor functionality, named initiatorseo or updrat123 by their creators, were observed cloning the functionality of the popular backup and restore WordPress plugin UpdraftPlus.
Fake plugins can easily be created using automated tools or by injecting malicious payloads such as web shells into the source code of legitimate plugins. These malicious plugins also don’t show up inside a compromised website’s WordPress dashboard, as they were designed to remain out of sight.
Sucuri’s researchers discovered that the plugins will only announce their presence to an attacker if they query the website using a GET request with custom parameters like initiationactivity or testingkey.
Fake WordPress plugins
The main purpose of these fake plugins is to act as backdoors on compromised WordPress sites, giving attackers access to the servers even after the original infection vector has been removed.
The attackers then use these backdoors to upload arbitrary files for malicious purposes to the infected websites’ servers using POST requests. These requests contain parameters with information on the download location URL, the path where files should be written and the name under which the files should be dropped.
Sucuri noted that the attackers had also dropped web shells, malicious scripts that provide remote access to the server, in random locations on the compromised sites’ servers. Randomly named scripts were also uploaded to the sites’ root directories to give the attackers the ability to launch brute-force attacks against other websites.
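The request patterns described above (GET probes carrying the custom parameters and POST uploads to the fake plugin paths) can be hunted for in web server access logs. The following is an added example, not code from Sucuri or the article; it assumes Apache combined log format, uses constructed sample lines, and treats the two plugin slugs and two parameter names from the report as the watch list.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2019:14:02:11 +0000] "GET /wp-content/plugins/initiatorseo/initiatorseo.php?initiationactivity=1 HTTP/1.1" 200 12 "-" "curl/7.64.1"
198.51.100.9 - - [10/Oct/2019:14:02:40 +0000] "POST /wp-content/plugins/updrat123/updrat123.php HTTP/1.1" 200 5 "-" "python-requests/2.22.0"
192.0.2.44 - - [10/Oct/2019:14:03:01 +0000] "GET /?s=backup HTTP/1.1" 200 5831 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2019:14:03:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 48 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query parameter names the report says the backdoors respond to.
TRIGGER_PARAMS = {"initiationactivity", "testingkey"}
# Plugin slugs named in the report; extend with anything not in your own plugin inventory.
SUSPECT_SLUGS = {"initiatorseo", "updrat123"}


def plugin_slug(path):
    """Return the plugin directory name for /wp-content/plugins/<slug>/... paths, else None."""
    segs = path.split("/")
    if len(segs) > 3 and segs[1:3] == ["wp-content", "plugins"]:
        return segs[3]
    return None


def analyze(log_text):
    """Return (ip, reason, detail) tuples for lines matching the backdoor traffic patterns."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        parts = urlsplit(m["target"])
        params = set(parse_qs(parts.query, keep_blank_values=True))
        slug = plugin_slug(parts.path)
        if m["method"] == "GET" and params & TRIGGER_PARAMS:
            # Attacker checking whether the backdoor is present.
            findings.append((m["ip"], "trigger-param", sorted(params & TRIGGER_PARAMS)))
        elif m["method"] == "POST" and slug in SUSPECT_SLUGS:
            # File-drop requests go to the fake plugin's own script via POST.
            findings.append((m["ip"], "post-to-suspect-plugin", [slug]))
    return findings
```

A hit on the trigger parameters is a strong signal on its own, since no legitimate plugin uses them; POSTs to an unknown plugin directory are worth correlating with new files appearing under the web root.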