A brand new malware marketing campaign concentrating on WordPress websites employs a malicious plugin disguised as a safety device to trick customers into putting in and trusting it.
In line with Wordfence researchers, the malware supplies attackers with persistent entry, distant code execution, and JavaScript injection. On the similar time, it stays hidden from the plugin dashboard to evade detection.
Wordfence first found the malware throughout a web site cleanup in late January 2025, the place it discovered a modified ‘wp-cron.php’ file, which creates and programmatically prompts a malicious plugin named ‘WP-antymalwary-bot.php.’
Different plugin names used within the marketing campaign embrace:
- addons.php
- wpconsole.php
- wp-performance-booster.php
- scr.php
If the plugin is deleted, wp-cron.php re-creates and reactivates it mechanically on the following web site go to.
Missing server logs to assist establish the precise an infection chain, Wordfence hypothesizes the an infection happens by way of a compromised internet hosting account or FTP credentials.
Not a lot is understood concerning the perpetrators, although the researchers famous that the command and management (C2) server is situated in Cyprus, and there are traits much like a June 2024 provide chain assault.
As soon as energetic on the server, the plugin performs a self-status examine after which offers the attacker administrator entry.
“The plugin supplies fast administrator entry to menace actors by way of the emergency_login_all_admins operate,” explains Wordfence in its writeup.
“This operate makes use of the emergency_login GET parameter in an effort to enable attackers to acquire administrator entry to the dashboard.”
“If the right cleartext password is supplied, the operate fetches all administrator consumer information from the database, picks the primary one, and logs the attacker in as that consumer.”
Subsequent, the plugin registers an unauthenticated customized REST API route that enables the insertion of arbitrary PHP code into all energetic theme header.php information, clearing of plugin caches, and different instructions processed by way of a POST parameter.
An up to date model of the malware may also inject base64-decoded JavaScript into the positioning’s <head> part, doubtless for serving guests advertisements, spam, or redirecting them to unsafe websites.
Aside from file-based indicators just like the listed plugins, web site homeowners ought to scrutinize their ‘wp-cron.php’ and ‘header.php’ information for sudden additions or modifications.
Entry logs containing ’emergency_login,’ ‘check_plugin,’ ‘urlchange,’ and ‘key’ also needs to function pink flags, warranting additional investigation.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and the way to defend in opposition to them.
