A recent report from researchers at the website security firm Sucuri on malicious WordPress plugins has shaken the crypto community. According to the research, attackers use the malicious plugins to gain covert access to WordPress websites for their own ends, including crypto mining.
According to the reports, some of the fraudulent plugins, equipped with backdoor features and named ‘initiatorseo’ or ‘updrat123’ by their creators, were observed mimicking the internal structure of the WordPress backup plugin UpdraftPlus. That plugin is very popular, with over two million installations at present.
The researchers at Sucuri noted that “The metadata comments within these fake plugins include copies from version 1.16.16 of UpdraftPlus, which was released on July 23rd, 2019.” Such plugins are easy to create, either with ready-to-use automated tools or by adding malicious payloads such as web shells into the source code of the original versions.
One of the prominent features of these malicious plugins is that they stay hidden from users working in the affected website’s WordPress dashboard: they are designed to remain out of sight.
“By default, the plugin hides itself in the WordPress dashboard from anyone who doesn’t use browsers with specific User-Agent strings. These strings vary from plugin to plugin,” revealed the research.
These plugins act as backdoors into the WordPress websites, giving the attackers full access to the servers even after the original infection vector has been removed. The plugin signals back to the attackers when they send a GET request carrying parameters such as ‘initiationactivity’ or ‘testingkey’. Using POST requests, the intruders upload malicious files to the infected websites’ server.
The attackers drop web shells, malicious scripts that give them access to the server. Such scripts have been injected into the sites’ root directories, which in turn lets the attackers conduct brute-force attacks against other websites.
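As an added example that is not part of Sucuri's research or this article, the Python scan below flags the three traits described above in plugin source files: metadata copied from UpdraftPlus under a different directory name, removal from the dashboard plugin list based on the User-Agent, and handling of the ‘initiationactivity’/‘testingkey’ request keys. The plugin sources, the User-Agent string and the function names are constructed for the demonstration.

```python
import re

# Constructed sample plugin sources (not real malware samples) mirroring the traits described.
SAMPLE_PLUGINS = {
    "updrat123/updrat123.php": """<?php
/*
Plugin Name: UpdraftPlus - Backup/Restore
Version: 1.16.16
*/
add_filter('all_plugins', 'ur_hide');
function ur_hide($plugins) {
    if (strpos($_SERVER['HTTP_USER_AGENT'], 'Opera/9.80') === false) {
        unset($plugins['updrat123/updrat123.php']);
    }
    return $plugins;
}
if (isset($_GET['initiationactivity'])) { echo 'active'; }
""",
    "hello-dolly/hello.php": """<?php
/*
Plugin Name: Hello Dolly
Version: 1.7.2
*/
add_action('admin_head', 'dolly_css');
""",
}

# Request parameters the article names as the backdoor's signal keys.
SIGNAL_KEYS = ("initiationactivity", "testingkey")

def header_field(source, field):
    """Read one field from the WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*" + field + r":\s*(.+)$", source, re.M)
    return m.group(1).strip() if m else ""

def scan_plugin(path, source):
    """Return the suspicious traits found in one plugin file."""
    findings = []
    slug = path.split("/")[0]
    name = header_field(source, "Plugin Name")
    # Trait 1: header claims to be UpdraftPlus but lives under another slug.
    if "updraftplus" in name.lower() and slug != "updraftplus":
        findings.append("impersonates UpdraftPlus under slug %r" % slug)
    # Trait 2: filters the plugin list and branches on the User-Agent.
    if "all_plugins" in source and "HTTP_USER_AGENT" in source:
        findings.append("hides from plugin list based on User-Agent")
    # Trait 3: reads the request keys used to signal the attackers.
    for key in SIGNAL_KEYS:
        if re.search(r"\$_(GET|POST|REQUEST)\[['\"]%s['\"]\]" % key, source):
            findings.append("responds to request key %r" % key)
    return findings

def scan_all(plugins=SAMPLE_PLUGINS):
    """Map each plugin path to its findings, omitting clean plugins."""
    results = {}
    for path, source in plugins.items():
        findings = scan_plugin(path, source)
        if findings:
            results[path] = findings
    return results

if __name__ == "__main__":
    for path, findings in scan_all().items():
        print(path, "->", "; ".join(findings))
```

In a real audit, point the scan at the files under wp-content/plugins and compare the result with the plugin list shown in the admin dashboard; any plugin present on disk but absent from the dashboard deserves a closer look.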
“While none of the approaches used by this attack are new, it clearly demonstrates how cleaning only the visible parts of infection is not enough,” said the researchers. They added that “Sometimes backdoors come in the form of WordPress plugins that might not even be visible from the admin interface.”
The researchers concluded: “Additionally, compromised websites may be used for malicious activity that is completely invisible from outside, including DDoS and brute-force attacks, mailing tons of spam, or crypto mining.”