What damage can a new admin do to your site? Defiant analysts found out.

Carding 4 Carders

Now you need to carefully monitor how your site looks through the user's eyes.

Defiant specialists have discovered a new malware that disguises itself as a legitimate caching plugin and infects WordPress sites, allowing attackers to create an administrator account and monitor site activity.

The malware is a backdoor with many functions that allow attackers to manage plugins and hide on infected sites, replace content, or redirect certain users to malicious resources.

Defiant, the developer of the Wordfence security plugin for WordPress, discovered the malware code in July during a site cleanup. Upon closer examination of the backdoor, the researchers noticed that at the beginning of the code is a "professionally executed introductory comment" that mimics a caching tool that usually helps reduce server load and improve page loading time.

Masquerading as such a tool seems deliberate – this is how cybercriminals ensured the "invisibility" of the backdoor during manual verification. The malicious plugin is also configured to exclude itself from the list of "active plugins" to avoid detection.

The malware has the following features:
  1. Create users – This function creates a user named "superadmin" with a hard-coded password and administrator rights, while a second function can delete this user to erase any traces of infection.
  2. Creating a fake administrator on the site.
  3. Bot detection – When users are identified as bots (for example, search robots), the malicious code serves them different content, such as spam, which leads to the infected site being indexed with malicious content.
  4. Content replacement – The malicious code can change the content of pages by inserting spam links or buttons. At the same time, site administrators are shown the original, unchanged content to hide the fact of compromise.
  5. Plugin management – Malware operators can remotely activate or deactivate custom WordPress plugins on an infected site, as well as clear their traces in the site's database.
  6. Remote call – The backdoor checks certain user-agent strings, allowing attackers to remotely activate various malicious functions.

Malware features provide hackers with everything they need to remotely manage and monetize an infected site, which harms the site's SEO rating and user privacy. At the moment, Defiant does not provide details on the number of compromised sites, and researchers have not yet determined the initial access vector.

Note that typical site compromise methods include using stolen credentials, brute-forcing, or exploiting a vulnerability in an existing plugin or theme. Therefore, site owners should use strong and unique credentials for administrators' accounts, update plugins, and delete unused add-ons and inactive users.
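Two of the behaviours above (hiding from the "active plugins" list and adding a "superadmin" administrator) can be checked from outside WordPress's own option API. The script below is an added illustration, not code from the post or from Defiant: it parses the raw PHP-serialized `active_plugins` value as stored in `wp_options`, diffs it against what the running site reports, and flags administrator logins not on an allow-list. The plugin slug `example-cache/example-cache.php`, the user rows and the allow-list are constructed sample data, and only ASCII plugin paths are assumed (PHP lengths are in bytes).

```python
import re

# Constructed sample: the raw wp_options.active_plugins row (PHP-serialized).
# "example-cache/example-cache.php" is a placeholder, not the real plugin's name.
DB_ACTIVE_PLUGINS = (
    'a:3:{i:0;s:19:"akismet/akismet.php";'
    'i:1;s:9:"hello.php";'
    'i:2;s:31:"example-cache/example-cache.php";}'
)
# Constructed sample: what WordPress itself reports as active (admin screen or
# `wp plugin list --status=active`). A plugin filtering the option hides here.
REPORTED_ACTIVE = ["akismet/akismet.php", "hello.php"]
# Constructed sample rows: (user_login, role) from wp_users joined with usermeta.
USERS = [("alice", "administrator"), ("editor1", "editor"), ("superadmin", "administrator")]
ALLOWED_ADMINS = {"alice"}

_ITEM = re.compile(r'i:\d+;s:(\d+):"')


def parse_php_string_array(blob: str) -> list[str]:
    """Parse a PHP-serialized array of strings, honouring the declared lengths
    so a malformed or tampered value raises instead of silently truncating."""
    head = re.match(r"a:(\d+):\{", blob)
    if not head:
        raise ValueError("not a serialized PHP array")
    count, pos, items = int(head.group(1)), head.end(), []
    for _ in range(count):
        m = _ITEM.match(blob, pos)
        if not m:
            raise ValueError(f"unexpected token at offset {pos}")
        length, start = int(m.group(1)), m.end()
        value = blob[start:start + length]
        if blob[start + length:start + length + 2] != '";':
            raise ValueError("string length does not match declared size")
        items.append(value)
        pos = start + length + 2
    return items


def hidden_plugins(db_blob: str, reported: list[str]) -> set[str]:
    """Plugins active in the database but absent from what WordPress reports."""
    return set(parse_php_string_array(db_blob)) - set(reported)


def unexpected_admins(users, allowed: set[str]) -> set[str]:
    """Administrator logins that are not on the site owner's allow-list."""
    return {login for login, role in users if role == "administrator" and login not in allowed}


if __name__ == "__main__":
    print("hidden active plugins:", hidden_plugins(DB_ACTIVE_PLUGINS, REPORTED_ACTIVE))
    print("unexpected admins:", unexpected_admins(USERS, ALLOWED_ADMINS))
```

Run it against a database dump taken with the site offline, or via a direct SQL query, so the plugin's own filters cannot influence what you read.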