
Discovery of the Backdoor Malware by Defiant
Security analysts from Defiant, creators of the Wordfence security plugin for WordPress, detected an unfamiliar malware during a website cleanup in July. The newly discovered malware presented a sophisticated threat with features designed to stealthily infiltrate and compromise WordPress sites, while masquerading as a legitimate plugin.
Operating Environments of the Malware
The backdoor malware was specifically built to run inside a WordPress installation, where it had unrestricted access to the plugins installed on the site. This position allowed it to operate discreetly and manipulate site behaviour without being noticed.
Mimicking a Legitimate Caching Plugin
One method the malware used to evade detection was to disguise itself as a legitimate caching plugin. Caching plugins normally reduce server load and improve page load times, so imitating one was a deliberate choice to look unremarkable during manual inspection.
Ability to Hide in Activated Plugins List
The deceptive malware also had the functionality to exclude itself from the list of “active plugins”, providing yet another layer of camouflage to evade scrutiny. This feature made it even more difficult to identify and isolate the malware, thereby amplifying the threat it posed to WordPress websites.
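One practical way to surface a plugin that removes itself from the reported list, as an added example (not code from the article or from Defiant): read the raw `active_plugins` option straight from the database and compare it with the list WordPress reports. The plugin slug used in the sample is a hypothetical placeholder.

```python
# Added defender-side check; this is not code from the original article or
# from Defiant/Wordfence.  It assumes the concealment works by filtering the
# plugin list WordPress reports, so the raw `active_plugins` row in the
# database (wp_options) still contains the hidden plugin: WordPress has to
# read that row to load the plugin at all.
import re

def parse_php_string_array(serialized: str) -> list[str]:
    """Parse a PHP-serialized array of strings, the storage format of the
    `active_plugins` option, e.g. a:1:{i:0;s:19:"akismet/akismet.php";}.
    Only the integer-keyed, ASCII case WordPress writes is handled."""
    head = re.match(r"a:(\d+):\{", serialized)
    if not head:
        raise ValueError("not a serialized PHP array")
    count, pos, items = int(head.group(1)), head.end(), []
    for _ in range(count):
        entry = re.match(r'i:\d+;s:(\d+):"', serialized[pos:])
        if not entry:
            raise ValueError(f"unexpected token at offset {pos}")
        start = pos + entry.end()
        length = int(entry.group(1))          # byte length of the string
        items.append(serialized[start:start + length])
        pos = start + length + 2              # skip the closing '";'
    if serialized[pos:pos + 1] != "}":
        raise ValueError("array not terminated")
    return items

def hidden_plugins(stored_option: str, reported_active: list[str]) -> list[str]:
    """Plugins present in the stored option but absent from the list
    WordPress reports as active (e.g. `wp plugin list --status=active`)."""
    return [p for p in parse_php_string_array(stored_option)
            if p not in reported_active]

# Constructed sample: the raw option_value as read with a direct SQL query,
# and the list WordPress reported.  The caching-plugin slug is a hypothetical
# placeholder, not the real malware's name.
STORED_OPTION = ('a:3:{i:0;s:19:"akismet/akismet.php";'
                 'i:1;s:29:"wp-cache-pro/wp-cache-pro.php";'
                 'i:2;s:21:"hello-dolly/hello.php";}')
REPORTED_ACTIVE = ["akismet/akismet.php", "hello-dolly/hello.php"]

if __name__ == "__main__":
    for plugin in hidden_plugins(STORED_OPTION, REPORTED_ACTIVE):
        print(f"active in the database but not reported: {plugin}")
```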
Functionality and Features of the Backdoor Malware
The backdoor malware found on WordPress websites demonstrated some unique and dangerous features. These features allowed it to function as more than just a simple plugin; it also operated as a standalone script with broad manipulative capabilities.
Creation of Administrator Access
One of the significant functionalities of the malware was its ability to create an administrator account. This feature allowed threat actors to gain administrative access to the compromised website. Consequently, threat actors gained an unhindered pathway to control the website's activity, further compromising its security and functionality.
Manipulation of Other Plugins
The malware wasn't just proficient in creating a rogue admin account. Its capabilities also extended to the ability to remotely activate and deactivate other plugins on the compromised website. This function provided an additional layer of control, allowing the malware to alter the website's features and services according to the attacker's preferences.
Pinging Feature for Functionality Confirmation
A distinctive feature of the malware was its built-in pinging capability. This feature allowed threat actors to periodically confirm that the malware was functioning as expected on the compromised website. This reassurance encouraged the continuous exploitation of the site, making the malware a robust and persistent security threat.
Deception Techniques and Delivery of Malicious Content
The backdoor malware exhibited not only advanced operational capabilities but also sophisticated deception techniques. Its ability to deliver malicious content discreetly and effectively made it a formidable security threat.
Bot Detection and Content Delivery
The malware was equipped with a bot detection function that served different content to different visitors based on specific filters. When a visitor was identified as a bot, such as a search engine crawler, the malware served it malicious content, typically spam. This led to those crawlers indexing the compromised site for that content.
Manipulation of Search Engine Traffic
By targeting search engines, the malware succeeded in manipulating the indexing process to drive more traffic to the compromised website. This tactic yielded spam-based traffic, causing website administrators to observe a sudden increase in visitor numbers. It also resulted in user complaints about being redirected to malicious sites.
Admin Checks and Content Delivery
In another tactical move, the malware included a function to perform admin checks. If the user was identified as an administrator, the malware would serve an unmodified version of the website, effectively disguising its presence and delaying the discovery of the compromise.
Insertion of Spam on Web Pages
Beyond this, the malware could also tamper with the site's own content, altering posts and pages by inserting spam links or buttons. This covert technique provided yet another channel for spreading the malicious content, reinforcing the compromised site's role as an unwilling participant in the attackers' schemes.
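The bot detection, admin check and spam insertion described above all amount to cloaking: the crawler sees content the ordinary visitor does not. As an added example (not code from the article or from Wordfence), the check below compares the links in a page fetched with a crawler User-Agent against the same page fetched as a regular browser; the fetch step is left to the caller and the two HTML documents are constructed samples.

```python
# Added example, not code from the original article or from Wordfence.  It
# demonstrates the cloaking check implied above: fetch the same URL once
# with a search-engine crawler User-Agent and once as an ordinary browser,
# then report links that only the crawler was shown.  The fetch is left to
# the caller; the two HTML documents below are constructed samples.
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect href values of <a> tags."""
    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

def extract_links(html: str) -> set[str]:
    collector = _LinkCollector()
    collector.feed(html)
    return set(collector.hrefs)

def cloaked_links(crawler_html: str, browser_html: str,
                  site_host: str) -> dict[str, list[str]]:
    """Links present in the crawler view but missing from the browser view,
    split into off-site targets (the usual spam signal) and same-site ones."""
    only_crawler = extract_links(crawler_html) - extract_links(browser_html)
    offsite = sorted(h for h in only_crawler
                     if urlparse(h).netloc not in ("", site_host))
    onsite = sorted(only_crawler - set(offsite))
    return {"offsite": offsite, "onsite": onsite}

# Constructed samples: what a crawler and an ordinary visitor would receive.
CRAWLER_VIEW = ('<html><body><h1>Welcome</h1><a href="/about">About</a>'
                '<div style="display:none">'
                '<a href="https://spam.example.invalid/pharma">pills</a>'
                '<a href="https://spam.example.invalid/casino">casino</a>'
                '<a href="/tag/free-bonus">bonus</a></div></body></html>')
BROWSER_VIEW = ('<html><body><h1>Welcome</h1><a href="/about">About</a>'
                '</body></html>')

if __name__ == "__main__":
    print(cloaked_links(CRAWLER_VIEW, BROWSER_VIEW, "shop.example.invalid"))
```

Because the admin check serves administrators the clean page, run the crawler-side fetch from a logged-out session or a separate host, not from the browser you administer the site with.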
Removal and Remote Control Functions of the Malware
The backdoor malware was not designed only for infiltration and control; it also included functions for cleaning up its own visible traces and for continued remote control after that cleanup.
Cleanup Functions of the Malware
The malware was equipped with orderly cleanup functions. It could remove the malicious content and administrator users it had previously created. This feature allowed for an efficient cleanup of the visible damages caused by the malware, making it even harder to detect and trace its operations.
Continued Control after Cleanup
Even after this supposed cleanup, the malware continued to remotely control and monetize the victim websites. Unlike some other types of malware that cease operation after cleanup, this backdoor maintained a persistent presence, keeping control over the compromised sites to serve the attackers' ends.
Remote Manipulation Features
Marrying sophistication with precision, the malware was also designed with specific functions to facilitate remote manipulation of infected websites. The attackers could invoke various malicious activities remotely, putting the victim sites under their unyielding control and exploitation. This further magnifies the threat the malware poses to WordPress websites, emphasizing the importance of robust cybersecurity practices for website protection.