Once again, hackers have devised a new strategy to infect WordPress websites. This time, researchers have found them deploying fake WordPress plugins that mimic UpdraftPlus. These plugins carry backdoor functionality and also hide themselves from the dashboard to evade detection.
Fake UpdraftPlus WordPress Plugins
A recent blog post by Sucuri has disclosed malicious plugins targeting WordPress sites. They have specifically found some fake UpdraftPlus plugins that infect WordPress sites to execute other malicious activities.
Specifically, the researchers noticed that fake plugins named initiatorseo or updrat123 mimic the functionality of the popular backup/restore WP plugin UpdraftPlus. Their metadata copies that of UpdraftPlus version 1.16.16, released in July this year.
Attackers are actively targeting WordPress websites via these fake plugins. What adds to their maliciousness is their ability to hide from the dashboard.
By default, the plugin hides itself in the WordPress dashboard from anyone who doesn’t use browsers with specific User-Agent strings. These strings vary from plugin to plugin.
Nonetheless, the plugins can still signal their presence to the attackers: the plugin reports itself when a request carries a specific GET parameter, such as initiationactivity or testingkey.
Plugins Serving As Backdoor
According to the researchers, these fake plugins serve as a backdoor that helps the attackers gain control of the web server. Exploiting these plugins allows hackers to upload arbitrary files to the affected websites.
For this, they use POST requests that include the URL from which the file is to be downloaded. The POST parameter names are unique to each plugin and also specify the file name and path under which the file is written.
During their analysis, the researchers found attackers using the backdoor to upload web shells at random locations. They also used the backdoor to upload files with arbitrary file names to site root directories, which were then used for brute force attacks on other websites.
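As an added example that is not part of the Sucuri write-up or this article, the following Python script applies the indicators described above (the probe parameters initiationactivity and testingkey, and the plugin directory names initiatorseo and updrat123) to web-server access logs so a site owner can check whether a hidden plugin has been contacted. The log format regex, the sample log lines and the function names are constructed for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the write-up summarised above.
FAKE_PLUGIN_DIRS = {"initiatorseo", "updrat123"}
PROBE_PARAMS = {"initiationactivity", "testingkey"}

# Combined log format (Apache/nginx default); constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def classify(line):
    """Return the reasons a log line looks like fake-plugin traffic ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("uri"))
    # keep_blank_values so a bare "?testingkey" (no value) is still seen.
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    hits = PROBE_PARAMS & set(params)
    if hits:
        reasons.append("probe parameter: " + ",".join(sorted(hits)))
    segments = parts.path.split("/")
    if "plugins" in segments:
        idx = segments.index("plugins")
        if idx + 1 < len(segments) and segments[idx + 1] in FAKE_PLUGIN_DIRS:
            reasons.append(f"{m.group('method')} to fake plugin dir {segments[idx + 1]!r}")
    if reasons:
        # The User-Agent is kept for triage: hidden plugins unhide for specific UAs.
        reasons.append(f"ua={m.group('ua')!r} ip={m.group('ip')}")
    return reasons

def scan(lines):
    """Return [(line_number, reasons)] for every suspicious line in the log."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := classify(line))]

# Constructed sample log: one probe request, one POST to the fake plugin,
# and two benign requests (including the genuine updraftplus directory).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2019:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2019:12:00:02 +0000] "GET /?initiationactivity=1 HTTP/1.1" 200 56 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2019:12:00:03 +0000] "POST /wp-content/plugins/updrat123/updrat123.php HTTP/1.1" 200 12 "-" "curl/7.64"
192.0.2.9 - - [10/Oct/2019:12:00:04 +0000] "GET /wp-content/plugins/updraftplus/css/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"line {n}: " + "; ".join(reasons))
```

Pair the log check with a directory listing of wp-content/plugins, since the dashboard list cannot be trusted once a plugin filters itself out of it.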
WordPress plugins have long been a route for attackers to target various websites. Therefore, prior to setting up a WordPress site, it is imperative for the owner to familiarise themselves with the possible security threats to the site and the ways to fend off such attacks.
Let us know your thoughts in the comments.