Hackers are using malicious plugins that hide in plain sight and serve as backdoors to gain and maintain a foothold on WordPress websites, and to upload web shells and scripts for brute-force attacks against other sites.
For example, some of these fake backdoor plugins, named initiatorseo or updrat123 by their developers, were found to be clones of the very popular WordPress backup/restore plugin UpdraftPlus, which currently has more than two million active installs.
“The metadata comments of those fake plugins include copies of version 1.16.16 of UpdraftPlus, which was released on 23 July 2019,” found researchers at Sucuri, a website security and protection company.
Such plugins could easily be created with automated tools, or by inserting malicious payloads such as web shells into the source code of legitimate ones.
Fake UpdraftPlus WordPress plugin
Hiding from strangers
The malicious plugin will not show up in the WordPress dashboard of the compromised website, because it is designed to stay out of sight until someone who knows it is there wants to see it.
“The plugin is automatically hidden from anyone who does not use specific User-Agent strings when viewing the plugins in the WordPress dashboard. These strings differ from plugin to plugin,” the researchers said.
In addition, the plugin will reveal its presence if the attackers query the website with a GET request carrying specific parameters, such as one that triggers an initialization routine or one that acts as a test switch.
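As an added example that is not Sucuri's code or anything from the plugins described, the Python scanner below applies two of the indicators in the sections above to a wp-content/plugins tree on disk: a plugin file declaring the UpdraftPlus header under a directory slug other than the official one, and a plugin file that hooks WordPress's all_plugins filter while reading the request's User-Agent, which is one way a plugin can remove itself from the dashboard list. The slug names, file layout and detection strings are assumptions, and the sample tree is constructed.

```python
import os
import re
import tempfile
# Fields WordPress reads from the header comment of a plugin's main file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)

def parse_plugin_header(src: str) -> dict:
    """Return the Plugin Name / Version fields declared in a plugin file."""
    return dict(HEADER_RE.findall(src))

def scan_plugins_dir(plugins_dir: str) -> list:
    """Flag UpdraftPlus metadata under a foreign slug, or User-Agent based list hiding."""
    findings = []
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_dir):
            continue
        for fname in sorted(os.listdir(plugin_dir)):
            if not fname.endswith(".php"):
                continue
            with open(os.path.join(plugin_dir, fname), encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            header = parse_plugin_header(src)
            reasons = []
            if header.get("Plugin Name", "").lower() == "updraftplus" and slug != "updraftplus":
                reasons.append("UpdraftPlus header under non-official slug")
            if "all_plugins" in src and "HTTP_USER_AGENT" in src:
                reasons.append("User-Agent based hiding from plugin list")
            if reasons:
                findings.append({"slug": slug, "file": fname, "reasons": reasons})
    return findings

# Constructed sample tree (not real malware): the genuine slug and a clone named
# like the one in the article, carrying the same header plus a hiding hook stub.
SAMPLE_FILES = {
    "updraftplus/updraftplus.php": "<?php\n/*\nPlugin Name: UpdraftPlus\nVersion: 1.16.16\n*/\n",
    "initiatorseo/initiatorseo.php": "<?php\n/*\nPlugin Name: UpdraftPlus\nVersion: 1.16.16\n*/\n"
    "add_filter('all_plugins', 'hide_me'); // hide_me() checks $_SERVER['HTTP_USER_AGENT']\n",
}

def demo() -> list:
    """Write the sample tree into a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_plugins_dir(root)
```

Running `demo()` flags only the initiatorseo directory, for both reasons; point `scan_plugins_dir` at a real plugins directory to triage a site.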
The main purpose of these fake plugins is to act as backdoors on the infected websites, giving the hackers access to the servers even after the original infection vector has been closed.
File uploading functionality
Hackers use the backdoors to upload arbitrary files to the servers of compromised websites via POST requests, for malicious purposes.
Such requests contain parameters giving the URL of the file to upload, the file path, and the name under which the file should be saved.
Sucuri observed web shells, malicious scripts that provide remote access to the server, dropped in random locations on the servers of the affected sites.
Brute-force scripts also dropped
Brute-force scripts were also added to the root directories of the websites so that the attackers could launch brute-force attacks against other websites, making it much easier and faster to check huge lists of credentials against a single website's login system.
“Although none of the approaches used for this attack are novel, it clearly shows how cleaning only the visible portions of an infection is insufficient,” concluded Sucuri. “Often backdoors come as WordPress plugins that might not even be accessible through the admin interface.
In addition, compromised websites can be used for malicious activity that goes completely unnoticed from the outside, such as DDoS and brute-force attacks, sending loads of spam, or cryptomining.”