Posted on December 31, 2022 at 3:27 PM
Linux malware exploits 30 vulnerabilities
The details of this malware were revealed in a report by the Dr. Web antivirus vendor. The Linux malware targets the 32-bit and the 64-bit Linux system. It allows the malicious player to have the ability to run remote commands.
The malware operates like a trojan. The main goal behind the trojan is to gain unauthorized access to WordPress sites. The malware accesses these sites using multiple hardcoded exploits that have been run successively by the attackers. The attacker will run the exploits until one of them is successful.
The plugins and themes targeted in the exploit are WP Live Chat Support Plugin, WordPress-Yuzo Related Posts, Yellow Pencil Visual Theme Customizer Plugin, Easysmtp, WP GDPR Compliance Plugin, Newspaper Theme on WordPress Access Control, Thim Core, and Google Code Inserter.
The other targeted plugins are Total Donation Plugin, Post Custom Templates Lite, WP Quick Booking Manager, Facebook Lice Chat by Zotabox, Blog Designer WordPress Plugin, WordPress Ultimate FAQ, and WP-Matomo Integration. WordPress ND Shortcodes for Visual Composer, WP Live Chat, Coming Soon Page, Maintenance Mode, and Hybrid.
The infected pages will be used to redirect to a location that the hacker has selected. Therefore, this scheme is most effective on sites that have been abandoned. The redirection will also be used to run other campaigns, such as phishing attacks and distributing malware. The attacker can also run malvertising campaigns while avoiding detection and blockage.
The operators of this malware might also be extending the services to other cybercriminals that want to run malicious campaigns. This strategy allows the operators to extend the scope by which the malware operates.
Dr. Web also observed and detected an updated version of this payload in the wild. The payload targets multiple WordPress add-ons such as Brizy WordPress Plugin, FV FlowPlayer Video Player, WooCommerce, WordPress Coming Soon Page, WordPress theme OneTone, Simple Fields WordPress Plugin, WordPress Delucks SEO plugin, Poll survey Form & Quiz Maker by OpinionStage, Social Metrics Tracker, WPeMatico RSS Feed Fetcher and Rich Reviews plugin.
The fact that the updated version of the malware is targeting these add-ons shows this backdoor’s active development. The report by Dr. Web further noted that the two variants came with inactive functionality. However, this functionality would support brute-forcing attacks against the accounts of the website administrators.
The WordPress website administrators need to upgrade to the latest version and defend against the threat actors. Upgrading to the latest version of the themes and plugins running on the website and replacing the tools that are no longer under development with alternatives still being supported can also defend against the attacks.
The other alternative that the threat actors have to defend against these exploits is to use strong passwords and set up a two-factor authentication mechanism to protect against brute-force attacks.
WordPress gift card plugin exploited
This is not the first exploit detected on WordPress of late. Hackers have also been active in targeting a critical vulnerability in YITH WooCommerce Gift Cards Premium, a WordPress plugin that has been integrated in over 50,000 websites. Website operators use the plugin to sell gift cards in online stores.
The vulnerability is tracked as CVE-2022-45359. It allows unauthenticated hackers to upload files to the affected websites. This includes web shells that offer full access to this website.
The CVE-2022-45359 vulnerability was revealed to the public on November 22, 2022. The bug has affected all the plugin versions up to 3.19.0. The bug was solved through a security update version 3.20.0. The vendor also recently upgraded to version 3.21.0, and users are being advised to upgrade to this version.
However, it appears that the bug will continue to wreak havoc as many websites use an old version that was vulnerable to attacks. The hackers have also developed a working exploit to attack these sites. Therefore, defending against this attack depends on the upgrades made.