Malicious WordPress Plugin Masquerades as Security Tool, Grants Remote Access to Attackers
- Jhade
- May 2
- 1 min read

A newly discovered malware campaign is targeting WordPress websites by disguising a malicious plugin as a legitimate security tool. The plugin, named "WP-antymalwary-bot.php," provides attackers with unauthorized administrator access and the ability to execute remote code.
Stealthy Features and Persistence Mechanisms
Once installed, the plugin employs several tactics to maintain its presence and avoid detection:
- Hidden Admin User: Creates a concealed administrator account named 'wpsecuritypatch' to ensure continued access.
- Backdoor Installation: Downloads a base64-encoded backdoor payload from a command-and-control server, saving it as 'wp-autoload.php' in the website's root directory.
- Advanced Capabilities: The backdoor includes file management tools, a SQL client, a PHP console, and a command-line terminal, providing attackers with extensive control over the compromised site.
- Plugin Concealment: Hides itself from the list of installed plugins, making manual inspection of the site's root directory necessary for detection and removal.
Recommendations for Website Administrators
WordPress site administrators are advised to:
- Verify Plugin Sources: Only download plugins from trusted sources, such as the official WordPress Plugin Repository.
- Inspect for Unauthorized Users: Regularly check for unfamiliar administrator accounts, particularly one named 'wpsecuritypatch'.
- Scan for Hidden Files: Look for suspicious files in the site's root directory, including 'wp-autoload.php'.
- Maintain Updated Security Measures: Keep all plugins, themes, and the WordPress core updated to the latest versions, and employ reputable security plugins to monitor for unusual activity.
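The file-system checks above (a dropped 'wp-autoload.php' in the root, and a plugin that hides itself from the dashboard but still sits on disk) can be run offline against a copy of the install tree. The script below is an added example, not code from the article or the campaign; the core root file list is WordPress 6.x as shipped, the sample tree is constructed, and the hidden 'wpsecuritypatch' account is a database check it does not cover.

```python
"""Offline triage of a WordPress install tree for the indicators in the article."""
from pathlib import Path
import tempfile

# PHP files WordPress 6.x ships in its root; any other .php there is worth a look.
CORE_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
# Filenames reported for this campaign (taken from the article).
KNOWN_BAD = {"wp-autoload.php", "WP-antymalwary-bot.php"}

def unexpected_root_php(wp_root: Path) -> list[str]:
    """PHP files in the site root that are not part of WordPress core."""
    return sorted(p.name for p in wp_root.glob("*.php") if p.name not in CORE_ROOT_PHP)

def plugin_files_on_disk(wp_root: Path) -> list[str]:
    """Every plugin PHP file actually present, to compare against the dashboard's
    plugin list. A plugin that hides itself from the dashboard still shows up here."""
    plugins = wp_root / "wp-content" / "plugins"
    return sorted(str(p.relative_to(plugins)) for p in plugins.rglob("*.php"))

def triage(wp_root: Path) -> dict:
    """Collect the findings; 'known_bad' lists the campaign's filenames that were seen."""
    root_hits = unexpected_root_php(wp_root)
    plugin_hits = plugin_files_on_disk(wp_root)
    seen = root_hits + [Path(p).name for p in plugin_hits]
    return {
        "unexpected_root_php": root_hits,
        "plugin_files": plugin_hits,
        "known_bad": sorted(f for f in seen if f in KNOWN_BAD),
    }

def build_sample_tree() -> Path:
    """Constructed sample install (not a real site): a core-looking root plus both indicators."""
    root = Path(tempfile.mkdtemp())
    for name in ("index.php", "wp-load.php", "wp-config.php", "wp-autoload.php"):
        (root / name).write_text("<?php\n")
    (root / "wp-content" / "plugins" / "akismet").mkdir(parents=True)
    (root / "wp-content" / "plugins" / "akismet" / "akismet.php").write_text("<?php\n")
    (root / "wp-content" / "plugins" / "WP-antymalwary-bot.php").write_text("<?php\n")
    return root

if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

Point `triage()` at a real document root (or a forensic copy of it) and compare `plugin_files` with what the WordPress dashboard shows; any file on disk that the dashboard does not list is exactly the concealment the article describes.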