A new malware campaign has compromised more than 5,000 WordPress sites to create admin accounts, install a malicious plugin, and steal data.
Researchers at webscript security company c/side discovered during an incident response engagement for one of their clients that the malicious activity uses the wp3[.]xyz domain to exfiltrate data but have yet to determine the initial infection vector.
After compromising a target, a malicious script loaded from the wp3[.]xyz domain creates the rogue admin account wpx_admin with credentials available in the code.
Source: c/side
The script then proceeds to install a malicious plugin (plugin.php) downloaded from the same domain, and activates it on the compromised website.
According to c/cide, the purpose of the plugin is to collect sensitive data, like administrator credentials and logs, and send it to the attacker’s server in an obfuscated way that makes it appear as an image request.
The attack also involves several verification steps, such as logging the status of the operation after the creation of the rogue admin account and verifying the installation of the malicious plugin.
Blocking the attacks
c/side recommends that website owners block the ‘wp3[.]xyz’ domain using firewalls and security tools.
Moreover, admins should review other privileged accounts and the list of installed plugins, to identify unauthorized activity, and remove them as soon as possible.
Finally, it is recommended that CSRF protections on WordPress sites be strengthened via unique token generation, server-side validation, and periodic regeneration. Tokens should have a short expiration time to limit their validity period.
Implementing multi-factor authentication also adds protection to accounts with credentials that have already been compromised.
