A new and highly deceptive cybersecurity threat has emerged targeting WordPress websites. Cybercriminals have developed a fake WordPress security plugin that poses as protection for a site but in reality grants attackers remote administrative access.
How the Attack Works
The fake WordPress security plugin masquerades as a legitimate security tool. One of the known malicious files is named WP-antymalwary-bot.php. This file acts as the core backdoor, granting remote admin access and hiding its presence from the WordPress admin dashboard. Attackers leverage the WordPress REST API to execute arbitrary PHP code remotely.
Once installed, the plugin does the following:
- Creates Hidden Admin Accounts: It establishes unauthorized admin-level users, such as one named wpsecuritypatch, giving attackers ongoing access.
- Installs Web Shells: These allow remote execution of malicious code and control over the compromised site.
- Modifies Core Files: Alters essential WordPress files, including wp-config.php and wp-cron.php, to ensure persistence and hide the malware.
- Uses CAPTCHA Traps: In some campaigns, the plugin injects CAPTCHA verifications that appear legitimate but are used to deploy further backdoors based on Node.js.
Malicious Capabilities
The fake plugin is relatively sophisticated and enables several harmful activities:
- Data Theft: Sensitive information such as login credentials and payment data is exfiltrated by means such as PHP scripts disguised as image files.
- Ad Monetization Abuse: Some versions inject unauthorized Google AdSense code to hijack advertising revenue.
- Stealth & Persistence: The malware may use reverse proxies and other methods to hide its activity and maintain long-term access.
Signs of Infection
WordPress site owners should be on alert for the following indicators of compromise:
- Unrecognized admin accounts appearing suddenly.
- Installation of unknown or suspicious plugins.
- Unexpected edits to core WordPress files.
- Unusual traffic patterns or outbound connections to obscure domains.
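As an added example (not code from the original write-up), the following Python audit script walks a WordPress tree and flags three of the indicators described above: the known backdoor file name, PHP code hidden in files with image extensions, and obfuscation calls in wp-config.php or wp-cron.php. The image and obfuscation checks are assumed heuristics, and the sample tree it scans is constructed inline for the demonstration.

```python
import os
import re
import tempfile

# Indicators from the write-up: the backdoor file name and the core files it edits.
KNOWN_BAD_FILENAMES = {"wp-antymalwary-bot.php"}
CORE_FILES_TO_WATCH = {"wp-config.php", "wp-cron.php"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".ico"}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.I)
# Assumed heuristic: obfuscation helpers that do not belong in wp-config/wp-cron.
SUSPICIOUS_CODE = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def scan_wordpress_tree(root):
    """Walk an install and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name.lower())[1]
            with open(path, "rb") as fh:
                head = fh.read(65536)  # injected code normally sits near the top
            if name.lower() in KNOWN_BAD_FILENAMES:
                findings.append((rel, "known backdoor filename"))
            elif ext in IMAGE_EXTENSIONS and PHP_OPEN_TAG.search(head):
                findings.append((rel, "PHP code inside an image file"))
            elif rel.lower() in CORE_FILES_TO_WATCH and SUSPICIOUS_CODE.search(head):
                findings.append((rel, "suspicious code in core file"))
    return sorted(findings)

def build_sample_site():
    """Create a constructed, throwaway tree mimicking the infection described."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    samples = {  # constructed contents, not real malware
        "wp-config.php": b"<?php\ndefine('DB_NAME', 'wp');\n",
        "wp-cron.php": b"<?php\neval(base64_decode('AAAA'));\n",
        "wp-content/plugins/WP-antymalwary-bot.php": b"<?php /* constructed */\n",
        "wp-content/uploads/2024/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "wp-content/uploads/2024/photo.jpg": b"<?php /* constructed: php in image */ ?>",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root

def demo():
    # Expect three findings; the clean wp-config.php and real PNG are not reported.
    return scan_wordpress_tree(build_sample_site())
```

Run against a real install with scan_wordpress_tree("/path/to/wordpress"); each finding is a file to review by hand, not a verdict.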
Recommended Actions
To secure affected websites and prevent future breaches, follow these steps:
- Audit Your Plugins: Immediately review all installed plugins and remove any unfamiliar ones.
- Change Passwords: Update all administrator credentials and enable two-factor authentication.
- Run Security Scans: Use trusted tools like Wordfence or Sucuri to detect and eliminate malware.
- Restore from Backup: If possible, revert your site to a clean state from a pre-infection backup.
- Monitor Your Site: Keep an eye on logs and traffic for recurring suspicious activity.
Final Thoughts
Cybercriminals continue to evolve their tactics, and this fake WordPress security plugin is a stark reminder of the importance of vigilant website maintenance and proactive security. Staying informed and regularly auditing your site is key to protecting it from such threats.