According to the researchers who uncovered the Linux backdoor, it has likely been in circulation for more than three years and exploits thirty or more plugin vulnerabilities.
A recently discovered Trojan backdoor compromises WordPress-based websites by exploiting vulnerabilities in 30 separate plugins and themes. It needs to exploit only one of these vulnerabilities to launch an attack.
Researchers from Doctor Web who discovered two iterations of the malware — dubbed Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2 — said sites running outdated or unpatched versions of these WordPress tools are at risk of harboring malicious JavaScript that redirects site visitors to nefarious websites, and should update those programs ASAP.
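As an added example, not code from Doctor Web or from the article, here is a small defender-side check for the symptom described above: script tags injected into stored WordPress content that load from, or redirect visitors to, hosts outside the site's own allowlist. The allowlisted hostnames and the sample post body are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (constructed for the example;
# a real deployment lists its own domain and CDNs).
ALLOWED_HOSTS = {"example-blog.test", "cdn.example-blog.test"}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Inline assignments or calls that change the visitor's location ("=" but not "==").
REDIRECT_CALL = re.compile(
    r"(?:window|document|top|self)\.location(?:\.href)?\s*=(?!=)"
    r"|location\.(?:replace|assign)\s*\(",
    re.IGNORECASE,
)
URL_IN_JS = re.compile(r"""https?://[^"'\s)]+""", re.IGNORECASE)


def _external(url: str) -> bool:
    """True when the URL's host is not on the site's allowlist."""
    host = urlparse(url).hostname
    return host is not None and host.lower() not in ALLOWED_HOSTS


def find_suspicious_scripts(html: str) -> list[dict]:
    """Scan post/page HTML and report script tags that fetch from or redirect to
    non-allowlisted hosts. Returns one finding dict per suspicious tag."""
    findings = []
    for match in SCRIPT_TAG.finditer(html):
        attrs, body = match.group(1), match.group(2)
        src = SRC_ATTR.search(attrs)
        if src and _external(src.group(1)):
            findings.append({"kind": "external_src", "target": src.group(1)})
            continue
        if REDIRECT_CALL.search(body):
            targets = [u for u in URL_IN_JS.findall(body) if _external(u)]
            findings.append({"kind": "inline_redirect",
                             "target": targets[0] if targets else None})
    return findings


# Constructed sample of stored post content: one legitimate script, one injected
# inline redirect, one injected external loader.
SAMPLE_POST = """
<p>Welcome to the blog.</p>
<script src="https://cdn.example-blog.test/app.js"></script>
<script>var _0x=1; window.location.href='https://redirect.invalid/go';</script>
<script src="https://sketchy-ads.invalid/loader.js"></script>
"""

if __name__ == "__main__":
    for finding in find_suspicious_scripts(SAMPLE_POST):
        print(finding)
```

In practice the function would be run over `post_content` rows exported from the database and over theme and plugin PHP templates, with the allowlist tuned to the site.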
The malware, which targets 32-bit versions of Linux and can also run on 64-bit versions of the platform, has been around for a while, but here is the scary part: “An analysis of an uncovered trojan application, performed by Doctor Web’s specialists, revealed that it could be the malicious tool that cybercriminals have been using for more than three years to carry out such attacks and monetize the resale of traffic, or arbitrage,” the researchers wrote.
Version 1 of the Trojan exploits a number of plugins and themes, including WP Live Chat Support, Yellow Pencil Visual Theme Customizer, Easysmtp, WP GDPR Compliance, Google Code Inserter, and the Blog Designer WordPress plugin. Version 2 additionally exploits Brizy, FV Flowplayer, WordPress Coming Soon, Poll, Survey, Form, & Quiz Maker by OpinionStage, and Social Metrics Tracker.
Cybercriminals frequently use WordPress add-ons and themes as a means to compromise websites and use them for malicious purposes such as phishing, ad fraud, and malware distribution. Security flaws in such add-ons are widespread. For instance, in December, an SSRF vulnerability was discovered in the Google Web Stories plugin, which might allow an attacker to steal metadata from WordPress sites hosted on an AWS server and possibly log in to a cloud instance to perform commands.