Fake WordPress advisories infect admins with a backdoor plugin

December 22, 2023

A newly discovered fake WordPress advisories campaign targets unsuspecting site owners and admins to infect them with a malicious backdoor plugin.

Based on reports, the attackers use a clever strategy that leverages deceptive emails posing as official WordPress notifications. The threat actors commonly use emails that raise alarms regarding a non-existent vulnerability called CVE-2023-45124.

These notifications claim that the vulnerability poses a severe risk to the admin’s site. If the target is taken in, the email instructs them to download and install a supposed patch, which is in fact a malicious plugin, to fix the non-existent security flaw.

The fake WordPress advisories will redirect their targets to a fake landing page.

Once the target of the fake WordPress advisories clicks the ‘Download Plugin’ button, they are redirected to a convincing fake landing page at ‘en-gb-wordpress[.]org’. The attackers designed these pages to resemble the legitimate ‘wordpress.com’ site.

The deception continues as the fake plugin has an inflated download count of 500,000 and includes fabricated user reviews, with a mix of five-star ratings and lower ratings for added authenticity.

Subsequently, after the target installs the plugin, it creates a concealed admin user named ‘wpsecuritypatch’. The plugin could transmit critical information about the victim to the attackers’ C2 server at ‘wpgate[.]zip’. Furthermore, the plugin downloads a base64-encoded backdoor payload from that server and saves it as ‘wp-autoload.php’ in the website’s root directory.

Further investigations also confirmed that the backdoor has file management capabilities, a SQL client, a PHP console, and a command line terminal that gives its operators detailed insight into the compromised server environment. Alarmingly, the malicious plugin hides itself from the list of installed plugins, so admins can only find it for removal by manually searching the site’s root directory and plugin folders.
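As an added defender-side example (not code from the report or from any WordPress project), the following Python script checks a WordPress install for the indicators described above: the ‘wp-autoload.php’ file in the site root, plugin code that references the ‘wpsecuritypatch’ login, and plugin code that registers an `all_plugins` filter, which is a common way for a plugin to remove itself from the Plugins screen (the report does not say which hiding mechanism this plugin uses, so that check is an assumption). The sample install it scans is constructed in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the report: the dropped file name and the hidden admin login.
BACKDOOR_FILE = "wp-autoload.php"
ROGUE_USER = "wpsecuritypatch"
# Assumption: a plugin that filters 'all_plugins' is hiding entries from the Plugins
# screen. Flag any plugin code that registers such a hook for manual review.
HIDE_HOOK = re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]", re.I)


def scan_install(root):
    """Return a list of findings for the WordPress install at `root`."""
    root = Path(root)
    findings = []
    if (root / BACKDOOR_FILE).is_file():
        findings.append(f"root contains {BACKDOOR_FILE}")
    plugins_dir = root / "wp-content" / "plugins"
    if plugins_dir.is_dir():
        for php in plugins_dir.rglob("*.php"):
            text = php.read_text(errors="ignore")
            rel = php.relative_to(root)
            if HIDE_HOOK.search(text):
                findings.append(f"{rel} hooks all_plugins (hides a plugin)")
            if ROGUE_USER in text:
                findings.append(f"{rel} references user '{ROGUE_USER}'")
    return findings


def check_user_logins(logins):
    """Flag the rogue login in a list of user names (e.g. from `wp user list`)."""
    return [u for u in logins if u.lower() == ROGUE_USER]


def demo():
    """Build a constructed sample install (placeholder files, not real malware)."""
    base = Path(tempfile.mkdtemp())
    (base / BACKDOOR_FILE).write_text("<?php /* constructed placeholder */")
    bad = base / "wp-content" / "plugins" / "wp-security-patch"
    bad.mkdir(parents=True)
    (bad / "plugin.php").write_text(
        "<?php add_filter('all_plugins', function($p){ unset($p['x']); return $p; });"
    )
    good = base / "wp-content" / "plugins" / "hello"
    good.mkdir()
    (good / "hello.php").write_text("<?php // benign plugin")
    return scan_install(base)
```

Run `scan_install` against a real site root and feed the output of `wp user list --field=user_login` to `check_user_logins`; any finding is a reason to inspect the install by hand.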

While the operational objective of the backdoor remains unknown, security analysts speculate on potential malicious activities. These attackers might leverage the compromised sites for injecting ads, redirecting visitors, stealing sensitive information, or even resorting to extortion by threatening to expose the contents of the website’s database.

WordPress admins should remain vigilant and only rely on reputable sources for security advisories. Lastly, site owners should treat unsolicited update prompts and plugin downloads with suspicion, as threat actors abuse exactly these channels to deliver malicious code.
