The WP3.XYZ malware infected thousands of WordPress sites

January 31, 2025

The new WP3.XYZ malware campaign has infected at least 5,000 WordPress sites, terrorising numerous admins and site owners.

The campaign lets the threat actors create attacker-controlled admin accounts, install malicious plugins, and steal information. According to investigations, the malicious activity uses the ‘wp3.xyz’ domain to harvest data from infected sites.

However, incident responders have not yet identified the initial infection vector the malware operators used to deploy the malicious payload on targeted WordPress domains.

A follow-up assessment of the attack reported that the malicious script loaded from the wp3.xyz domain creates a rogue admin account once a site is compromised; the credentials for that account are supplied in the script itself.

The script then installs and activates a malicious plugin downloaded from the same domain into the compromised website.

The primary objective of the WP3.XYZ malware campaign is to harvest critical information.

Based on reports, the malicious plugin used in the WP3.XYZ campaign consistently attempts to steal sensitive data, prioritising admin credentials and logs.

The campaign exfiltrates the stolen data to an attacker-controlled server in an obfuscated form that makes the transfer look like an image request. The attack also includes verification stages, such as checking the operation’s status after creating the rogue admin account and confirming that the malicious plugin was installed.

Researchers advise website owners and administrators to block the ‘wp3[.]xyz’ domain with firewalls and security solutions. Furthermore, administrators should review the list of privileged accounts and installed plugins for unauthorised additions and remove them as soon as possible.
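The two checks above can be enforced from inside WordPress as well as at the firewall. The following must-use plugin is an added example, not code from the article or from any security vendor: it short-circuits outbound WordPress HTTP API requests to wp3.xyz, and writes a log line whenever an account is granted the administrator role or a plugin is activated, so a rogue account or plugin shows up in the PHP error log for review. The blocked-host list, the log prefix and the file name are assumptions; the hooks are standard WordPress ones.

```php
<?php
/**
 * Plugin Name: WP3.XYZ Guard (added example)
 * Description: Blocks outbound requests to wp3.xyz and logs admin-role grants and plugin activations.
 * Install by copying into wp-content/mu-plugins/ (assumed file name: wp3xyz-guard.php).
 */

// Domain named in the article; extend the list with other indicators as they become known.
const WP3XYZ_BLOCKED_HOSTS = array( 'wp3.xyz' );

// True when $url points at a blocked host or one of its subdomains.
function wp3xyz_host_is_blocked( $url ) {
	$host = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
	foreach ( WP3XYZ_BLOCKED_HOSTS as $blocked ) {
		if ( $host === $blocked || substr( $host, -strlen( '.' . $blocked ) ) === '.' . $blocked ) {
			return true;
		}
	}
	return false;
}

// Short-circuit wp_remote_get()/wp_remote_post() calls (e.g. a plugin download) to the blocked domain.
add_filter( 'pre_http_request', function ( $preempt, $args, $url ) {
	if ( wp3xyz_host_is_blocked( $url ) ) {
		error_log( 'wp3xyz-guard: blocked outbound request to ' . $url );
		return new WP_Error( 'wp3xyz_blocked', 'Outbound request to blocked domain' );
	}
	return $preempt;
}, 10, 3 );

// Record every grant of the administrator role, including the actor and source IP.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
	if ( 'administrator' !== $role ) {
		return;
	}
	$user  = get_userdata( $user_id );
	$actor = wp_get_current_user()->user_login ?: 'unauthenticated';
	error_log( sprintf(
		'wp3xyz-guard: user %s (#%d) granted administrator (previous roles: %s) by %s from %s',
		$user ? $user->user_login : '?', $user_id, implode( ',', $old_roles ),
		$actor, $_SERVER['REMOTE_ADDR'] ?? '-'
	) );
}, 10, 3 );

// Record plugin activations so the list can be compared against a known-good inventory.
add_action( 'activated_plugin', function ( $plugin ) {
	error_log( 'wp3xyz-guard: plugin activated: ' . $plugin . ' by ' . ( wp_get_current_user()->user_login ?: 'unauthenticated' ) );
}, 10, 1 );
```

The log only covers activity that goes through WordPress itself; an attacker writing directly to the database or filesystem bypasses these hooks, so still cross-check with `wp user list --role=administrator` and `wp plugin list` (WP-CLI) against your own inventory.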

WordPress sites should also strengthen their CSRF defences with unique token generation, server-side validation, and regular regeneration. Tokens should expire quickly, limiting the window in which threat actors can carry out their operations.

Targeted sites should implement multi-factor authentication, since it protects accounts whose credentials have already been compromised. WordPress owners should therefore act immediately and adopt these countermeasures to avoid falling victim to the ongoing campaign.
