A new sophisticated malware campaign targeting WordPress websites has been uncovered by security researchers at Sucuri. The attack exploits vulnerabilities in the mu-plugins directory, which is designed for “must-use” plugins that load automatically on WordPress sites. The attackers plant a malicious PHP file in this directory, which decodes and executes payloads stored elsewhere on the site, enabling remote code execution. Once the malware is in place, it allows full server compromise, data theft, and persistent control over the infected website.
The malware campaign’s second-stage payload incorporates advanced features, including server communication and the manipulation of the robots.txt file. The malware communicates with attacker-controlled servers while masking its presence and checking for security tools that might detect it. Additionally, it creates fake sitemaps in the robots.txt file to support malicious SEO campaigns, further enhancing the attacker’s control over the infected site.
These tactics reflect the evolving complexity of modern malware campaigns and their potential for long-term persistence.
Advanced persistence mechanisms are also a key component of this attack. One such mechanism involves the use of AES-128-CBC encryption to deliver encrypted payloads. The attackers utilize a second backdoor that decrypts the commands using a secret key; because only ciphertext is stored on the server, signature-based detection systems have nothing recognisable to match, allowing the malware to continue its operations undetected over an extended period.
To mitigate the risk of such attacks, website owners are urged to implement a range of security measures. These include enforcing file integrity monitoring, blocking PHP execution in upload directories, resetting all credentials (admin, FTP, and database), and deploying web application firewalls. Additionally, real-time malware scans and regular updates to WordPress components are crucial for preventing these types of infections, as the majority of attacks are due to outdated or vulnerable components.
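The file integrity monitoring recommended above can be illustrated with a small baseline-and-diff check over `wp-content/mu-plugins`. This is an added example, not Sucuri's tooling or anything from the campaign; the suspicious-pattern list is an assumed heuristic keyed to the behaviour the article describes (decoding and executing staged payloads), and the sample plugin files are constructed inline.

```python
"""Baseline hashes for wp-content/mu-plugins and flag new or changed PHP files."""
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed heuristic: constructs a dropper that decodes/decrypts staged payloads tends to use.
SUSPICIOUS = [
    r"\beval\s*\(",
    r"\bbase64_decode\s*\(",
    r"\bopenssl_decrypt\s*\(",   # e.g. AES-128-CBC decryption of staged commands
]

def build_manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def diff_manifest(baseline: dict, current: dict) -> dict:
    """Files added, removed, or changed since the baseline was recorded."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
    }

def suspicious_markers(source: str) -> list:
    """Heuristic patterns present in a PHP file's source (empty list = nothing matched)."""
    return [pat for pat in SUSPICIOUS if re.search(pat, source)]

def demo() -> dict:
    """Record a baseline, drop a constructed sample file, and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        mu = Path(tmp) / "wp-content" / "mu-plugins"
        mu.mkdir(parents=True)
        (mu / "health-check.php").write_text("<?php add_action('init', 'hc_init');\n")
        baseline = build_manifest(mu)   # in practice persist this (e.g. JSON) off the web root
        # Constructed sample shaped like the dropper the article describes; not real malware.
        (mu / "wp-cache.php").write_text(
            "<?php $p = file_get_contents(__DIR__ . '/../uploads/x.txt');\n"
            "eval(base64_decode($p));\n")
        changes = diff_manifest(baseline, build_manifest(mu))
        flagged = {f: suspicious_markers((mu / f).read_text())
                   for f in changes["added"] + changes["modified"]}
        return {"changes": changes, "flagged": flagged}

if __name__ == "__main__":
    print(demo())
```

Run it on a schedule against a baseline taken right after a clean install or update; any entry under "added" or "modified" in mu-plugins deserves review even when no heuristic matches.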