- Sucuri researchers have found malware hiding in the mu-plugins directory
- The malware redirects visitors, serves spam and can even drop additional malware
- The sites were compromised via vulnerable plugins, weak administrator passwords and more
A special directory in WordPress is being abused to host malicious code, the researchers said, warning that the code lets threats persist on vulnerable websites while executing arbitrary code, redirecting visitors to malicious sites and displaying spam and unwanted advertisements.
Sucuri researchers discovered that threat actors hid the malicious code in "mu-plugins" (short for must-use plugins), a directory holding plugins that are activated automatically and cannot be deactivated from the administration panel.
These are generally used for essential site functionality, custom changes or performance optimizations that should always run.
Remote code execution risks
“This approach represents a worrying trend, as mu-plugins are not listed in the standard WordPress plugin interface, which makes them less visible and easier for users to overlook during routine security checks,” said Sucuri researchers.
So far, the analysis has uncovered three variants of the malicious code: redirect.php (redirects visitors to malicious sites), index.php (remote code execution and malware-dropping capabilities) and personalized-woche.php (injects spam).
“The potential impact ranges from minor inconveniences to severe security breaches, underscoring the importance of website security measures,” said Sucuri.
Discussing how the sites could have been infected, the researchers said there are several ways to compromise a WordPress site, including exploiting a vulnerable plugin or theme, using compromised administrator credentials, or abusing a poorly secured hosting environment.
To mitigate the risks, website owners should scan their WordPress installation for malware (especially the mu-plugins directory), check for unauthorized administrator accounts and unexpected installed plugins, update WordPress, plugins and themes, change all administrator passwords and enable 2FA where possible, and monitor file integrity by setting up a security plugin.
WordPress is the most popular website builder in the world, powering most websites on the Internet. As such, the platform is under a constant barrage of cyberattacks.
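As an added illustration of the scanning and file-integrity steps above (not code from Sucuri or from the article), the Python script below inventories a mu-plugins directory against a known-good baseline of file hashes and flags PHP constructs that merit a manual look; the file names and contents built in demo() are constructed samples, not the variants Sucuri analysed.

```python
"""Audit a WordPress mu-plugins directory. Must-use plugins load automatically
and do not appear on the normal plugin screen, so the directory itself is
inventoried and compared against a baseline of known-good SHA-256 hashes."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructs that are unusual in legitimate must-use plugins and worth reviewing.
SUSPICIOUS = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"base64_decode\s*\("), "base64_decode()"),
    (re.compile(r"\b(?:gzinflate|str_rot13)\s*\("), "obfuscation helper"),
    (re.compile(r"header\s*\(\s*['\"]Location:"), "raw redirect header"),
]

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_mu_plugins(mu_dir, baseline: dict) -> list:
    """Return (relative_path, reason) findings. baseline maps relative path
    to the expected SHA-256 of each known-good file."""
    mu_dir = Path(mu_dir)
    findings, seen = [], set()
    for path in sorted(p for p in mu_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(mu_dir).as_posix()
        seen.add(rel)
        if rel not in baseline:
            findings.append((rel, "not in baseline"))
        elif baseline[rel] != sha256_of(path):
            findings.append((rel, "hash changed since baseline"))
        if path.suffix.lower() == ".php":
            text = path.read_text(errors="replace")
            for pattern, label in SUSPICIOUS:
                if pattern.search(text):
                    findings.append((rel, f"contains {label}"))
    for rel in sorted(set(baseline) - seen):  # deleted or renamed known-good files
        findings.append((rel, "missing from directory"))
    return findings

def demo() -> list:
    """Build a constructed mu-plugins tree in a temp dir and audit it; only the
    legitimate file is in the baseline, the other two are hypothetical samples."""
    root = Path(tempfile.mkdtemp()) / "mu-plugins"
    root.mkdir()
    (root / "site-tweaks.php").write_text("<?php\nadd_filter('show_admin_bar', '__return_false');\n")
    (root / "redirect.php").write_text("<?php\nheader('Location: https://example.invalid/');\nexit;\n")
    (root / "index.php").write_text("<?php\neval(base64_decode('PLACEHOLDER'));\n")
    baseline = {"site-tweaks.php": sha256_of(root / "site-tweaks.php")}
    return audit_mu_plugins(root, baseline)
```

Run a baseline capture on a clean install first (store the hashes of every file in mu-plugins), then re-run the audit on a schedule and treat any finding as something to inspect by hand.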
Via The Hacker News