Malicious plugins that hide in plain sight and act as backdoors are used by attackers to gain and maintain a foothold on WordPress websites, and to upload web shells and scripts for brute-forcing other sites.

For instance, some of these fake plugins with backdoor functionality — named initiatorseo or updrat123 by their creators — were seen cloning the functionality of the highly popular backup/restore WordPress plugin UpdraftPlus, with a current active number of over two million installations.

“The metadata comments within these fake plugins include copies from version 1.16.16 of UpdraftPlus, which was released on July 23rd, 2019,” found researchers at web security and protection company Sucuri.

Such plugins can easily be created with the help of ready-made automated tools or by including malicious payloads such as web shells within the source code of legitimate ones.

Hiding from strangers

The malicious plugin does not show up when using the compromised website’s WordPress dashboard as it is designed to stay out of sight until someone who knows it’s there wonders around.

“By default, the plugin hides itself in the WordPress dashboard from anyone who doesn’t use browsers with specific User-Agent strings. These strings vary from plugin to plugin,” found the researchers.

The plugin will also announce its presence to the attackers if they query the website using a GET request with custom parameters such as initiationactivity or testingkey.

These fake plugins’ main purpose is to act as backdoors on the compromised WordPress websites and to provide the attackers with access to the servers even after the original infection vector was removed.

The hackers use the backdoors to upload arbitrary files for malicious purposes to the infected websites’ servers using POST requests.

These requests contain parameters with info on the download location URL, path where the files should be written, and the name under which the files should be dropped.

Sucuri observed the attackers dropping web shells — malicious scripts providing remote access to the server — in random locations on the compromised sites’ servers.

Brute-force scripts also dropped

Randomly named scripts have also been uploaded to the sites’ root directories to allow the attackers to launch brute-force attacks against other websites, making it a lot easier and faster to test huge lists of credentials against a targeted site’s login system.

“While none of the approaches used by this attack are new, it clearly demonstrates how cleaning only the visible parts of an infection is not enough,” conclude the Sucuri researchers. “Sometimes backdoors come in the form of WordPress plugins that might not even be visible from the admin interface.

“Additionally, compromised websites may be used for malicious activity that is completely invisible from outside, including DDoS and brute-force attacks, mailing tons of spam, or cryptomining.”

Sucuri’s research team also discovered another breed of fake plugins that not only provide attackers with a backdoor on compromised WordPress sites but also enable them to abuse their servers’ system resources to mine for Bitcoin cryptocurrency using a dedicated Linux binary with 64-bit and 32-bit variants.