Hundreds of WordPress sites infected by recently discovered backdoor

According to a writeup published last week, hundreds if not thousands of websites have been compromised by a piece of malicious software that exploits vulnerabilities the site owners never patched.

Researchers from security firm Dr.Web said that the Linux-based software installs a back door that redirects visitors to malicious websites. It gets in by exploiting already-patched vulnerabilities in the plugins and themes that website owners use to add live chat, metrics reporting and similar features to the core WordPress content management system.

Dr.Web researchers said that sites running outdated versions of these add-ons are injected with malicious JavaScript. Users are diverted to other sites when they click anywhere on an attacked page.

More than 1,300 sites contain the JavaScript that powers the back door, according to one search. It shows the reach of the software.

The plugins and themes whose vulnerabilities were exploited:

  • WP Live Chat Support Plugin
  • WordPress – Yuzo Related Posts
  • Yellow Pencil Visual Theme Customizer Plugin
  • Easysmtp
  • WP GDPR Compliance Plugin
  • Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
  • Thim Core
  • Google Code Inserter
  • Total Donations Plugin
  • Post Custom Templates Lite
  • WP Quick Booking Manager
  • Facebook Live Chat by Zotabox
  • Blog Designer WordPress Plugin
  • WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
  • WP-Matomo Integration (WP-Piwik)
  • WordPress ND Shortcodes For Visual Composer
  • WP Live Chat
  • Coming Soon Page and Maintenance Mode
  • Hybrid
  • Brizy WordPress Plugin
  • FV Flowplayer Video Player
  • WooCommerce
  • WordPress Coming Soon Page
  • WordPress theme OneTone
  • Simple Fields WordPress Plugin
  • WordPress Delucks SEO plugin
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • WPeMatico RSS Feed Fetcher
  • Rich Reviews plugin

If one or more of these vulnerabilities is successfully exploited, a malicious JavaScript is downloaded from a remote server and injected into the page. When the page is loaded, this JavaScript runs first, regardless of the original contents of the page. Whenever users click anywhere on the infected page, they are taken to a website of the attackers' choosing.

The JavaScript contains links to a number of malicious domains:

  • lobbydesires[.]com
  • letsmakeparty3[.]ga
  • deliverygoodstrategies[.]com
  • gabriellalovecats[.]com
  • css[.]digestcolect[.]com
  • clon[.]collectfasttracks[.]com
  • Count[.]trackstatisticsss[.]com
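A site owner who wants to check whether a page already carries the injected script can match the page's script references against the domains Dr.Web published. The following checker is an added example written for this article, not code from Dr.Web or from the malware: it refangs the indicator list above, pulls the `src` of every `<script>` tag plus any host names inside inline scripts, and flags hosts that equal one of the listed domains or are subdomains of one. The two HTML pages it scans are constructed samples; the regex-based tag extraction is a deliberate simplification for a quick check, not a full HTML parser.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Domains named in the Dr.Web writeup, defanged exactly as the article lists them.
REPORTED_DOMAINS = [
    "lobbydesires[.]com",
    "letsmakeparty3[.]ga",
    "deliverygoodstrategies[.]com",
    "gabriellalovecats[.]com",
    "css[.]digestcolect[.]com",
    "clon[.]collectfasttracks[.]com",
    "Count[.]trackstatisticsss[.]com",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as example[.]com back into a lowercase hostname."""
    return domain.replace("[.]", ".").lower()


IOC_HOSTS = {refang(d) for d in REPORTED_DOMAINS}

# <script ... src="..."> attributes and the bodies of inline <script> blocks.
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Host names in absolute or protocol-relative URLs inside script text.
URL_IN_TEXT_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)


def host_matches(host: str) -> Optional[str]:
    """Return the matching indicator if host equals it or is a subdomain of it.

    Matching on the host label boundary avoids a false positive on a name
    such as notlobbydesires.com that merely contains an indicator as a suffix.
    """
    host = host.lower().rstrip(".")
    for ioc in IOC_HOSTS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_page(html: str) -> List[Tuple[str, str, str]]:
    """Return (kind, host, indicator) findings for one page's HTML."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        # Relative paths such as /wp-includes/... have no host and are skipped.
        host = urlparse(src if "//" in src else "//" + src).hostname or ""
        ioc = host_matches(host)
        if ioc:
            findings.append(("script-src", host.lower(), ioc))
    for body in INLINE_SCRIPT_RE.findall(html):
        for host in URL_IN_TEXT_RE.findall(body):
            ioc = host_matches(host)
            if ioc:
                findings.append(("inline-script", host.lower(), ioc))
    return findings


# Constructed sample pages: one ordinary WordPress page, one carrying a
# hypothetical injected loader that references two of the listed domains.
CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><p>Hello</p></body></html>"""

INFECTED_PAGE = """<html><head>
<script src="https://css.digestcolect.com/assets/app.js"></script>
<script>var u="//clon.collectfasttracks.com/s";</script>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_page(page))
```

Run the script over saved copies of a site's pages (or over the theme and plugin files themselves, since the injection usually lives in a PHP or JavaScript file rather than only in rendered output) and treat any finding as a reason to reinstall the affected add-on from a clean source and update everything on the list above. A page that is already redirecting visitors will typically show the loader as the first `<script>` in the document, which is consistent with the "runs first" behaviour the researchers describe.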