WP3.XYZ Malware Targets Over 5,000 WordPress Websites, Creates Fake Admin Accounts

Thursday, January 16, 2025

A new malware campaign has compromised more than 5,000 WordPress websites, creating fake admin accounts, installing malicious plugins, and stealing sensitive information. Researchers from the cybersecurity firm c/side discovered that the malware uses the domain wp3[.]xyz to exfiltrate data to the attackers’ server. After successfully breaching a system, the malicious script creates an admin account named “wpx_admin” with a hardcoded password. It then installs a plugin named plugin.php, which collects data such as admin account credentials and activity logs, sending the information disguised as image requests to evade detection by security systems.

The malware also verifies its own success: it checks that the rogue account has been created and that the plugin is installed and activated, so the operators can track the attack's progress on each site.

To mitigate the risk, c/side recommends blocking the domain wp3[.]xyz through firewalls and security tools, auditing admin accounts and installed plugins for suspicious activity, and enhancing CSRF (Cross-Site Request Forgery) protection by using short-lived server-side tokens. Additionally, enabling Multi-Factor Authentication (MFA) is advised to improve security.
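A triage script for the audit steps above, added here as an example (it is not part of the c/side report or the article). It assumes administrator logins and plugin main-file paths are exported with WP-CLI (`wp user list`, `wp plugin list`) and that outbound URLs come from an egress proxy log or a CSP report; all sample inputs are constructed.

```python
import re
from urllib.parse import urlparse

# Indicators as reported for this campaign; every input below is constructed.
ROGUE_ADMIN = "wpx_admin"
ROGUE_PLUGIN_FILE = "plugin.php"
EXFIL_DOMAIN = "wp3.xyz"
IMAGE_EXT = re.compile(r"\.(png|jpe?g|gif|webp|svg)$", re.IGNORECASE)


def find_rogue_admins(admin_logins, approved_admins):
    """Administrator logins that are not on the site's approved list.
    The campaign's hardcoded 'wpx_admin' is flagged even if someone approved it."""
    approved = {a.lower() for a in approved_admins} - {ROGUE_ADMIN}
    return sorted(a for a in admin_logins if a.lower() not in approved)


def find_rogue_plugins(plugin_files):
    """Plugin main files whose basename is the campaign's generic 'plugin.php'.
    Flagged for review: legitimate plugins almost always use '<slug>/<slug>.php'."""
    return [f for f in plugin_files
            if f.replace("\\", "/").rsplit("/", 1)[-1].lower() == ROGUE_PLUGIN_FILE]


def find_exfil_urls(urls):
    """URLs whose host is wp3.xyz (or a subdomain of it), paired with a flag saying
    whether the request is styled as an image fetch, the cover traffic the report describes."""
    hits = []
    for u in urls:
        p = urlparse(u)
        host = (p.hostname or "").lower()
        if host == EXFIL_DOMAIN or host.endswith("." + EXFIL_DOMAIN):
            hits.append((u, bool(IMAGE_EXT.search(p.path))))
    return hits


def triage(admin_logins, approved_admins, plugin_files, urls):
    """One report covering the three audit checks in the mitigation advice."""
    return {
        "rogue_admins": find_rogue_admins(admin_logins, approved_admins),
        "rogue_plugins": find_rogue_plugins(plugin_files),
        "exfil_urls": find_exfil_urls(urls),
    }


if __name__ == "__main__":
    # Constructed inputs standing in for WP-CLI output and a proxy/CSP URL list.
    report = triage(
        admin_logins=["alice", "wpx_admin"],
        approved_admins=["alice"],
        plugin_files=["akismet/akismet.php", "plugin.php", "x7k2/plugin.php"],
        urls=["https://wp3.xyz/img.png?u=wpx_admin&s=1", "https://cdn.example.net/logo.png"],
    )
    for key, value in report.items():
        print(key, value)
```

Any non-empty entry in the report is a reason to pull the site offline for a full review, since the account and plugin are only the visible part of the compromise.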

Source: https://www.bleepingcomputer.com/news/security/wp3xyz-malware-attacks-add-rogue-admins-to-5-000-plus-wordpress-sites/