5,000 WordPress Sites Hacked in New WP3.XYZ Malware Attack

Widespread malware campaigns detected by side crawlers exploit vulnerabilities on multiple websites where the intrusion method remains under investigation, with no common entry point identified. 

A malicious script creates unauthorized administrator accounts with the credentials ‘wpx_admin’ and a hardcoded password.

Subsequently, it downloads and activates a malicious WordPress plugin, compromising the website and enabling the exfiltration of sensitive data to a remote server.”

The `createUser` function attempts to create a new user with the username “wpx_admin” and a hardcoded password within a WordPress environment. 

It first retrieves the CSRF token from the user creation page, and then it constructs a POST request with the user credentials and the CSRF token. The function logs the success or failure of the user creation operation.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

It downloads a plugin from a remote server activates it on the compromised website and then exfiltrates sensitive information, including admin credentials and operation logs, by sending them to another server via obfuscated image requests. 

By leveraging JSON to structure, it exfiltrated data and included additional information such as the victim’s website URL, timestamp, and user agent for better identification. 

In case the initial transmission attempt fails, the script implements a backoff retry mechanism to ensure successful exfiltration.

The attacker exploits admin access to upload a malicious plugin. First, the script retrieves the CSRF token from the WordPress plugin upload page. Subsequently, it downloads the malicious plugin file from a remote server. 

According to C/Side, using the acquired CSRF token, the script submits the downloaded malicious plugin file to the WordPress site for installation effectively compromises the website.

The script fetches a plugin from an external source and injects it into the victim’s website via a POST request to the `/wp-admin/update.php?action=upload-plugin` endpoint. To bypass security measures, the script retrieves a security token from the victim’s website using an initial GET request.

It fetches the website’s HTML content using the fetch API with credentials set to ‘include’ to access session cookies and then checks the fetched content for the presence of a string ‘wp3.xyz’ which indicates a malicious plugin installation. 

If found, a success message with a ‘Payload verified’ message is sent using the sendLog function. Otherwise, a failure message with a ‘Payload not found’ message is sent. 

The assumption that the malicious plugin injects a reference to its control server ‘wp3.xyz’ into the content of the website is the foundation upon which this verification technique is supported.

An attack was mitigated by blocking the malicious domain https://wp3[.]xyz on firewalls and auditing WordPress admin accounts for unauthorized users while suspicious plugins were removed and existing ones were validated.