Imunify360 Blog

Fake and malicious Wordpress Plugins

Written by Krithika Rajendran | Apr 22, 2021 12:08:22 PM

Today websites are essential for business and operations. To make web design more efficient with added website functionality, web designers use various Plugins. Plugins are the building blocks of a website - they are the little programs that perform a definitive task - based on the needs and personalized requirements of the website owner. It is a lot like providing additional add-ons to the website. Additionally, check our WordPress Security Ultimate Guide for 2021 to learn more about WordPress Security.


As of writing this article, there are more than 52,000 plugins on the market. There are free to use and commercial plugins available from third-party companies and developers. There are also Nulled Plugins which are pirated copies of legitimate versions of different premium plugins, nulled plugins act as a backdoor for many harmful activities. In this article, Krithika Rajendran, malware analyst at Imunify Security will go over the behavior of wp-sleeps and will tell more how to keep your servers protected.

Close-up of wp-sleeps plugin behavior

So, with the following example, let’s have look at what malicious behavior looks like:

Picture 1: Example of malicious injected code

Recently we came across this malicious fake plugin that paves the way for several  malicious activities on the victim's website. Here, for example, someone installed the  Wp-sleeeps plugin which redirects users to scam sites. See Picture  2: When we decode the malicious parts presented above, there is an evident record of redirecting to some malicious websit

Picture 2: Decoded Malicious Part

Not only does it contain a redirect to malicious websites, but it also infects the DB. Additionally, the wp_options table indicates the nulled plugin changes the Site_URL and Home URL to this malicious “lovegreenpencils” domain (Picture 2).   It also infects all the core PHP and JS files and appends many malicious backdoors into the main core files. Check Picture 3 for reference.

Picture 3: Backdoor Infected Sample

Some of the files had the comment //scp-173 as well as echo 'I love you,how about you'; When we decoded this information, we found this malicious backdoor was added into WP core files.

Let’s look into how all these malicious actors get inside and reach the DB. It all becomes possible because of the nulled plugin. The wp-sleeeps plugin creates a downloader called lte_/lt_.

Picture 4: Sample lte_/lt_ downloader

The lte_ program downloads a linux binary, which then loads it into the memory used to inject .js files. Then it inserts its own js code into the first few lines of all js files. Notice the file’s location athttp://95.181.172.35/7767/oyuiuyio, plus the lt_/lte_ file stays inside the memory.

Additionally, the attacker calls another similar plugin - “wp-zzzwhich performs the same set of activities

Picture 5: Another similar example of nulled plugin

It redirects to a malicious website (https://port.transandfiestas.ga/js.php?from=l&sid=346) and sends the  same lte_ file is via the  request parameter ‘a’.

But the process doesn’t stop here. Further infection comes from  the malicious Plug_X malware. PlugX is a fully featured Remote Access Tool/Trojan (RAT) used as a backdoor to fully control the victim's system. It has the capabilities such as file upload, download, and modification, keystroke logging, webcam control, and access to a remote cmd.exe shell.

Picture 6: Plug_X malware

The plugX malware comes with 13 default plugins that  create processes. Previously, cybercriminals paired plugX with another common RAT called Poison Ivy that would inject the initial DLL files into the .exe process on the target host. However, Plugx evolved by adding  several new mechanisms that avoid security controls and detection. It downloads and executes the code via a VB script. After that, the backdoor gathers initial information on the target machine’s disk, running processes, Windows OS version, and user privileges. Then it attempts to reach out to the command and control server (C&C).

  • To date, the Wp-sleeep plugin performs the following malicious activities: redirect to a malicious domain.
  • accessed the database and spammed it.
  • installed the plugins like wp-zzz in each and every wordpress reachable.
  • installed itself even in zip and tar files (lte_/lt_).
  • malicious RAT got installed to the system.

How to keep your server protected from malicious plugins

Avoiding  this type of malware requires users always follow these steps:

  • Install plugins  from only trusted source/developer’s site: It is always recommended users install plugins/themes from only  trusted Plugin’s website/plugin developer,not from  random websites.
  • Be aware of free plugins: Malicious/Fake plugins often disguise themselves as free versions of premium plugins. Check before installing. 
  • Update the installed plugins on the regular basis: Make sure that plugins running are updated/recent versions. Check whether installed plugins cover the latest security updates.
  • Uninstall unused/unwanted plugins: It’s best to remove the unwanted plugins, rather than disabling them. Even disabled plugins  leave their vulnerabilities behind.
  • Change  passwords: Change  passwords frequently for wordpress admins and cPanel accounts and audit the admin users if required. Remove inactive accounts.
  • Disable file editing: To avoid gaining access to the admin account, disable editing administrative users to edit PHP files of plugins and themes.
  • Along with taking the above steps, we recommend using Imunify360:
          • It cleans out the malware and protects from bot logins.
          • It helps users with both malware detection and cleaning features along with securing from zero day threats and various other real time threats.
          • With our Proactive Defence, malware is easily identified. It analyzes the PHP script behavior and prevents it from causing any harm to the server.
          • It detects the hidden malicious code which may be  obfuscated, injected in the middle of the legitimate file. It finds the attack pattern and works accordingly. 
          • Imunify360 stops most web application attacks before they even start.
          • A defined set of rules helps identify and block malicious attacks.
          • More than that it is very easy to identify whether a concerned domain is blacklisted or mapped as malicious in any other AVs.
          • Keeps your website free from hacks and blacklists.

So, we recommend the installation of Imunify360 which provides complete security to your web servers. Try Imunify360 Security suite for free for 14-days and forget about malware on your website and web-servers.