<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-5HLVVHN" height="0" width="0" style="display:none;visibility:hidden">

Imunify To The Rescue: Our Operations Team Eliminates A Malicious Plugin

May 13, 2020 2:05:26 PM / by Andrey Kucherov




Last week the Imunify360 Operations Team spotted some malware embedded in a WordPress plugin. On Thursday, they reported it to the WordPress Plugin Review Team, who closed that plugin the very next day. 

We’d like to share with you what our Operations Team saw, so you know more about how malicious plugins work, and how you can avoid them. 


The Latest In A Series


The malicious plugin we eliminated is called custom-one-click-seo-sitemap: 


pasted image 0 (25)

It’s the latest in a series of plugins that contain the same malicious code. They were all created by the same author, and were all uploaded to the WordPress catalogue in the past year: 

Html-in-url-permalink (closed 15 May 2019)

Disable-revisions-for-all-post-types (closed 4 July 2019)

Custom-url (closed 7 July 2019)

Custom-one-click-seo-sitemap (closed 30 April 2020)

Post-type-pagination (closed 30 April 2020)


You’ll notice that the last plugin in that series was closed by the WordPress security team on the same day they closed the one we identified. This suggests that the WordPress team looked for plugins that contain this malware, then closed all that have it.


How Does It Work?


Our Operations Team determined that the custom-one-click-seo-sitemap plugin was infected with a malicious backdoor dropper. They looked at the code of the index.php file at https://plugins.trac.wordpress.org/browser/custom-one-click-seo-sitemap/trunk/index.php, and saw it calling a suspicious file, plugin.html


pasted image 0 (26)


This second file, plugin.html, is purely malicious--it drops spyware into WordPress from a remote location. When the plugin is installed, it uses plugin.html to send an email to the attacker, then drops a backdoor injector into the wp-crons.php file. 

When the attacker receives the email notifying him that the plugin has been installed, he can then inject additional malware into the WordPress installation. 


Please Stay In Touch


The Imunify product team would like to hear from you. To share your ideas and observations on malware like that described above, please send them to us at feedback@cloudlinux.com.


Topics: Imunify360, Advice, WordPress

Andrey Kucherov

Written by Andrey Kucherov

Andrey Kucherov is researching new malware samples and backing signatures in his role as Malware Analyst in the Imunify360 antivirus team. He is an online security enthusiast, always ready to learn something new and share his knowledge. When away from the keyboard, he likes to travel, and is fond of reading deeply philosophical books.

    Subscribe to Email Updates

    Ready to try Imunify?

    30-DAY TRIAL

    Recent Posts