Last week the Imunify360 Operations Team spotted some malware embedded in a WordPress plugin. On Thursday, they reported it to the WordPress Plugin Review Team, who closed that plugin the very next day.
We’d like to share with you what our Operations Team saw, so you know more about how malicious plugins work, and how you can avoid them.
The Latest In A Series
The malicious plugin we eliminated is called custom-one-click-seo-sitemap.
It’s the latest in a series of plugins that contain the same malicious code. They were all created by the same author, and were all uploaded to the WordPress catalogue in the past year:
html-in-url-permalink (closed 15 May 2019)
disable-revisions-for-all-post-types (closed 4 July 2019)
custom-url (closed 7 July 2019)
custom-one-click-seo-sitemap (closed 30 April 2020)
post-type-pagination (closed 30 April 2020)
You’ll notice that the last plugin in that series was closed by the WordPress security team on the same day they closed the one we identified. This suggests that the WordPress team looked for plugins that contain this malware, then closed all that have it.
How Does It Work?
Our Operations Team determined that the custom-one-click-seo-sitemap plugin was infected with a malicious backdoor dropper. They looked at the code of the index.php file at https://plugins.trac.wordpress.org/browser/custom-one-click-seo-sitemap/trunk/index.php, and saw it calling a suspicious file, plugin.html.
This second file, plugin.html, is purely malicious: it drops spyware into WordPress from a remote location. When the plugin is installed, it uses plugin.html to send an email to the attacker, then drops a backdoor injector into the wp-crons.php file.
When the attacker receives the email notifying him that the plugin has been installed, he can then inject additional malware into the WordPress installation.
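As an added, defender-side illustration (not the plugin's code and not Imunify360's own scanner), the following Python script flags the indicators described above in a plugin tree: a PHP file that includes a non-PHP file such as plugin.html, PHP code hidden inside a non-PHP file, a file that both sends mail and writes files, and a file named wp-crons.php, which imitates WordPress core's wp-cron.php. The sample file tree is constructed for the example.

```python
import re
from pathlib import Path
from typing import Dict, List

# One include/require statement, up to its terminating semicolon.
INCLUDE_STMT_RE = re.compile(r"\b(?:include|require)(?:_once)?\b([^;]*);", re.IGNORECASE)
# A quoted file literal (with extension) inside that statement.
QUOTED_FILE_RE = re.compile(r"['\"]([^'\"]*\.([A-Za-z0-9]+))['\"]")
# WordPress core ships wp-cron.php; wp-crons.php is a lookalike, not a core file.
CORE_LOOKALIKES = {"wp-crons.php"}

def scan_php(relpath: str, source: str) -> List[str]:
    """Heuristics over one file's PHP source."""
    findings = []
    for stmt in INCLUDE_STMT_RE.finditer(source):
        for quoted in QUOTED_FILE_RE.finditer(stmt.group(1)):
            if quoted.group(2).lower() not in ("php", "inc"):
                findings.append(f"{relpath}: includes non-PHP file {quoted.group(1)!r}")
    if re.search(r"\b(?:wp_)?mail\s*\(", source) and \
       re.search(r"\b(?:file_put_contents|fwrite|fopen)\s*\(", source):
        findings.append(f"{relpath}: sends mail and writes files in the same file")
    return findings

def scan_files(files: Dict[str, str]) -> List[str]:
    """Scan a mapping of relative path -> contents; returns human-readable findings."""
    findings = []
    for relpath in sorted(files):
        name = relpath.rsplit("/", 1)[-1]
        source = files[relpath]
        if name in CORE_LOOKALIKES:
            findings.append(f"{relpath}: file name imitates a WordPress core file")
        is_php = name.lower().endswith(".php")
        if not is_php and "<?php" in source:
            findings.append(f"{relpath}: PHP code in a non-PHP file")
        if is_php or "<?php" in source:
            findings.extend(scan_php(relpath, source))
    return findings

def scan_tree(root: str) -> List[str]:
    """Load a real directory (e.g. wp-content/plugins) and scan it."""
    rootp = Path(root)
    files = {str(p.relative_to(rootp)).replace("\\", "/"): p.read_text(errors="replace")
             for p in rootp.rglob("*") if p.is_file()}
    return scan_files(files)

# Constructed sample modelled on the description above (not the real plugin's code).
SAMPLE = {
    "custom-one-click-seo-sitemap/index.php": "<?php\ninclude plugin_dir_path(__FILE__) . 'plugin.html';\n",
    "custom-one-click-seo-sitemap/plugin.html": "<?php mail($to, 'installed', home_url()); file_put_contents(ABSPATH . 'wp-crons.php', $b); ?>",
    "wp-crons.php": "<?php /* dropped by the plugin */ ?>",
    "akismet/akismet.php": "<?php require_once __DIR__ . '/class.akismet.php';\n",
}

if __name__ == "__main__":
    for line in scan_files(SAMPLE):
        print(line)
```

Run against a live installation with scan_tree("/path/to/wp-content/plugins") and review each finding by hand; these are heuristics for triage, not proof of compromise.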
Please Stay In Touch
The Imunify product team would like to hear from you. To share your ideas and observations on malware like that described above, please send them to us at firstname.lastname@example.org.