<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-5HLVVHN" height="0" width="0" style="display:none;visibility:hidden">

“Malicious Checker” WordPress Plugin with Malware

Aug 26, 2020 3:00:00 PM / by Naveen Velusamy

 

IMUNIFY360_MALWARE_Websites

 

As part of Imunify360’s proactive malware research activities, we recently identified that a plugin named Malicious Checker from WordPress repository, which can be used to identify malware in web servers, indeed had active malware inside one of the plugin’s source files.

We first identified the presence of malware in the plugin in July, 2020. Upon checking, we have found that the malicious file has been present in the plugin for four years with filename example_01.php.

 

 

The Malicious code was a classic “include type malware” which utilises obfuscation to hide code behind comments and calls out for the actual malware, which is sitting elsewhere in the server.

 

 

After removing unnecessary comments that are being used to hide the malware dropper, the code looks like this:

 

Our Team is not sure if this malware file was dropped into the plugin repository by accident or if it was planted there on purpose, but it’s typical to note that it’s a guideline violation of WordPress plugin policy. Even though files are not dropped there intentionally, it is still possible for other parties to utilise this script present in the plugin core files to exploit it in a remote chance.

We have identified this malware code presence using our already existing signature SMW-INJ-03786-bkdr.inj, which has already been protecting Imunify360 customers against these types of malware for years.

We reported this to the WordPress security team on July 6th of 2020. Since then, the plugin has been closed temporarily by the WordPress team for guideline violations until this issue is resolved by the developer of the plugin.

 

 

If you or some of your end customers used this plugin, then proceed to the regular malware clean-up procedure and that would be enough to keep your server safe.

 

Please Share Your Feedback

 

 The Imunify product team would like to hear from you. To share your ideas and observations on vulnerabilities like the one described above, please send them to us at feedback@cloudlinux.com.

If you have questions on how to use Imunify360, or you’d like to resolve a support issue, please contact the Imunify360 support team at cloudlinux.zendesk.com.

 

Topics: Imunify360, Antivirus, Advice, WordPress

Naveen Velusamy

Written by Naveen Velusamy

Naveen is a Malware Analyst in the Imunify360 antivirus team, researching and investigating malware samples and trends on day-by-day basis. He is a web security researcher, bug hunter, CTF lover and cryptocurrency enthusiast. He also loves gaming and killing time by counting stars.

    Subscribe to Email Updates

    Ready to try Imunify?

    30-DAY TRIAL

    Recent Posts