As part of Imunify360’s proactive malware research activities, we recently identified that a plugin named Malicious Checker from WordPress repository, which can be used to identify malware in web servers, indeed had active malware inside one of the plugin’s source files.
We first identified the presence of malware in the plugin in July, 2020. Upon checking, we have found that the malicious file has been present in the plugin for four years with filename example_01.php.
The Malicious code was a classic “include type malware” which utilises obfuscation to hide code behind comments and calls out for the actual malware, which is sitting elsewhere in the server.
After removing unnecessary comments that are being used to hide the malware dropper, the code looks like this:
Our Team is not sure if this malware file was dropped into the plugin repository by accident or if it was planted there on purpose, but it’s typical to note that it’s a guideline violation of WordPress plugin policy. Even though files are not dropped there intentionally, it is still possible for other parties to utilise this script present in the plugin core files to exploit it in a remote chance.
We have identified this malware code presence using our already existing signature SMW-INJ-03786-bkdr.inj, which has already been protecting Imunify360 customers against these types of malware for years.
We reported this to the WordPress security team on July 6th of 2020. Since then, the plugin has been closed temporarily by the WordPress team for guideline violations until this issue is resolved by the developer of the plugin.
If you or some of your end customers used this plugin, then proceed to the regular malware clean-up procedure and that would be enough to keep your server safe.
Please Share Your Feedback
The Imunify product team would like to hear from you. To share your ideas and observations on vulnerabilities like the one described above, please send them to us at email@example.com.
If you have questions on how to use Imunify360, or you’d like to resolve a support issue, please contact the Imunify360 support team at cloudlinux.zendesk.com.