Over 5000 WordPress Sites Infected in Global Malware Campaign

A widespread malware campaign has been uncovered targeting over 5,000 WordPress websites globally. The campaign, traced back to the malicious domain https://wp3[.]xyz, has been actively exploiting vulnerabilities in WordPress websites to create unauthorized admin accounts, deploy malicious plugins, and exfiltrate sensitive data, according to a report by Himanshu Anand, a security researcher at c/side, a cybersecurity firm.The attack utilizes a script hosted on the domain https://wp3[.]xyz/td.js to infiltrate WordPress sites. The script fetches a Cross-Site Request Forgery (CSRF) token to create an admin user account with hardcoded credentials:

Username: wpx_admin Password: [REDACTED]

Once the malicious admin account is created, the script installs a plugin downloaded from https://wp3.xyz/plugin[.]php. This plugin activates itself and communicates with a command-and-control (C2) server, exfiltrating data such as admin credentials and operation logs via obfuscated image requests.

"WP3.XYZ is a malicious domain used for exfiltrating sensitive data, including admin credentials and operation statuses, while serving as a source for downloading malicious WordPress plugins to compromise targeted websites," Anand explains in the report.

The attack unfolds in a structured sequence. First, the script automates user creation using the CSRF token obtained from the WordPress admin panel. It sends a POST request to set up the wpx_admin account, logging the operation's status. Subsequently, the script fetches the plugin installation page, retrieves another CSRF token, and uploads the plugin fetched from the remote server.

Sensitive information is sent to https://wp3.xyz/tdw1[.]php using an image-based logging mechanism. This clever technique avoids raising alarms in standard security tools. The script performs a final check to ensure the malicious payload is successfully installed by scanning for references to wp3.xyz within the infected website.

To identify compromised sites, c/side recommends using tools like PublicWWW and URLScan. Site owners are urged to take immediate steps to protect their platforms. This includes blocking the domain https://wp3[.]xyz using firewalls or security tools, auditing admin accounts for unauthorized users, removing suspicious plugins, and enhancing security measures.

Experts recommend strengthening CSRF protections and implementing multi-factor authentication (MFA) to mitigate such attacks. "Check your site now to remove any unauthorized admin accounts and remove any unused plugins or themes," the report emphasizes.

The sophistication of this attack highlights the ongoing challenges in WordPress security and the importance of vigilant monitoring and proactive security practices for website administrators.

Found this article interesting? Keep visit thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive tips like this. 

You may also like these articles: Here are the 5 most contextually relevant blog posts: