After adding the malicious code to our Threat Intelligence Database and examining it, we quickly discovered that several other plugins were also affected.
We will begin with the Blaze Widget plugin which saw the largest amount of activity in terms of code commits and was also the first one to be modified by the malicious threat actor(s).
The code adds an action to the upgrader_process_complete hook provided by WordPress, so the malicious callback runs every time the upgrader finishes installing or updating a plugin, theme or core.
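As an added example that is not part of the original post or of any plugin named here, the following PHP audit helper lists every callback attached to that hook together with the file that registered it, so a plugin unexpectedly hooking into the upgrade process stands out; the function name is ours, while $wp_filter, WP_PLUGIN_DIR and `wp eval-file` are WordPress's and WP-CLI's own.

```php
<?php
// Added audit helper, not Wordfence's or any plugin's code. Run inside a
// WordPress bootstrap, for example `wp eval-file audit-upgrader-hook.php`.
// The hook name defaults to the one the post describes. WP_PLUGIN_DIR and the
// global $wp_filter registry are WordPress's own; the function name is ours.
function audit_hook_callbacks( $hook = 'upgrader_process_complete' ) {
    global $wp_filter;
    $rows = array();
    if ( empty( $wp_filter[ $hook ] ) ) {
        return $rows;
    }
    // WP_Hook stores callbacks grouped by priority, then by a unique id.
    foreach ( $wp_filter[ $hook ]->callbacks as $priority => $callbacks ) {
        foreach ( $callbacks as $entry ) {
            $fn = $entry['function'];
            try {
                if ( $fn instanceof Closure || ( is_string( $fn ) && function_exists( $fn ) ) ) {
                    $ref  = new ReflectionFunction( $fn );
                    $name = $fn instanceof Closure ? '{closure}' : $fn;
                } elseif ( is_array( $fn ) && count( $fn ) === 2 ) {
                    $ref  = new ReflectionMethod( $fn[0], $fn[1] );
                    $name = ( is_object( $fn[0] ) ? get_class( $fn[0] ) : $fn[0] ) . '::' . $fn[1];
                } else {
                    continue; // unknown callable shape; nothing to resolve
                }
            } catch ( ReflectionException $e ) {
                continue;
            }
            $file = $ref->getFileName();
            $file = $file ? $file : '(internal)';
            $rows[] = array(
                'priority'  => $priority,
                'callback'  => $name,
                'file'      => $file,
                // Callbacks registered from wp-content/plugins deserve a closer
                // look after a plugin supply-chain incident.
                'in_plugin' => strpos( $file, WP_PLUGIN_DIR ) === 0,
            );
        }
    }
    return $rows;
}

foreach ( audit_hook_callbacks() as $row ) {
    printf( "%s%d\t%s\t%s\n", $row['in_plugin'] ? '[PLUGIN] ' : '         ',
        $row['priority'], $row['callback'], $row['file'] );
}
```

Compare the reported files against the plugins you expect to act on upgrades; a callback from a plugin with no legitimate reason to observe the upgrader is worth reading in full.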
The presence of non-functional and/or poorly refactored code, along with a lack of code reuse, suggests the use of AI to generate the code snippets.
On June 22, 2024 at 02:20:44 AM further malicious code changes were committed to the plugin.
What makes this code the most interesting is that instead of stealthily using native WordPress core functionality to perform all of these actions, the threat actor(s) opted to fetch the configuration data and then issue SQL queries to perform all of the actions.
It contains code to parse the configuration file of the WordPress installation and performs a connection check.
Note how the function previously used to generate a random password was not reused, but instead its code is simply pasted into this function.
While some of the functionality targets WordPress in particular, the malware also provides code to look for other content management systems.
While the code that obtains the user count for WordPress installations appears to be properly implemented, the functions provided to count users in various CMSes are not actually complete and return zero.
While it's not entirely clear why the attacker may have completely swapped out their old code for new code, it could be that they wanted to gain an initial foothold and persistence with the admin account creation and then inject malware to generate revenue.
Interestingly, the malware does appear to contain code that ensures the PHP file still validates after the injection.
After we notified the WordPress Plugins Team on their Slack channel and via email, user frantorres reacted quickly and removed the malicious code from this plugin on June 24, 2024 at 04:34:22 PM. Shortly thereafter another release was prepared that added an incident response notice to the affected plugin explaining that an administrative user might have been created and that their password may have been sent to a third party.
Code commits for Social Warfare began on June 22, 2024 at 04:15:22 AM and contained the bulk of the malicious PHP code discussed above while the cryptomining JavaScript code was added in the afternoon at 01:28:34 PM. The WordPress Plugins Team reverted those changes on June 23, 2024 at 04:55:29 PM and at 06:30:27 PM committed a version that contains code which changes the passwords of malicious users identical to the fix applied to the Blaze Widget.
The first modification to this plugin was made on June 24, 2024 at 02:42:32 AM when both the malicious PHP code and JavaScript code discussed above were added.
The WordPress Plugins Team intervened at 03:58:06 PM and rolled back to previous code while tagging a new release.
The malicious code was added on June 24, 2024 at 02:47:37 AM. This includes the PHP and JavaScript code.
At 04:09:13 PM the WordPress Plugins Team removed the malicious code in version 1.0.6 and issued version 1.0.7 at 04:25:55 PM, which contains the admin password reset code.
A full removal occurred on June 24, 2024 at 03:44:39 PM, when the WordPress Plugins Team removed the offending code.
In today's blog post, we went into further details on the malware added to five repository plugins during a recent supply chain attack, along with the timeline of events.
This Cyber News was published on www.wordfence.com. Publication date: Thu, 27 Jun 2024 20:13:05 +0000