The Wordfence Threat Intelligence Team has recently been informed of a phishing campaign targeting WordPress users.
The Download Plugin link redirects the victim to a convincing fake landing page at en-gb-wordpress[.
It then sends the site URL and generated password for this user back to a C2 domain: wpgate[.]zip.
The malicious plugin also includes functionality to ensure that this user remains hidden.
It downloads a separate backdoor from wpgate[.]zip and saves it with a filename of wp-autoload.php in the webroot.
This allows attackers to maintain persistence through multiple forms of access, granting them full control over the WordPress site as well as the web user account on the server.
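A defender-side audit for the two indicators described above (a wp-autoload.php dropped in the webroot and an administrator account hidden from the dashboard), added here as an example and not Wordfence's own code. It assumes WP-CLI is installed on the host and that the path passed in is the document root of the site being checked.

```shell
#!/bin/sh
# Added example (not Wordfence's code): audit a WordPress install for the two
# indicators named in the PSA. Assumes WP-CLI is installed and that $1 is the
# document root of the site being checked.

# Report any wp-autoload.php directly in the webroot (core WordPress ships no
# such file). Prints matching paths and returns 0 if found, 1 otherwise.
find_wp_autoload() {
    hits=$(find "$1" -maxdepth 1 -type f -name 'wp-autoload.php' 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 0
    fi
    return 1
}

# List administrators straight from the database. A plugin can hook the
# WordPress user queries to hide an account in wp-admin, but it cannot
# filter a raw SQL query against the users/usermeta tables.
list_admins_from_db() {
    webroot="$1"
    # Fall back to the default prefix if WP-CLI cannot report it.
    prefix=$(wp --path="$webroot" db prefix 2>/dev/null || echo 'wp_')
    wp --path="$webroot" db query --skip-column-names \
        "SELECT u.user_login, u.user_email, u.user_registered
           FROM ${prefix}users u
           JOIN ${prefix}usermeta m ON m.user_id = u.ID
          WHERE m.meta_key = '${prefix}capabilities'
            AND m.meta_value LIKE '%administrator%'"
}

# Run both checks; exit status 1 means the backdoor file was found.
audit_wordpress() {
    webroot="$1"
    status=0
    if find_wp_autoload "$webroot"; then
        echo "WARNING: wp-autoload.php present in $webroot" >&2
        status=1
    fi
    echo "Administrator accounts in the database (compare with Users > All Users):"
    list_admins_from_db "$webroot"
    return $status
}

# Run the audit when a webroot is passed on the command line.
if [ -n "${1:-}" ]; then
    audit_wordpress "$1"
fi
```

Any account the database lists that does not appear under Users > All Users in the dashboard is being hidden from you and warrants the same treatment as the file.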
In today's PSA, we warned of a phishing campaign targeting WordPress users intended to trick victims into installing a malicious backdoor plugin on their site.
Our telemetry indicates that no Wordfence users are currently infected, and we have added the malicious administrator user to our known malicious usernames.
We are currently in the process of testing malware signatures to detect both the malicious plugin and the separate backdoor, which will be released to Wordfence Premium, Wordfence Care, Wordfence Response, and paid Wordfence CLI users as soon as possible.
Wordfence free users will receive the same signatures 30 days later.
We will release a deep-dive analysis of the malicious plugin and separate wp-autoload.php backdoor in a future post.
For the time being, be on the lookout for this phishing email and do not click any links, including the Unsubscribe link, or install the plugin on your site.
If you have friends or acquaintances with WordPress sites, please forward this advisory to them to ensure that they do not install this malicious plugin.
This Cyber News was published on packetstormsecurity.com. Publication date: Mon, 04 Dec 2023 13:43:04 +0000