Cybersecurity researchers have uncovered a malware campaign that targets WordPress websites by posing as a legitimate security plugin. The dropper, a file named “WP-antymalwary-bot.php,” lets attackers keep persistent access, hide their presence from administrators, and execute code remotely. The malware was first observed in January 2025 and has since evolved, with newer variants spreading across the web. Here is a breakdown of the attack, its methods, and the broader impact.
Once installed, the malware grants the attackers full administrator access to the WordPress dashboard. It uses the site’s REST API to execute remote code, injects PHP into the active theme’s header file, and clears the caches of popular caching plugins. Several distinct steps are taken to ensure persistence, which makes the malicious code hard for administrators to remove completely: the plugin is accompanied by a wp-cron.php file that automatically reinstates the malware if the plugin is deleted.
Other filenames associated with this threat include “addons.php,” “wpconsole.php,” “wp-performance-booster.php,” and “scr.php.” Rotating filenames helps the malware evade simple name-based checks and complicates efforts to identify infected sites. The malware has also been found to fetch JavaScript from compromised domains, which is used to display spam ads or other malicious content on the site.
A notable feature of the attack is its stealth: a function hides the plugin from the plugin list in the admin dashboard, so an administrator who only looks there will not see it. The researchers also noted a “pinging” function through which the compromised site reports back to a command-and-control server, supporting further malicious activity. The initial access vector remains unclear, but Russian-language comments in the code suggest the attackers may be Russian-speaking. The campaign shows how a single compromised WordPress site can be turned into a lasting foothold that affects site owners and visitors alike.
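A practical consequence of the dashboard-hiding function is that the admin UI cannot be trusted to list what is installed; the filesystem can. The following is an added example (not code from the report, the researchers, or WordPress) that sweeps a WordPress install for the indicators described above: plugin files carrying the filenames the article lists, a wp-cron.php anywhere other than the install root, and theme header.php files containing loader or obfuscation calls that a template header has no reason to make. The filename list is taken from the article; the header heuristic (eval, base64_decode, gzinflate, str_rot13) and the placement of the extra wp-cron.php inside the plugin directory are assumptions made for this example, and the directory tree it scans is constructed test data.

```python
"""Filesystem sweep for the WordPress dropper indicators described above.
Added example: not code from the article, the researchers, or WordPress."""
import re
import shutil
import tempfile
from pathlib import Path

# Filenames the article ties to the campaign (compared case-insensitively).
KNOWN_DROPPER_NAMES = {
    "wp-antymalwary-bot.php",
    "addons.php",
    "wpconsole.php",
    "wp-performance-booster.php",
    "scr.php",
}

# Assumed heuristic for this example: PHP a theme header.php has no business
# calling. These are generic obfuscation/loader functions, not signatures
# published with the report.
SUSPICIOUS_PHP = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE
)


def scan_wordpress_root(root):
    """Walk a WordPress install and return sorted (category, relative_path) findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()

        # 1. Dropper filenames under wp-content/plugins. Walking the disk
        #    sidesteps the hook that hides the plugin from the dashboard.
        if name in KNOWN_DROPPER_NAMES and rel.startswith("wp-content/plugins/"):
            findings.append(("known-dropper-name", rel))

        # 2. WordPress ships exactly one wp-cron.php, at the install root.
        #    Any other copy is treated here (assumption) as a reinstaller.
        if name == "wp-cron.php" and "/" in rel:
            findings.append(("stray-wp-cron", rel))

        # 3. Theme header.php files that contain loader/obfuscation calls.
        if name == "header.php" and rel.startswith("wp-content/themes/"):
            if SUSPICIOUS_PHP.search(path.read_text(errors="replace")):
                findings.append(("injected-header-php", rel))
    return sorted(findings)


def build_sample_install():
    """Create a throwaway install tree. Constructed test data, not a real capture."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    files = {
        "wp-cron.php": "<?php // genuine core entry point\n",
        "wp-content/plugins/akismet/akismet.php": "<?php /* Plugin Name: Akismet */\n",
        "wp-content/plugins/WP-antymalwary-bot.php": "<?php /* Plugin Name: Security */\n",
        "wp-content/plugins/WP-antymalwary-bot/wp-cron.php": "<?php // reinstaller (assumed placement)\n",
        "wp-content/themes/tampered/header.php":
            "<?php wp_head(); ?>\n<?php eval(base64_decode($_REQUEST['c'])); ?>\n",
        "wp-content/themes/clean/header.php": "<?php wp_head(); ?>\n<header></header>\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    sample = build_sample_install()
    try:
        for category, rel in scan_wordpress_root(sample):
            print(f"{category:22s} {rel}")
    finally:
        shutil.rmtree(sample)
```

Run it against a real document root by calling scan_wordpress_root("/var/www/html") (path is an assumption) from a shell on the host, not through WordPress itself; the point of the filesystem walk is that it does not depend on anything the compromised site reports about itself. Treat the findings as leads to confirm against a clean copy of the theme and plugin files, not as proof on their own.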
What Undercode Says:
The ongoing threat posed by malware campaigns like this one is alarming, especially considering the increasing sophistication and stealth with which attackers are operating. The fact that attackers have successfully hidden the malware under the guise of a legitimate security plugin is a clear sign of the advanced nature of current cyber threats. By camouflaging malicious code as something trustworthy, the attackers increase the chances of their malware being installed and activated.
What’s particularly concerning is the multi-layered approach employed by this campaign. From gaining administrator access to injecting malicious code into site themes, clearing caches, and leveraging compromised domains to spread JavaScript malware for advertising purposes, the attackers are leaving no stone unturned. This makes detection and removal significantly harder for site administrators, especially those who may not have the technical expertise to recognize these subtle intrusions.
The continued evolution of this malware, with newer iterations adding the pinging functionality and reactivation through wp-cron.php, shows how criminals keep improving their tooling to evade detection and stay a step ahead of defenders. The campaigns reported alongside it, which inject ads and use fake CAPTCHA verifications to trick users into running Node.js-based backdoors, show a comparable level of sophistication.
The use of a traffic distribution system (TDS) such as Kongtuke in those related campaigns likewise shows how attackers build infrastructure to distribute malware and exploit vulnerabilities across many websites. Whether abusing Google AdSense code for revenue or tricking users into executing malware through fake CAPTCHA pages, the threat actors exploit the trust users place in familiar platforms.
Fact Checker Results:
- Researchers have confirmed that the malware campaign has affected a significant number of WordPress sites, making it a serious concern for the platform’s security.
- The presence of Russian-language comments in the code points to Russian-speaking threat actors, but further investigation is required to fully identify the responsible group.
- Similar malicious campaigns, including those targeting e-commerce sites with fake payment forms, are indicative of a broader trend in cybercrime where attackers use multiple methods to steal sensitive data.
Prediction:
Looking ahead, this type of WordPress malware campaign is likely to become more prevalent as attackers refine their techniques. The combination of legitimate-looking plugins, the use of compromised domains for distributing malicious code, and the manipulation of ad systems for profit suggests that website owners must take proactive security measures. The increasing use of multi-layered attacks targeting everything from sensitive user data to ad revenue highlights a growing trend in cybercrime where the exploitation of trusted systems for profit is the primary objective. Website administrators will need to stay vigilant, regularly update their plugins, and employ security tools that can detect subtle intrusions like this one.
References:
Reported By: thehackernews.com