
Cybersecurity researchers have highlighted a new campaign targeting WordPress sites that disguises its malware as a security plugin.
The plugin, which goes by the name “wp-antymalwary-bot.php”, comes with a variety of features to maintain access, hide itself from the administrator dashboard, and execute remote code.
“Pinging functionality that can report back to a command-and-control (C&C) server is also included, as is code that helps spread the malware into other directories and inject the malicious JavaScript responsible for serving advertisements,” Wordfence’s Marco Wotschka said in a report.
First discovered during a site cleanup effort in late January 2025, the malware has since been found in the wild with new variants. Some of the other names used for the plugin are listed below:
- addons.php
- wpconsole.php
- wp-performance-booster.php
- scr.php
Once installed and activated, it gives the threat actors administrator access to the dashboard and uses the REST API to facilitate remote code execution, injecting malicious PHP code into the site theme’s header file or clearing the caches of popular caching plugins.
A newer iteration of the malware includes notable changes to the way code injections are handled, fetching JavaScript code hosted on another compromised domain to serve advertisements or spam.
The plugin is also complemented by a malicious wp-cron.php file, which automatically recreates and reactivates the malware on the next site visit should it be removed from the plugins directory.
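As an added defender-side check (example code, not Wordfence’s report code or the malware itself), the following must-use plugin compares the plugin files present on disk with what the dashboard would list after the `all_plugins` filter, one common way a plugin hides itself from the administrator dashboard, and also flags the file names reported above; the plugin name, log prefix and notice text are assumptions.

```php
<?php
/*
 * Plugin Name: Hidden Plugin Check (added example)
 * Drop into wp-content/mu-plugins/ so it loads regardless of the plugins list.
 * Compares the plugin files that exist on disk with the list the dashboard
 * would display after the 'all_plugins' filter, the hook a self-hiding plugin
 * typically abuses, and also flags the file names reported for this campaign.
 */
add_action('admin_init', function () {
    if (!current_user_can('manage_options')) {
        return;
    }
    if (!function_exists('get_plugins')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    // get_plugins() scans wp-content/plugins directly (single-file plugins and
    // plugin directories); the dashboard table filters that array afterwards.
    $on_disk   = get_plugins();
    $displayed = apply_filters('all_plugins', $on_disk);
    $hidden    = array_keys(array_diff_key($on_disk, $displayed));

    // File names reported for this campaign, matched case-insensitively on the basename.
    $reported = ['wp-antymalwary-bot.php', 'addons.php', 'wpconsole.php',
                 'wp-performance-booster.php', 'scr.php'];
    $matches = array_filter(array_keys($on_disk), function ($file) use ($reported) {
        return in_array(strtolower(basename($file)), $reported, true);
    });

    $findings = array_values(array_unique(array_merge($hidden, $matches)));
    if (!$findings) {
        return;
    }
    // Log for the SOC and surface a notice; review the listed files before removing them.
    error_log('[hidden-plugin-check] suspicious plugin files: ' . implode(', ', $findings));
    add_action('admin_notices', function () use ($findings) {
        echo '<div class="notice notice-error"><p>Plugin files present on disk but hidden '
           . 'from the plugins list, or matching reported names: '
           . esc_html(implode(', ', $findings)) . '</p></div>';
    });
});
```

Because some plugins register the hiding filter only while plugins.php is loading, check the notice from that screen rather than the dashboard home. A plugin can hide by other means as well, so treat a clean result as one signal, not proof of a clean install.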
It is currently not clear how the sites are compromised to deliver the malware or who is behind the campaign. However, the presence of Russian-language comments and messages suggests that the threat actors are Russian-speaking.
The disclosure comes as Sucuri detailed a web skimmer campaign that uses a fake fonts domain named “italicfonts[.]org” to display a fake payment form on checkout pages, record the entered information, and exfiltrate the data to the attacker’s server.
Another “advanced, multi-stage carding attack” investigated by the website security company targets Magento e-commerce portals with JavaScript malware designed to harvest a wide range of sensitive information.
“This malware leveraged a fake GIF image file, local browser session data, and a malicious reverse proxy server to facilitate the theft of credit card data, login details, cookies, and other sensitive data from the compromised website,” security researcher Ben Martin said.
The GIF file is, in fact, a PHP script that acts as a reverse proxy, capturing incoming requests and collecting the necessary information when a site visitor lands on the checkout page.
Adversaries have also been observed injecting Google AdSense code into at least 17 WordPress sites in various locations, with the goal of delivering unwanted advertisements and generating revenue on a per-click or per-impression basis.
“They are trying to use your site’s resources, and worse, they could be stealing your advertising revenue,” security researcher Puja Srivastava said. “By injecting their own Google AdSense code, they get paid instead of you.”
That is not all. Bogus CAPTCHA verifications served on compromised websites have been found to trick users into downloading and executing malware.
The activity has been attributed by Trustwave SpiderLabs to a traffic distribution system (TDS) known as Kongtuke (aka 404 TDS, Chaya_002, LandUpdate808, and TAG-124).
“The JS script dropped post-infection is designed as a multifunctional backdoor, capable of executing detailed system reconnaissance, executing remote commands, tunneling network traffic (SOCKS5 proxy), and maintaining covert, persistent access,” security researcher Reegun Jayapaul said.