Cybersecurity researchers have identified a sophisticated backdoor embedded within the mu-plugins directory of WordPress sites, enabling attackers to maintain persistent administrative access and execute arbitrary actions.
Must-use plugins, or mu-plugins, are special plugins in WordPress that are automatically activated across all sites within an installation. By default, they reside in the wp-content/mu-plugins directory. Unlike regular plugins, mu-plugins do not appear in the standard list on the Plugins page of the WordPress admin dashboard and cannot be deactivated through the admin interface; they can only be removed by deleting the plugin file from the mu-plugins directory.
This characteristic makes mu-plugins an attractive target for attackers seeking to conceal malicious code. By placing malware within this directory, attackers can ensure their code operates discreetly, evading detection by site administrators.
In a recent case observed by web security firm Sucuri, a PHP script named wp-index.php was discovered in the mu-plugins directory. This script functions as a loader, retrieving a secondary payload from a remote server and storing it in the WordPress database within the wp_options table under the key _hdra_core.
The URL for the remote payload is obfuscated using ROT13, a simple substitution cipher that shifts each letter 13 positions in the alphabet (e.g., A becomes N, B becomes O). This obfuscation technique adds a layer of concealment to the malicious operation.
Once the payload is fetched, it is temporarily written to the server’s disk and executed. This backdoor grants the attacker persistent access to the site and the capability to execute any PHP code remotely.
Specifically, the backdoor injects a hidden file manager into the theme directory under the name pricing-table-3.php. This tool allows attackers to browse, upload, or delete files on the server. Additionally, it creates an administrator user account named officialwp and installs a malicious plugin called wp-bot-protect.php, which is then activated.
To ensure the infection persists even if some components are removed, the malware includes mechanisms to reinstate itself. It also has the capability to change the passwords of common administrator usernames, such as admin, root, and wpsupport, to a default password set by the attacker. This extends to the officialwp user account created by the malware.
By implementing these measures, attackers can maintain continuous access to the compromised sites and perform various malicious activities. These activities can range from data theft to injecting code that serves malware to site visitors or redirects them to fraudulent websites.
To mitigate such threats, it is crucial for site owners to regularly update WordPress, themes, and plugins. Implementing two-factor authentication for all accounts adds an extra layer of security. Regular audits of all site components, including theme and plugin files, can help detect and remove unauthorized changes.
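The audit the last paragraph recommends can be scripted against the indicators the article names. The following is an added example, not code from the article or from Sucuri: it walks a WordPress document root, lists every PHP file in wp-content/mu-plugins (since those load unconditionally and never appear in the admin plugin list), flags the wp-index.php loader, the wp-bot-protect.php plugin and a pricing-table-3.php file under any theme, and decodes ROT13 string literals so a concealed payload URL can be read in clear. It assumes the ROT13 string sits in a PHP `str_rot13('...')` call with a literal argument; the article only says the URL is ROT13-obfuscated, so that pattern is an assumption. The theme name and all sample files are constructed for the demonstration. Checking the `_hdra_core` row in wp_options needs database access and is not covered by this file-system pass.

```python
"""Added example, not code from the article or from Sucuri: an offline audit
of a WordPress document root for the indicators the article names, which also
decodes ROT13 string literals passed to PHP's str_rot13() so that a hidden
payload URL can be read in clear. Paths, the theme name and the sample files
below are constructed for the demonstration."""
import codecs
import os
import re
import tempfile

# Indicators named in the article, as paths relative to the WordPress root.
KNOWN_BAD_FILES = {
    "wp-content/mu-plugins/wp-index.php": "mu-plugin loader",
    "wp-content/plugins/wp-bot-protect.php": "malicious plugin",
}
# The article does not say which theme received the file manager, so this
# basename is matched under every theme directory.
KNOWN_BAD_BASENAMES = {"pricing-table-3.php": "hidden file manager in theme"}

# Assumption: the ROT13 URL sits in a str_rot13('...') call with a literal
# argument. The article only says the URL is ROT13-obfuscated.
ROT13_CALL = re.compile(r"str_rot13\s*\(\s*(['\"])(.*?)\1\s*\)", re.S)


def rot13(text):
    """ROT13 is its own inverse (A<->N, B<->O, ...), so encode == decode."""
    return codecs.decode(text, "rot_13")


def decode_rot13_literals(php_source):
    """Return the decoded form of every literal passed to str_rot13()."""
    return [rot13(m.group(2)) for m in ROT13_CALL.finditer(php_source)]


def audit_wordpress_root(root):
    """Return (description, detail) findings for one WordPress tree."""
    findings = []

    # 1) mu-plugins load unconditionally and are invisible in the admin plugin
    #    list, so every PHP file there is reported and scanned for ROT13.
    mu_dir = os.path.join(root, "wp-content", "mu-plugins")
    if os.path.isdir(mu_dir):
        for name in sorted(os.listdir(mu_dir)):
            if not name.endswith(".php"):
                continue
            rel = os.path.join("wp-content", "mu-plugins", name)
            with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            findings.append(("mu-plugin present", rel))
            for decoded in decode_rot13_literals(source):
                findings.append(("rot13 literal decoded", f"{rel}: {decoded}"))

    # 2) exact paths from the article.
    for rel, description in KNOWN_BAD_FILES.items():
        if os.path.isfile(os.path.join(root, rel)):
            findings.append((description, rel))

    # 3) the file manager basename under any theme (os.walk yields nothing
    #    if the themes directory does not exist).
    themes_dir = os.path.join(root, "wp-content", "themes")
    for dirpath, _dirs, files in os.walk(themes_dir):
        for name in files:
            if name in KNOWN_BAD_BASENAMES:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((KNOWN_BAD_BASENAMES[name], rel))
    return findings


def build_sample_site():
    """Constructed WordPress tree that reproduces the article's layout."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    # 'uggcf://rknzcyr.pbz/cnlybnq' is ROT13 of a constructed example URL.
    files = {
        "wp-content/mu-plugins/wp-index.php":
            "<?php // constructed sample, not the real loader\n"
            "$u = str_rot13('uggcf://rknzcyr.pbz/cnlybnq');\n",
        "wp-content/plugins/wp-bot-protect.php": "<?php // constructed sample\n",
        "wp-content/themes/sample-theme/pricing-table-3.php": "<?php // constructed sample\n",
        "wp-content/themes/sample-theme/functions.php": "<?php // benign theme file\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for description, detail in audit_wordpress_root(build_sample_site()):
        print(f"{description:28} {detail}")
```

Run it against a real document root with `audit_wordpress_root("/var/www/html")` (a placeholder path). Every mu-plugin is reported, not only the named one, because an administrator should be able to account for each file in that directory; anything unexplained there deserves the same scrutiny as a known indicator, and any decoded ROT13 literal that turns out to be a URL is worth treating as a download location to block and investigate.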