A sophisticated malware campaign has been identified, targeting WordPress administrators through a deceptive caching plugin designed to steal login credentials and compromise website security.
Discovery of the Malicious Plugin
Security researchers have uncovered a malicious plugin named wp-runtime-cache that masquerades as a caching tool. It targets users holding administrator- or editor-level capabilities and sends their login credentials to an external server controlled by the attackers.
Characteristics of the Fake Plugin
Unlike authentic caching plugins that typically consist of multiple PHP and JavaScript files, this malicious variant comprises only a single file: `wp-runtime-cache.php`. Several red flags distinguish it from legitimate software:
– Empty Metadata Fields: The plugin’s description, author information, and URL fields are conspicuously blank, whereas genuine plugins provide vendor identification and support resources.
– Obfuscated Code: The code hides its strings as base64 and uses randomly generated function and variable names such as `woocomHeic0971` and `pbes2PITR0339`, including one particularly telling name, `infiltrateDocumentStore0460`.
Execution and Credential Harvesting
The malware registers its harvesting function on the WordPress `wp_login` action: `add_action('wp_login', 'octopusJson50286', 10, 2)`. That hook fires after a successful login and passes the username and the `WP_User` object (the `2` is the accepted argument count), so the function runs every time a user authenticates, including through the admin login form. Because WordPress stores only password hashes, capturing a plaintext password requires running during the login request itself, which is why the malware hooks the login flow rather than reading stored data.
The plugin targets high-privilege users only. After a login it checks whether the user holds one of two capabilities (not roles) whose names are stored base64-encoded in the code:
– `bWFuYWdlX29wdGlvbnM=` (decodes to `manage_options`, held by administrators)
– `ZWRpdF9wYWdlcw==` (decodes to `edit_pages`, held by editors and administrators)
When the logged-in user holds either capability, the plugin builds an array containing the username, the password and the user's capabilities and posts it to a command-and-control server with WordPress's own `wp_remote_post()` function. The destination URL is also stored base64-encoded and decodes to `https://woocommerce-check.com/report-to`.
Suspicious Domain Registration
The malicious domain `woocommerce-check.com` was registered on October 27, 2024. The registration details are inconsistent: an Arkansas address paired with a phone number under Hong Kong's country code (+852.68584411), suggesting the registrant details are falsified.
Evasion Techniques
The plugin incorporates evasion techniques to stay hidden from administrators:
– Self-Hiding Mechanism: It registers `add_action('pre_current_active_plugins', 'pbes2PITR0339')`, an action WordPress fires in wp-admin just before the Plugins screen renders, and uses the callback to remove its own entry from the list. The plugin therefore does not appear in the standard admin interface. The file is still present on disk and the plugin is still recorded in the `active_plugins` option, so server-side listings are unaffected.
– Hardcoded Bypass Token: The code contains a hardcoded value `WsXZjIFxgnLnC5V` (described as a hash) that lets a specific user bypass the hiding mechanism, presumably so the attackers can see and manage their own infection while it stays invisible to legitimate administrators.
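The red flags above (blank header fields, base64-hidden capability names and C2 URL, hooks on `wp_login` and `pre_current_active_plugins`) can all be checked from the server side with a short scanner. The following is an added example, not code from the original report or from the malware: it reads plugin headers the way WordPress core's `get_file_data()` does, decodes every base64 literal, lists `add_action()` hook names, and reports the combination. Both plugin sources it scans are constructed stand-ins (the fake one carries the described indicators but no payload; the C2 URL literal is base64-encoded at runtime rather than typed by hand).

```python
"""Added example, not code from the report: heuristic scanner for the indicators above
(blank header fields, base64-hidden capabilities/URLs, wp_login and
pre_current_active_plugins hooks).  Both plugin sources are constructed stand-ins."""
import base64, os, re, tempfile

HEADER_FIELDS = ("Plugin Name", "Description", "Author", "Plugin URI")
SUSPICIOUS_HOOKS = frozenset({"wp_login", "pre_current_active_plugins"})
SENSITIVE_CAPS = frozenset({"manage_options", "edit_pages"})
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{12,}={0,2})['\"]")
ADD_ACTION = re.compile(r"add_action\(\s*['\"]([^'\"]+)['\"]")


def parse_header(src):
    """Read `Field: value` lines from the first 8 KiB, as WordPress's get_file_data() does."""
    fields = {}
    for name in HEADER_FIELDS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(name) + r":(.*)$", src[:8192], re.M | re.I)
        fields[name] = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip() if m else ""
    return fields


def decode_literals(src):
    """Quoted base64 literals that decode to printable ASCII (a plain grep misses these)."""
    out = []
    for lit in B64_LITERAL.findall(src):
        try:  # binascii.Error (bad length/alphabet) is a ValueError subclass
            text = base64.b64decode(lit, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            out.append(text)
    return out


def scan_plugin_source(src, rel):
    """Indicator list for a plugin main file (rel = path under wp-content/plugins),
    or None for any other PHP file."""
    header = parse_header(src)
    if not header["Plugin Name"]:
        return None
    decoded = decode_literals(src)
    checks = [
        ("layout: ", ["single-file plugin, weak indicator alone"] if "/" not in rel else []),
        ("empty header fields: ", [f for f in ("Description", "Author", "Plugin URI") if not header[f]]),
        ("base64-hidden capabilities: ", sorted(SENSITIVE_CAPS.intersection(decoded))),
        ("base64-hidden URLs: ", [d for d in decoded if d.startswith(("http://", "https://"))]),
        ("add_action on: ", sorted(SUSPICIOUS_HOOKS.intersection(ADD_ACTION.findall(src)))),
    ]
    return [label + ", ".join(items) for label, items in checks if items]


def scan_plugins_dir(plugins_dir):
    """Walk the directory on disk: the self-hiding hook edits only the admin Plugins screen."""
    results = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, plugins_dir).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                flags = scan_plugin_source(fh.read(), rel)
            if flags is not None:
                results[rel] = flags
    return results


# Constructed stand-in with the described red flags and no payload.
FAKE_PLUGIN = """<?php
/*
Plugin Name: WP Runtime Cache
Description:
Author:
Plugin URI:
*/
$woocomHeic0971 = 'bWFuYWdlX29wdGlvbnM=';
$pbes2PITR0339 = 'ZWRpdF9wYWdlcw==';
$infiltrateDocumentStore0460 = '%s';
add_action('wp_login', 'octopusJson50286', 10, 2);
add_action('pre_current_active_plugins', 'pbes2PITR0339');
""" % base64.b64encode(b"https://woocommerce-check.com/report-to").decode()

BENIGN_PLUGIN = """<?php
/*
Plugin Name: Example Cache
Description: Page cache for example.org
Author: Example Maintainers
Plugin URI: https://example.org/cache
*/
add_action('init', 'example_cache_init');
"""


def demo():
    with tempfile.TemporaryDirectory() as plugins_dir:  # throw-away plugins directory
        os.mkdir(os.path.join(plugins_dir, "example-cache"))
        for rel, body in (("wp-runtime-cache.php", FAKE_PLUGIN),
                          ("example-cache/example-cache.php", BENIGN_PLUGIN)):
            with open(os.path.join(plugins_dir, *rel.split("/")), "w") as fh:
                fh.write(body)
        return scan_plugins_dir(plugins_dir)
```

Run `scan_plugins_dir("/var/www/html/wp-content/plugins")` on a live host; `demo()` returns the same dictionary for the two constructed samples, with the fake plugin flagged on every check and the benign one returning an empty list. The single-file check is reported as weak on purpose: legitimate single-file plugins exist, and it is the combination with hidden capability names, a hidden URL and the two hooks that matters.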
Mitigation Strategies
WordPress administrators can protect their sites through several security measures:
– Regular Security Audits: Server-side scanners that inspect wp-content/plugins on disk can detect unauthorized file uploads. This matters here because the plugin hides itself from the admin Plugins screen, not from the filesystem.
– Two-Factor Authentication (2FA): 2FA or IP restrictions on the login page limit what an attacker can do with stolen credentials. They do not stop the plugin from capturing the password, since it runs server-side after a successful login, so they reduce the impact of this campaign rather than prevent it; rotate passwords after removing the plugin.
– Monitoring for Unauthorized Plugins: Regularly review installed plugins using a listing of the plugins directory on the server or WP-CLI's `wp plugin list` (which reads the plugin files directly rather than going through the admin list table), not only the admin screen, and remove anything unfamiliar.
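The audit step above comes down to knowing what was on disk before and comparing against it. The following is an added example, not the report's or any vendor's code: a minimal file-integrity baseline for wp-content/plugins that records a SHA-256 per file and later reports files that appeared, vanished or changed, which is how a dropped single-file plugin or an edited legitimate plugin shows up regardless of what the admin screen displays. The directory contents and the simulated compromise are constructed for the demo.

```python
"""Added example, not from the report: a file-integrity baseline for wp-content/plugins,
the check a server-side scanner performs to catch unauthorized uploads.  Inputs are constructed."""
import hashlib, json, os, tempfile


def snapshot(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = h.hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Files that appeared, vanished, or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def _write(root, rel, text, mode="w"):
    with open(os.path.join(root, *rel.split("/")), mode) as fh:
        fh.write(text)


def demo():
    """Baseline a clean plugins directory, simulate the infection, and diff."""
    with tempfile.TemporaryDirectory() as plugins:
        os.mkdir(os.path.join(plugins, "example-cache"))
        _write(plugins, "example-cache/example-cache.php", "<?php\n/* Plugin Name: Example Cache */\n")
        # Store the baseline off the web host: an attacker who can write plugins can edit it too.
        baseline_json = json.dumps(snapshot(plugins))

        # Simulated compromise: a single-file plugin dropped in, a legitimate file edited in place.
        _write(plugins, "wp-runtime-cache.php", "<?php\n/* Plugin Name: WP Runtime Cache */\n")
        _write(plugins, "example-cache/example-cache.php",
               "add_action('wp_login', 'octopusJson50286', 10, 2);\n", mode="a")
        return diff_snapshots(json.loads(baseline_json), snapshot(plugins))
```

In practice, take the baseline right after a clean install or update, keep the JSON somewhere the web server's user cannot write, and re-run `diff_snapshots` from cron; any "added" entry directly under the plugins directory, or a "modified" file outside a deliberate update, is what to investigate first.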
By staying vigilant and implementing these security practices, administrators can safeguard their WordPress sites against such sophisticated malware campaigns.