Bogus WordPress Security Plugin Grants Hackers Admin Control
A malicious campaign is exploiting WordPress users by disguising malware as a legitimate security plugin, researchers warn. This fake plugin can give attackers complete administrative access to compromised websites.

Wordfence researchers have documented a campaign in which malware is disguised as, of all things, a WordPress security plugin.
The impostor plugin, "WP-antymalwary-bot.php," does the opposite of protecting a site. It gives attackers the means to maintain their access, hide the plugin from the admin dashboard, and execute code remotely.
"It even has a 'pinging' feature to check in with a command-and-control server," says Wordfence researcher Marco Wotschka. "And it can spread itself to other directories, injecting malicious JavaScript to serve up unwanted ads."
The malware was first spotted during a site cleanup in January, and variants have since appeared in the wild under other file names. Watch for these:
- addons.php
- wpconsole.php
- wp-performance-booster.php
- scr.php
Once installed and activated, the plugin grants the attackers administrator access. They then abuse the WordPress REST API for remote code execution, injecting malicious PHP into the active theme's header file or clearing the caches of popular caching plugins.
A newer variant goes further: it fetches JavaScript hosted on other compromised sites and injects it to serve ads or spam.
There is also a malicious wp-cron.php file in play. If the plugin is removed, this file recreates and reactivates it automatically the next time someone visits the site, so a cleanup that deletes only the plugin does not last.
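As an added example, not part of the article or of Wordfence's tooling, the following Python sweep walks a WordPress install for the indicators described above: the listed file names under wp-content/plugins, and a wp-cron.php anywhere other than the WordPress root (core keeps the genuine one at the root). The content heuristics are assumptions about how this kind of behaviour is commonly implemented, not a description of this sample's code: a plugin that filters the `all_plugins` list to hide itself, a REST route paired with `eval`/`system`, and `eval` or `base64_decode` in a theme `header.php`. The directory tree it scans is constructed inline.

```python
"""Offline sweep of a WordPress tree for the indicators described above.

Added example, not Wordfence's tooling. The file names come from the article;
the content heuristics (a plugin filtering the all_plugins list to hide itself,
a REST route whose callback reaches eval/system, wp-cron.php outside the
WordPress root) are assumptions about how such behaviour is commonly
implemented, not a description of this sample's code.
"""
import os
import re
import shutil
import tempfile

# File names the article lists for the fake plugin and its variants (matched case-insensitively).
KNOWN_NAMES = {
    "wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
    "wp-performance-booster.php", "scr.php",
}

# Assumed content heuristics.
RX_HIDE = re.compile(r"add_filter\(\s*['\"]all_plugins['\"]", re.I)
RX_REST = re.compile(r"register_rest_route\s*\(", re.I)
RX_EXEC = re.compile(r"\b(eval|system|passthru|shell_exec)\s*\(", re.I)
RX_B64 = re.compile(r"base64_decode\s*\(", re.I)


def scan_wordpress(root):
    """Return sorted (relative_path, finding) tuples for the install at ``root``."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lname = name.lower()
            # 1. Known fake-plugin file names dropped under wp-content/plugins.
            if lname in KNOWN_NAMES and rel.startswith("wp-content/plugins/"):
                findings.append((rel, "known fake-plugin file name"))
            # 2. Core keeps wp-cron.php at the root; a copy anywhere else is a dropper candidate.
            if lname == "wp-cron.php" and rel != "wp-cron.php":
                findings.append((rel, "wp-cron.php outside WordPress root"))
            # 3. Content heuristics, limited to PHP under wp-content (core files are out of scope here).
            if not (lname.endswith(".php") and rel.startswith("wp-content/")):
                continue
            with open(path, "r", errors="replace") as fh:
                src = fh.read()
            if RX_HIDE.search(src):
                findings.append((rel, "filters all_plugins list (self-hiding plugin)"))
            # A REST route together with an execution primitive is the RCE shape the article describes.
            if RX_REST.search(src) and RX_EXEC.search(src):
                findings.append((rel, "REST route with code execution primitive"))
            # The theme header is the injection target named in the article.
            in_theme_header = rel.startswith("wp-content/themes/") and lname == "header.php"
            if in_theme_header and (RX_EXEC.search(src) or RX_B64.search(src)):
                findings.append((rel, "suspicious code in theme header.php"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed WordPress layout in a temp dir (not a real compromised site)."""
    root = tempfile.mkdtemp(prefix="wp-sweep-")
    files = {
        "wp-cron.php": "<?php // genuine core file at the root\n",
        "wp-content/wp-cron.php": "<?php // dropper that re-creates the plugin on the next visit\n",
        "wp-content/plugins/akismet/akismet.php": "<?php // legitimate plugin\n",
        "wp-content/plugins/wp-antymalwary-bot.php": (
            "<?php\n"
            "add_filter('all_plugins', function($p) { unset($p[plugin_basename(__FILE__)]); return $p; });\n"
            "add_action('rest_api_init', function() {\n"
            "  register_rest_route('x/v1', '/run', ['callback' => function($r) { eval($r['c']); }]);\n"
            "});\n"
        ),
        "wp-content/themes/twentytwentyfour/header.php":
            "<?php eval(base64_decode('ZWNobyAxOw==')); ?><!DOCTYPE html>\n",
        "wp-content/themes/twentytwentyfour/footer.php": "</body></html>\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        for rel, finding in scan_wordpress(sample):
            print("%-55s %s" % (rel, finding))
    finally:
        shutil.rmtree(sample)
```

Point `scan_wordpress()` at a real document root to run it against a live install; the file-name and misplaced-wp-cron.php checks are low-noise, while the content heuristics will also hit some legitimate plugins and should be reviewed by hand rather than acted on automatically.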
How the sites are initially compromised, and who operates the campaign, remain unknown. Russian-language comments in the code suggest the operators may be Russian speakers.
Separately, Sucuri detailed a web skimmer that loads from a fake font domain ("italicfonts[.]org") and overlays a bogus payment form on checkout pages, sending whatever card details a shopper enters straight to the attacker.
Sucuri also found an "advanced, multi-stage carding attack" against Magento e-commerce sites, built around JavaScript malware designed to harvest sensitive data.
"This malware used a fake GIF image file, local browser sessionStorage data, and even messed with website traffic using a malicious reverse proxy server," explains security researcher Ben Martin. "All to steal credit card data, login details, cookies, and other sensitive info."
The "GIF" is in fact a PHP script that functions as a reverse proxy: it captures incoming requests and harvests the data it needs when a visitor lands on the checkout page.
Attackers are also injecting Google AdSense code into WordPress sites, at least 17 so far, to serve unwanted ads and earn revenue from clicks or impressions.
"They're using your site's resources to serve ads, and even worse, stealing your ad revenue if you're already using AdSense," warns security researcher Puja Srivastava. "By injecting their own code, they get paid instead of you."
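Because the attacker's goal is to be paid instead of the site owner, the tell is a publisher ID that is not yours. As an added example (not the article's or Sucuri's code), the routine below lists every `ca-pub-` publisher ID in rendered HTML and reports the ones missing from the owner's allow-list, with the line they appear on. It assumes the injected code uses the standard AdSense markup (`adsbygoogle.js?client=`, `data-ad-client`, `google_ad_client`); the HTML and both publisher IDs are constructed.

```python
"""Audit rendered HTML for AdSense publisher IDs that are not yours.

Added example, not Sucuri's tooling. It assumes the injected code uses the
standard AdSense markup; the article says only that attackers inject their own
code so that they, not the site owner, get paid.
"""
import re

# AdSense publisher IDs are 'ca-pub-' followed by 16 digits, wherever they appear
# (script src query string, data-ad-client attribute, google_ad_client variable).
PUB_ID = re.compile(r"ca-pub-\d{16}")

# Constructed page: the owner's own ID in <head> and an injected foreign ID near the footer.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-1111111111111111" crossorigin="anonymous"></script>
</head><body>
<ins class="adsbygoogle" data-ad-client="ca-pub-1111111111111111" data-ad-slot="123"></ins>
<p>Welcome</p>
<!-- constructed: the kind of snippet an attacker appends to footer.php -->
<script>(adsbygoogle=window.adsbygoogle||[]).push({google_ad_client:"ca-pub-9999999999999999",enable_page_level_ads:true});</script>
</body></html>
"""
OWN_IDS = {"ca-pub-1111111111111111"}   # constructed allow-list


def publisher_ids(html):
    """Every publisher ID present anywhere in the document."""
    return set(PUB_ID.findall(html))


def audit_adsense(html, own_ids):
    """Return (line_number, publisher_id, line_excerpt) for IDs not in ``own_ids``."""
    findings = []
    for lineno, line in enumerate(html.splitlines(), 1):
        for pub in PUB_ID.findall(line):
            if pub not in own_ids:
                findings.append((lineno, pub, line.strip()[:80]))
    return findings


if __name__ == "__main__":
    for lineno, pub, excerpt in audit_adsense(SAMPLE_HTML, OWN_IDS):
        print("line %d: foreign publisher %s: %s" % (lineno, pub, excerpt))
```

Feed it the HTML a crawler actually receives rather than the theme files on disk: the article notes that injected scripts can be fetched from other compromised sites at request time, so the foreign ID may never appear in the source tree.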
Finally, deceptive CAPTCHA verification pages are tricking users into downloading and running Node.js-based backdoors. These gather system information, grant remote access, and deploy a Node.js remote access trojan (RAT) that tunnels malicious traffic through SOCKS5 proxies.
Trustwave SpiderLabs attributes this activity to a traffic distribution system (TDS) called Kongtuke (also known as 404 TDS, Chaya_002, LandUpdate808, and TAG-124).
"The JS script dropped post-infection is a multi-functional backdoor," says security researcher Reegun Jayapaul. "It can do detailed system reconnaissance, execute remote commands, tunnel network traffic, and maintain covert, persistent access."
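SOCKS5 tunnelling leaves a recognisable handshake at the start of each TCP flow, which is what a hunter can look for regardless of the RAT's own protocol. The following added example, written for this article and not Trustwave's analysis code, parses the client greeting and CONNECT request defined in RFC 1928 and reports the destination each flow asks the proxy for. The article does not say whether the implant acts as SOCKS5 client or server, so the parser only recognises client-side messages; the TCP payloads and the proxy allow-list are constructed.

```python
"""Identify SOCKS5 handshakes in captured TCP payloads (RFC 1928).

Added example for this article, not Trustwave's code. The article says the
Node.js RAT tunnels traffic through SOCKS5 proxies but not which side of the
proxy the implant plays, so this recognises only the client greeting and
request and extracts the requested destination. Payloads are constructed.
"""
import ipaddress
import struct

CMD = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_greeting(payload):
    """Client greeting: VER NMETHODS METHODS...  Return the method list or None."""
    if len(payload) < 3 or payload[0] != 0x05:
        return None
    n = payload[1]
    if n == 0 or len(payload) < 2 + n:
        return None
    return list(payload[2:2 + n])


def parse_request(payload):
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT -> (cmd, host, port) or None."""
    if len(payload) < 7 or payload[0] != 0x05 or payload[2] != 0x00:
        return None
    cmd, atyp = payload[1], payload[3]
    if cmd not in CMD:
        return None
    if atyp == 0x01:                          # IPv4: 4 address bytes
        addr_len, off = 4, 4
        if len(payload) < off + addr_len + 2:
            return None
        host = str(ipaddress.IPv4Address(payload[off:off + addr_len]))
    elif atyp == 0x04:                        # IPv6: 16 address bytes
        addr_len, off = 16, 4
        if len(payload) < off + addr_len + 2:
            return None
        host = str(ipaddress.IPv6Address(payload[off:off + addr_len]))
    elif atyp == 0x03:                        # domain name: one length byte, then the name
        addr_len, off = payload[4], 5
        if addr_len == 0 or len(payload) < off + addr_len + 2:
            return None
        host = payload[off:off + addr_len].decode("ascii", "replace")
    else:
        return None
    (port,) = struct.unpack("!H", payload[off + addr_len:off + addr_len + 2])
    return CMD[cmd], host, port


def hunt(flows, allowed_proxies):
    """For each flow whose first two client payloads form a SOCKS5 handshake,
    report the proxy, the command, the target, and whether the proxy is unapproved."""
    alerts = []
    for flow in flows:
        payloads = flow["payloads"]
        if len(payloads) < 2 or parse_greeting(payloads[0]) is None:
            continue
        req = parse_request(payloads[1])
        if req is None:
            continue
        cmd, host, port = req
        alerts.append({
            "proxy": flow["dst"], "cmd": cmd, "target": "%s:%d" % (host, port),
            "unapproved": flow["dst"] not in allowed_proxies,
        })
    return alerts


# Constructed flows: an implant talking to an unknown proxy, a workstation using the
# corporate proxy, and plain HTTP as a negative control.
FLOWS = [
    {"dst": "203.0.113.10:1080", "payloads": [
        bytes([0x05, 0x01, 0x00]),                                    # greeting: NO AUTH
        bytes([0x05, 0x01, 0x00, 0x03, 11]) + b"example.org" + struct.pack("!H", 443)]},
    {"dst": "10.0.0.5:1080", "payloads": [
        bytes([0x05, 0x02, 0x00, 0x02]),                              # greeting: NO AUTH, USER/PASS
        bytes([0x05, 0x01, 0x00, 0x01, 192, 0, 2, 7]) + struct.pack("!H", 22)]},
    {"dst": "93.184.216.34:80", "payloads": [b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"]},
]
ALLOWED_PROXIES = {"10.0.0.5:1080"}   # constructed allow-list of sanctioned SOCKS5 proxies

if __name__ == "__main__":
    for alert in hunt(FLOWS, ALLOWED_PROXIES):
        print(alert)
```

In practice the payloads come from reassembled TCP streams (for example a Zeek or tcpflow export); the useful signal is a SOCKS5 handshake toward any host that is not a sanctioned proxy, or a sanctioned proxy being asked to CONNECT to an unexpected destination.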