This article summarizes a Sucuri post on new malware variants found in the wp-content/mu-plugins directory of WordPress sites. Threat actors favor this directory because WordPress loads every PHP file in it on every request, with no activation step and no deactivate option in the admin dashboard, so malicious code placed there runs on every page load and is easy to overlook. Three families were identified: a fake update redirect, a webshell, and a spam injector, showing that attackers keep returning to mu-plugins as a persistence location. Affected: WordPress websites
Key points:
- Malware variants are being found in the wp-content/mu-plugins directory of WordPress sites.
- Threat actors use mu-plugins (must-use plugins) as a hiding place: WordPress loads every PHP file in that directory automatically, the files need no activation, and they cannot be deactivated from the plugin screen, so they run unnoticed.
- Three main types of malware were identified: a Fake Update Redirect (sends visitors to a bogus update site), a Webshell (gives the attacker remote command execution and pulls further PHP from a remote host), and a Spam Injector (injects spam content and scripts into pages).
- Indicators of compromise include unexpected redirects or injected content on the front end, and PHP files under wp-content/mu-plugins that nobody on the team placed there; the filenames and URLs listed below are the specific indicators from this campaign.
- These malware types can lead to site takeover, data theft, reputation damage, and SEO manipulation.
- Prevention and mitigation: keep WordPress core, themes and plugins patched, use strong admin credentials, and put wp-content/mu-plugins under file-integrity monitoring; on a compromised site, remove the rogue files, then find and close the entry point, since a cleanup that leaves it open is likely to be reinfected.
MITRE Techniques:
- T1071.001: Application Layer Protocol: Web Protocols – the malware redirects victims and fetches its payloads over HTTP/HTTPS.
- T1036: Masquerading – the malicious files sit in mu-plugins under plausible names (index.php, redirect.php, custom-js-loader.php) so they pass for legitimate drop-ins.
- T1204.002: User Execution: Malicious File – the fake update redirect sends visitors to updatesnow[.]net, which prompts them to download and run a bogus update.
- T1505.003: Server Software Component: Web Shell – the webshell lets attackers execute arbitrary commands on the server.
- T1105: Ingress Tool Transfer – the webshell stages additional PHP (BypassBest.php) from a raw.githubusercontent.com URL at runtime.
Indicators of Compromise:
- [URL] https://updatesnow[.]net
- [URL] https://raw.githubusercontent.com/starkvps99812/upd/refs/heads/main/BypassBest.php
- [Filename] wp-content/mu-plugins/redirect.php
- [Filename] wp-content/mu-plugins/index.php
- [Filename] wp-content/mu-plugins/custom-js-loader.php
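The following bash script is an added triage helper written for this summary; it is not code from the Sucuri post. It walks a wp-content/mu-plugins directory, flags the filenames and strings from the indicator list above, looks for execution and obfuscation primitives (eval, base64_decode, shell_exec and similar) and for literal remote-URL fetches, and treats index.php specially: a comment-only index.php is a normal WordPress placeholder, while one that carries code is reported. The detection patterns and the index.php rule are the editor's assumptions, not rules from the post; tune them to what your site legitimately ships in that directory.

```shell
#!/usr/bin/env bash
# Added triage helper, not code from the Sucuri post. Inventories every PHP
# file at the top level of a WordPress mu-plugins directory (WordPress only
# auto-loads top-level files; anything in subdirectories is pulled in by one
# of those loaders) and flags files that match the campaign indicators or that
# carry constructs a site-specific drop-in has no business using.

# Indicators from the IoC list above, escaped for grep -E.
IOC_PATTERN='updatesnow\.net|raw\.githubusercontent\.com/starkvps99812/upd'
# Filenames from the IoC list. index.php is handled separately below because a
# comment-only index.php is a normal WordPress placeholder.
IOC_FILENAMES='redirect.php custom-js-loader.php'
# Execution and obfuscation primitives (assumed heuristic, expect some noise).
SUSPECT_PATTERN='(^|[^A-Za-z0-9_])(eval|assert|base64_decode|gzinflate|str_rot13|system|shell_exec|passthru|exec|popen|proc_open)[[:space:]]*\('
# Fetching code from a literal remote URL at runtime, as the webshell does with BypassBest.php.
REMOTE_FETCH_PATTERN="(file_get_contents|curl_init|fopen)[[:space:]]*\\([[:space:]]*[\"']https?://"

# sha256 of a file, for the report and for sharing with whoever handles the incident.
file_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# True when the file contains anything beyond PHP tags, comments and whitespace.
# Line comments are stripped per line, then single-segment block comments and
# tags are stripped from the joined text; a URL inside a string still survives,
# which is fine since a string literal already means "this is code".
index_php_has_code() {
  [ -n "$(sed 's#//.*##' "$1" | tr '\n' ' ' \
          | sed -e 's#/\*[^*]*\*/##g' -e 's#<?php##g' -e 's#?>##g' \
          | tr -d '[:space:]')" ]
}

# Prints one line per suspicious file: sha256, path, comma-separated reasons.
# Exit status 0 when nothing was flagged, 1 otherwise, so it can gate a cron job.
scan_mu_plugins() {
  local dir="$1" f name reasons hits=0
  for f in "$dir"/*.php; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    reasons=""
    case " $IOC_FILENAMES " in
      *" $name "*) reasons="ioc-filename" ;;
    esac
    if [ "$name" = index.php ] && index_php_has_code "$f"; then
      reasons="${reasons:+$reasons,}index.php-carries-code"
    fi
    if grep -qiE "$IOC_PATTERN" "$f"; then
      reasons="${reasons:+$reasons,}ioc-string"
    fi
    if grep -qE "$SUSPECT_PATTERN" "$f"; then
      reasons="${reasons:+$reasons,}exec-or-obfuscation"
    fi
    if grep -qE "$REMOTE_FETCH_PATTERN" "$f"; then
      reasons="${reasons:+$reasons,}remote-fetch"
    fi
    if [ -n "$reasons" ]; then
      printf '%s  %s  %s\n' "$(file_hash "$f")" "$f" "$reasons"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -eq 0 ]
}

# Usage: scan_mu_plugins /var/www/html/wp-content/mu-plugins
if [ $# -gt 0 ]; then
  scan_mu_plugins "$1"
fi
```

A clean result is not a clean site: a loader that includes files from a subdirectory, or a file under a name not on the list and free of the listed primitives, still needs to be read, and anything flagged should be checked against your deployment records before it is deleted, since a legitimate drop-in can trip the exec-or-obfuscation heuristic.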
Full Story: https://blog.sucuri.net/2025/03/hidden-malware-strikes-again-mu-plugins-under-attack.html