Malware masquerading itself as an SEO plugin called WP-Base-SEO has infected close to 4,000 WordPress sites in the past two weeks, according to security experts. The intent of the hackers behind the malware is to hide in plain sight, appearing as legitimate SEO plugin, at the same time creating a backdoor to the targeted WordPress account.
“They have stolen the code from an existing SEO plugin and tweaked it to appear as legitimate. That way, should a WordPress site owner poke around and look for suspicious activity, they might easily overlook it as a legitimate SEO plugin,” said Weston Henry, lead security analyst at security firm SiteLock, that found the bogus plugin. The fake WP-Base-SEO plugin is a forgery of a legitimate search engine optimization plugin, WordPress SEO Tools.
The means in which the plugin is being installed is likely via mass automated scanning of WordPress sites where attackers are looking for outdated plugins or WordPress themes, Henry said. A disproportionate number of infections are on WordPress installations running an outdated version of the WordPress slideshow plugin called RevSlider.
RevSlider is a popular WordPress plugin that has been tied to a number of high-profile site compromises over the past several years. In April 2016, an out-of-date version of RevSlider was blamed for the massive 2.5 terabyte data leak known as the “Panama Papers.” In July, attackers targeted WordPress websites running the RevSlider planting the Neutrino Exploit Kit on webpages that attempted to install the CryptXXX ransomware on visitors.
“We think RevSlider is just a part of the mix when it comes to what vulnerabilities these adversaries are looking to exploit. It could also be they are using stolen credentials or they are using brute-force password attacks against these sites,” Henry said.
A closer examination of the fake WP-Base-SEO malware reveals its malicious intent in the form of a base64 encoded PHP eval request, according to a technical blog that examines the plugin. “Eval is a PHP function that executes arbitrary PHP code. It is commonly used for malicious purposes and php.net recommends against using it,” SiteLock said.
Malicious content was found in /wp-content/plugins/wp-base-seo/wp-seo-main.php. “At first glance, the file appears to be legitimate, including a reference to the WordPress plugin database and documentation on how the plugin works,” according to the SiteLock.
Researchers focused on two files located in the malicious WP-Base-SEO plugin directory.
“(There is) wp-seo.php, which includes the require_once for the second file, wp-seo-main.php. Wp-seo-main.php uses different function and variable names depending on the install, like wpseotools_on_activate_blog vs. base_wpseo_on_activate_blog, and wp_base vs. base_wp_base,” wrote researchers.
“This means that anytime the theme is loaded in a browser, the request is initialized,” SiteLock said.
According to SiteLock’s analysis, the fake plugin’s obfuscation techniques have been largely successful, up until this point. When researching past instances of WP-Base-SEO infections, SiteLock said the plugin has managed to fly under the radar of many malware scanners. “This highlights the critical need for web application security, including a malware scanner that can identify vulnerabilities and automatically remove malware,” SiteLock wrote.
In addition to scanning, Henry said site administrators need to be familiar with files associated with their WordPress install and make sure they have an inventory of plugins. “It bears repeating, it’s super important to keep your WordPress plugins and themes up to date,” he said.