A new malware campaign targeting WordPress sites uses a malicious plugin disguised as a security tool to trick users into installing and trusting it.
According to Wordfence researchers, the malware gives attackers persistent access, remote code execution, and JavaScript injection, while staying hidden from the plugin dashboard to evade detection.
Wordfence first discovered the malware during a site cleanup in late January 2025, where it found a modified ‘wp-cron.php’ file that creates and programmatically activates a malicious plugin named ‘WP-antymalwary-bot.php.’
Other plugin names used in the campaign include:
addons.php
wpconsole.php
wp-performance-booster.php
scr.php
If the plugin is deleted, wp-cron.php re-creates and reactivates it automatically on the next site visit.
Lacking server logs that would help identify the exact infection chain, Wordfence hypothesizes that the infection occurs via a compromised hosting account or FTP credentials.
Not much is known about the perpetrators, though the researchers noted that the command and control (C2) server is located in Cyprus, and that there are traits similar to a June 2024 supply chain attack.
Once active on the server, the plugin performs a self-status check and then gives the attacker administrator access.
“The plugin provides immediate administrator access to threat actors via the emergency_login_all_admins function,” explains Wordfence in its writeup.
“This function uses the emergency_login GET parameter in order to allow attackers to obtain administrator access to the dashboard.”
“If the correct cleartext password is provided, the function fetches all administrator user data from the database, picks the first one, and logs the attacker in as that user.”
Next, the plugin registers an unauthenticated custom REST API route that allows the insertion of arbitrary PHP code into all active theme header.php files, clearing of plugin caches, and other commands processed via a POST parameter.
An updated version of the malware can also inject base64-decoded JavaScript into the site’s <head> section, likely to serve visitors ads or spam, or to redirect them to unsafe sites.
Apart from file-based indicators like the listed plugins, website owners should scrutinize their ‘wp-cron.php’ and ‘header.php’ files for unexpected additions or modifications.
Access logs containing ‘emergency_login,’ ‘check_plugin,’ ‘urlchange,’ and ‘key’ should also serve as red flags, warranting further investigation.
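The two checks above (known plugin file names on disk, and the four query parameter names in access logs) can be turned into a small triage script. The following is an added example written for this page; it is not Wordfence's tool or code from the campaign. The log lines and file paths are constructed samples, the combined-log regex assumes the standard Apache/Nginx combined format, and the parameter values are placeholders.

```python
import os
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Query parameter names that Wordfence lists as red flags in access logs.
# 'key' is a generic name and will produce false positives on many sites,
# so hits are flagged for review rather than treated as proof of compromise.
LOG_INDICATORS = ("emergency_login", "check_plugin", "urlchange", "key")

# Plugin file names named in the writeup. The malware hides itself from the
# wp-admin plugin list, so this check must run against the filesystem directly.
PLUGIN_FILE_INDICATORS = (
    "wp-antymalwary-bot.php",
    "addons.php",
    "wpconsole.php",
    "wp-performance-booster.php",
    "scr.php",
)

# Apache/Nginx combined log format (assumption: logs use this layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_access_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_log_indicators(lines):
    """Return one record per request whose query string carries any indicator parameter."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue  # malformed or truncated line: skip rather than crash
        url = urlsplit(rec["target"])
        params = parse_qs(url.query, keep_blank_values=True)  # keep '?check_plugin' with no value
        matched = sorted(p for p in LOG_INDICATORS if p in params)
        if matched:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "method": rec["method"],
                "path": url.path,
                "params": matched,
                "status": rec["status"],
            })
    return hits


def hits_by_ip(hits):
    """Count indicator requests per source IP to see which client is driving the activity."""
    return Counter(h["ip"] for h in hits)


def find_suspicious_plugin_files(paths):
    """Return every path whose file name matches one of the known malicious plugin names."""
    return sorted(
        p for p in paths if os.path.basename(p).lower() in PLUGIN_FILE_INDICATORS
    )


# Constructed sample access log (placeholder values, documentation-range IPs).
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Jan/2025:10:14:22 +0000] "GET /?emergency_login=PLACEHOLDER HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Jan/2025:10:15:01 +0000] "GET /?check_plugin HTTP/1.1" 200 13 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Jan/2025:10:20:45 +0000] "GET /wp-login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Jan/2025:10:21:10 +0000] "POST /?urlchange=1&key=PLACEHOLDER HTTP/1.1" 200 2 "-" "curl/8.0"',
    'this line is deliberately malformed',
]

# Constructed directory listing of a hypothetical WordPress install.
SAMPLE_PATHS = [
    "/var/www/html/wp-content/plugins/akismet/akismet.php",
    "/var/www/html/wp-content/plugins/WP-antymalwary-bot.php",
    "/var/www/html/wp-content/plugins/scr.php",
    "/var/www/html/wp-cron.php",
]

if __name__ == "__main__":
    for h in find_log_indicators(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} params={h['params']} status={h['status']}")
    print("per-IP:", dict(hits_by_ip(find_log_indicators(SAMPLE_LOG))))
    print("suspicious plugin files:", find_suspicious_plugin_files(SAMPLE_PATHS))
```

The script only covers the two name-based indicators the writeup gives. Because the infection is re-established by a modified wp-cron.php on the next visit, the filesystem check should be followed by comparing wp-cron.php against the clean copy from the same WordPress release (and each active theme's header.php against its release copy), and by rotating hosting and FTP credentials, since those are the suspected initial access path.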