Cybersecurity researchers have uncovered a new stealthy backdoor concealed within the “mu-plugins” directory in WordPress sites to grant threat actors persistent access and allow them to perform arbitrary actions.
Must-use plugins (aka mu-plugins) are special plugins that are automatically activated on all WordPress sites in the installation. They are located in the “wp-content/mu-plugins” directory by default.
What makes them an attractive option for attackers is that mu-plugins do not show in the default list of plugins on the Plugins page of wp-admin and cannot be disabled except by removing the plugin file from the must-use directory.
As a result, a piece of malware that leverages this technique allows it to function quietly, without raising any red flags.
In the infection spotted by web security company Sucuri, the PHP script in the mu-plugins directory (“wp-index.php”) serves as a loader to fetch a next-stage payload and save it in the WordPress database within the wp_options table under _hdra_core.
The remote payload is retrieved from a URL that’s obfuscated using ROT13, a simple substitution cipher that replaces a letter with the 13th letter after it (i.e., A becomes N, B becomes O, C becomes P, and so forth).
“The fetched content is then temporarily written to disk and executed,” security researcher Puja Srivastava said. “This backdoor gives the attacker persistent access to the site and the ability to run any PHP code remotely.
Specifically, it injects a hidden file manager into the theme directory as “pricing-table-3.php,” permitting threat actors to browse, upload, or delete files. It also creates an administrator user named “officialwp” and then downloads a malicious plugin (“wp-bot-protect.php”) and activates it.
Besides reinstating the infection in the event of deletion, the malware incorporates the ability to change the passwords of common administrator usernames, such as “admin,” “root,” and “wpsupport,” to a default password set by the attacker. This also extends to its own “officialwp” user.
In doing so, the threat actors can enjoy persistent access to the sites and perform malicious actions, while effectively locking out other administrators. This can range from data theft to injecting code that can serve malware to site visitors or redirect them to other scammy sites.
“The attackers gain full administrator access and a persistent backdoor, allowing them to do anything on the site, from installing more malware to defacing it,” Srivastava said. “The remote command execution and content injection features mean the attackers can change the malware’s behavior.”
To mitigate against these threats, it’s essential that site owners update WordPress, themes, and plugins periodically, secure accounts using two-factor authentication, and regularly audit all sections of the site, including theme and plugin files.
