A fake WordPress plugin dubbed X-WP-SPAM-SHIELD-PRO containing a backdoor was spread by crooks abusing the popularity of WP-SpamShield Anti-Spam, a WordPress antispam tool.
The WP-SpamShield Anti-Spam plugin has over 100,000 installs for this reason attackers decided to abuse it.
Researchers with Sucuri that discovered that the X-WP-SPAM-SHIELD-PRO disable other plugins, even the ones used to protect the install, steal data, and add a hidden admin account.
The X-WP-SPAM-SHIELD-PRO features legitimate structure and file names, but that all of its contents are fake.
“In the case of the X-WP-SPAM-SHIELD-PRO plugin, we identified a legitimate structure and file names. We also found legitimate, “security-related” file names in the ./includes folder.” states the blog post published by Sucuri.
“After checking each of the files, the contents turned out to be simple hacktools serving the purpose of the attacker.”
The experts used as an example the class-social-facebook.php, while the name suggests it was used by the author to implements defense countermeasures against threats via Facebook, it was designed to list all of the active plugins and disable them.
The code includes other files, class-term-metabox-formatter.php and class-admin-user-profile.php, the first one contains the code to grab the WordPress version, and the second one provides a list of all admin users in the WordPress install.
The fake plugin also includes a file called plugin-header.php, used by crooks designed to add an additional administrator account – mw01main – to the WordPress installation.
“The plugin-header.php file contains code to add an additional administrator account – mw01main – to your site. It also contains code to delete itself.” states Sucuri.
“This is the first time during this research investigation that we’ve noticed a reference to some external site – mainwall.org. There’s a clearly visible username, password and the email used for the new administrator account which an attacker could use login to your site. Nasty.”
Further analysis of the fake plugin revealed the presence of a code that notifies attackers each time an administrator activated it on the website.
The fake plugin implements a custom sendPost() function that is used to collect information from the WordPress install and send it to the attackers.
“This function collects information about the user, password, current site this plugin is active on, server IP address, and few other pieces of sensitive data. This information is then sent back to their server using the POST method, making it difficult to detect within your site logs.” continues the analysis.
The author of the fake plugin also implemented an update feature that allows the attackers to upload any file to the site. The attackers could upload a ZIP archive, unpack it to the system, and then delete the archive.
The malicious X-WP-SPAM-SHIELD-PRO plugin was not available in the WordPress repository, WordPress administrators have to install plugins only from official and trusted repositories.
(Security Affairs – fake plugin, hacking)