Fake UpdraftPlus Plugins

October 17, 2019, by Denis Sinegubko

We often find various fake WordPress plugins installed by hackers during website cleanups. Recently, we’ve noticed a new wave of infections that install fake plugins with backdoor functionality.

Malicious Plugins Sourced from UpdraftPlus

Attackers have been using different names for these fake plugins, including initiatorseo or updrat123—but any title can be used.

While their code differs in terms of variable names, the malicious plugins do share a few things in common: they possess a similar structure along with header comments from the popular backup/restore plugin UpdraftPlus.

At the time of writing, the UpdraftPlus plugin has more than 2 million active installations and is regularly updated by contributors. The metadata comments within these fake plugins include copies from version 1.16.16 of UpdraftPlus, which was released on July 23rd, 2019.

[Figure: Fake plugin carrying UpdraftPlus header metadata]

Malicious Plugin Behavior

By default, the plugin hides itself in the WordPress dashboard from anyone who doesn’t use browsers with specific User-Agent strings. These strings vary from plugin to plugin.

That being said, the plugin can also report its presence if attackers add a specific GET parameter to requests, such as initiationactivity or testingkey.

The primary purpose of these plugins is to serve as a backdoor, which allows attackers to upload arbitrary files to compromised websites.

[Figure: Backdoor file uploader in the fake plugin]

Malicious requests come in the form of POST parameters, which specify a remote URL to download the file from, along with the path and name of the file to be created on the compromised server.

So far, the names of these POST parameters have been unique for each plugin that we’ve analyzed.

In our experience, hackers have been using this backdoor to upload web shells to seemingly random locations, including (but not limited to):

wp-content/plugins/update.php
wp-content/mu-plugins/user.php
wp-content/user.php
wp-content/plugins/post-types-order/js/options.php
wp-content/plugins/post-types-order/images/config.php
…

The fake plugins are also being used to upload files with random names, such as 5d9196744f88d5d9196744f893.php, to site root directories. These randomly named files contain a script that hackers use for brute force attacks on other sites.

[Figure: Brute force script with the double MD5 comment at the top]

The tell-tale double MD5 comment found at the top of this brute force script is created by the following code in the fake plugin:

return '<?php  /*'.md5(time()).md5(time()).'*/ ?>'.$data;

Hackers use this script to test lists of username/password pairs on any WordPress site of their choice. Nice reminder to always use strong passwords!
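As an added illustration (not code from the post or from Sucuri), the following Python scanner applies the two indicators described above to constructed file contents: a plugin header claiming to be UpdraftPlus that lives in a directory other than updraftplus/, and the double-MD5 comment that the uploader prepends to written files. All paths and header text below are constructed samples.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample files (path -> content); these are not the real malware
# samples from the post, only inputs that exercise the two checks.
SAMPLE_FILES: Dict[str, str] = {
    # Legitimate plugin: UpdraftPlus header in the updraftplus/ directory.
    "wp-content/plugins/updraftplus/updraftplus.php":
        "<?php\n/*\nPlugin Name: UpdraftPlus - Backup/Restore\nVersion: 1.16.16\n*/\n",
    # Fake plugin: copied UpdraftPlus header under an unrelated slug.
    "wp-content/plugins/initiatorseo/initiatorseo.php":
        "<?php\n/*\nPlugin Name: UpdraftPlus - Backup/Restore\nVersion: 1.16.16\n*/\n",
    # File written by the uploader: two concatenated MD5 hashes in a comment.
    "5d9196744f88d5d9196744f893.php":
        "<?php  /*" + "0123456789abcdef" * 4 + "*/ ?><?php echo 'x';",
    # Unrelated file that should produce no finding.
    "wp-content/themes/sample/style.css": "/* Theme Name: Sample */\n",
}

# "Plugin Name:" line inside the WordPress plugin header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)
# '<?php  /*' . md5(time()) . md5(time()) . '*/ ?>' yields exactly 64 hex chars.
DOUBLE_MD5_RE = re.compile(r"\A<\?php\s+/\*[0-9a-f]{64}\*/\s*\?>")


def plugin_slug(path: str) -> Optional[str]:
    """Return the plugin directory name for files under wp-content/plugins/."""
    parts = path.split("/")
    if len(parts) >= 3 and parts[:2] == ["wp-content", "plugins"]:
        return parts[2]
    return None


def scan(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, indicator) pairs for files matching either indicator."""
    findings: List[Tuple[str, str]] = []
    for path, content in files.items():
        header = HEADER_RE.search(content)
        slug = plugin_slug(path)
        # Header borrowed from UpdraftPlus but installed under a different slug.
        if header and slug and "updraftplus" in header.group(1).lower() \
                and slug != "updraftplus":
            findings.append((path, "updraftplus-header-mismatch"))
        # File starts with the uploader's double-MD5 comment.
        if DOUBLE_MD5_RE.match(content):
            findings.append((path, "double-md5-comment"))
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_FILES):
        print("%s: %s" % hit)
```

A real deployment would walk the WordPress document root instead of the embedded dictionary; the two regular expressions and the slug check are the parts worth reusing.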

Conclusion

While none of the approaches used by this attack are new, it clearly demonstrates how cleaning only the visible parts of an infection is not enough.

Hackers want to maintain access to websites as long as they can. To accomplish this, they upload various backdoors into random files scattered across the whole site. Sometimes backdoors come in the form of WordPress plugins that might not even be visible from the admin interface.

Additionally, compromised websites may be used for malicious activity that is completely invisible from outside, including DDoS and brute-force attacks, mailing tons of spam, or cryptomining. Only integrity control of the filesystem and server-side security scans can help detect this kind of malware.

About Denis Sinegubko

Denis Sinegubko is Sucuri’s Senior Malware Researcher who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him online at all. Connect with him on Twitter.
