We recently observed a surge in WordPress websites being infected by a sophisticated PHP reinfector and backdoor malware. While we initially believed that the infection was linked to the wpcode plugin, we found that several sites without this plugin were compromised as well. Upon deeper investigation, we discovered that this malware not only reinfects website files but also embeds malicious code into other plugins and database tables wp_posts and wp_options. One backdoor we uncovered revealed how attackers maintain unauthorized access to these sites, further spreading the infection.
This article dives into the infection mechanics and how the malware operates.
Correction: In a previous version of this post we mistakenly implied that the Imagify plugin was related to this infection. There are no known vulnerabilities associated with that plugin at this time.
Scope and type of the malware
This malware was found to be infecting WordPress sites. The code reinfects the plugin files and database tables. It uses a backdoor to execute arbitrary PHP code on the server by writing it directly to a file, and adds malicious WordPress admin users and uses WPCode PHP snippets in addition to infected plugins.
Understanding malicious PHP code
While working on the infected site, I noticed that the site was experiencing persistent reinfections. Upon further investigation, I discovered that the reinfection was occurring in the wp_options and wp_posts database tables.
This discovery prompted me to dive deeper, as it indicated that the malware was not just residing in the plugin files, but also manipulating key database tables crucial to the site’s functionality.
Infection mechanism: beyond WPCode
Initially, we thought that this malware was targeting WordPress sites using the popular WPCode plugin (formerly Insert Headers and Footers), which allows administrators to add custom code snippets to their site’s header and footer. However, during my research, I found an intriguing twist: some infected websites didn’t even have the WPCode plugin installed.
The deeper investigation
My colleague, Kaushal Bhavsar, provided invaluable assistance in dissecting the code and analyzing this malware.
The malware makes sure to only execute once per page load, which makes sense given that the same code is injected into all active plugins.
Stealing WordPress admin credentials
If a user submits a WordPress admin login form, the script captures these values and concatenates them. The combined string is then base64-encoded and written to a file. This function allows attackers to log user credentials, potentially leading to account compromises.
Scheduled updates and VexTrio redirects
The attackers manipulate WordPress’s built-in cron system to ensure their malicious code runs regularly to maintain control over infected sites.
Every 24 hours, the cron job scheduling feature retrieves a list of third-party scripts URLs that will be randomly injected into web pages of the compromised site. These scripts redirect to VexTrio scam sites.
This function begins by fetching an array of third-party URLs (nodes) and iterates over each node in an attempt to access a remote data.txt file.
The code fetches specific option values stored in the WordPress database table wp_options where option_name contains a long hexadecimal value, for example, option_name = 55e7183bded6e0fa810c47b04e65ea6e, that contains Base64 encoded data, to provide a list of third-party URLs (nodes).
These third-pary URLs are used to inject malicious scripts that redirect to the current VexTrio domain:
Malicious WordPress admin user
The infected sites have a malicious admin user with random hexadecimal names and random hexadecimal emails, like
username: 55e7183bded6e0fa810c47b04e65ea6e
email: 55e7183bded6e0fa810c47b04e65ea6e@113c971f77f8[.]com
The code prevents the malicious user from being included in the admin panel, thereby avoiding detection.
Reinfection of plugins and database
The malware injects itself into active plugins and WPCode snippets. It does this by extracting previously planted malicious code from one of the active plugins or a WPCode snippet, then spreading it across all active plugins and the WPCode snippet with a slightly altered, obfuscated version of the code. Because the malware changes its appearance each time, detection becomes increasingly difficult and cleanup becomes challenging. If the site isn’t fully cleaned, even small remnants of the malware can cause it to quickly reinfect everything, leading to a recurring cycle of infection that makes permanent removal hard to achieve.
The attacker replaces the WPCode snippet by first removing the existing snippets using the DELETE query and then places a freshly obfuscated code into the database table using INSERT queries. The code also hides the WPCode plugin and its menu bars from the admin panel.
Finally, it serializes an array of details about the newly created snippet, including metadata about where the code will be inserted and its execution rules, before saving this information into the wp_options table. This insertion ensures that the malicious code is automatically loaded and executed, further compromising and reinfecting the WordPress site.
It also deactivates popular security plugins by removing detection logs, making the detection even more difficult.
The malicious backdoor
While analyzing compromised sites, we found backdoors cleverly and randomly placed into files like ./wp-content/plugins/imagify/inc/3rd-party/enable-media-replace/classes/charge.php.
The code allows creation of PHP files on compromised sites by passing the file contents as a request parameter to the backdoor.
Conclusion
The rise of this versatile PHP malware underscores the importance of regular site monitoring, plugin updates, and professional security audits and cleanup. From function obfuscation to remote code execution, these methods illustrate the lengths to which attackers will go to maintain persistence and control over a compromised system.
This particular malware is pretty hard to remove because it affects multiple files and database records and if you don’t remove them all at once, the malware will quickly spread again. This approach often overlooks the root cause of the infection, which can lead to reinfection or the presence of additional malicious code. To effectively secure a WordPress site, it’s essential to identify and address the underlying vulnerabilities that allowed the malware to infiltrate in the first place.
Prevention tips
As a website owner, it’s important to take a proactive approach to security to mitigate risk from threats:
- Employ a “use it or lose it” policy on your website. That means regularly reviewing all plugins and removing any components that you don’t recognize or that aren’t in use.
- Generate strong and unique passwords for all your accounts, including admins, FTP, database, and hosting.
- Regularly monitor your website and check for suspicious activity or unexpected website admin users.
- Consider using 2FA and restricting access to your WordPress admin and sensitive pages to allow access to only trusted IP addresses.
- Always keep your website software patched and up to date, including your core CMS, plugins, themes, and any other extensible components.
- Use a web application firewall to help prevent vulnerability exploits, malicious code, and hack attempts.
If you think your website has been infected with malware but are unsure what to do next, we can help! Reach out to us on chat. Our experienced security analysts are available 24/7 to assist you in cleaning up website malware and restoring your website.
John Castro
Yuliyan Tsvetkov
Denis Sinegubko
Allison Bondi
Luke Leal
Rianna MacLeod
Fernando Barbosa
