Analysis Summary

A malicious campaign targeting over 5,000 WordPress websites has been uncovered, involving the creation of fraudulent administrator accounts, installation of malicious plugins, and theft of sensitive data. The activity was identified by c/side, a web script security firm, during an incident response for a client.

The attackers use the domain wp3[.]xyz for data transmission. Although the initial infection vector remains unknown, once a site is compromised, a malicious script from the domain creates an administrator account named wpx_admin and embeds its credentials in the website’s code. The script then downloads and activates a plugin named plugin.php from the same domain. This plugin is designed to harvest sensitive information, including administrator credentials and logs, which are transmitted to the attackers’ server disguised as image requests.

The attack includes validation mechanisms to confirm the creation of the rogue administrator account and the successful installation of the malicious plugin. These methods make the campaign more sophisticated and harder to detect.

To mitigate these attacks, c/side experts recommend the following measures:

• Block the domain wp3[.]xyz using firewalls and security tools.
• Audit all privileged accounts and installed plugins, removing any suspicious ones.
• Strengthen defenses against Cross-Site Request Forgery (CSRF) by implementing unique tokens with server-side validation and regular token regeneration.
• Enable multi-factor authentication (MFA) to protect accounts that may have compromised credentials.

This campaign highlights the critical importance of regular security audits and proactive measures to secure WordPress websites. Failure to implement robust defenses can lead to sensitive data breaches and loss of control over website resources. Website administrators are urged to take immediate action to identify and address potential vulnerabilities, ensuring their systems are safeguarded against similar threats.

Impact

• Unauthorized Gain Access
• Sensitive Information Theft

Indicators of Compromise

Domain Name

• wp3.xyz

Remediation

• Block access to wp3.xyz and other malicious domains using firewalls or security tools.
• Regularly review and remove unauthorized or suspicious privileged accounts.
• Inspect installed plugins and delete any unrecognized or malicious ones like plugin.php.
• Enforce multi-factor authentication (MFA) for all administrator accounts to enhance security.
• Strengthen CSRF protections by implementing unique tokens, server-side validation, and periodic token regeneration with limited token lifespans.
• Deploy tools to monitor unusual activity, such as unauthorized admin account creation or suspicious plugin installations.
• Regularly update WordPress core, plugins, and themes to patch vulnerabilities.
• Ensure all accounts use strong, unique passwords to minimize brute force risks.
• Conduct frequent security audits to identify and address vulnerabilities proactively.
• Train users to recognize and report potential threats to ensure timely responses.