The Wordfence Threat Intelligence Team has raised an alert regarding a phishing campaign aimed at WordPress users. The campaign involves an email claiming to be from the WordPress team, warning users of a Remote Code Execution vulnerability on their site identified as CVE-2023-45124, which is not a valid CVE. The email prompts users to download a “Patch” plugin and install it.
Upon clicking the Download Plugin link, users are redirected to a convincing fake landing page at en-gb-wordpress[.]org. If the victim downloads and installs the plugin, it is installed under the slug wpress-security-wordpress. It adds a malicious administrator user with the username wpsecuritypatch and sends the site URL and the generated password for that user to a C2 domain, wpgate[.]zip. The plugin also contains code that keeps this user hidden and downloads a separate backdoor from wpgate[.]zip, saving it as wp-autoload.php in the webroot. This separate backdoor is protected by a hardcoded password and offers a file manager, a SQL client, a PHP console and a command-line terminal, as well as displaying server environment information.
This attack allows hackers to maintain persistence through multiple forms of access, granting them full control over the WordPress site and the web user account on the server. The article provides indicators of compromise to help users identify the threat.
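One way to check a site against the indicators listed above, as an added example that is not Wordfence's code: a Python script that inspects a webroot for the plugin slug, the dropped wp-autoload.php and PHP files that reference the C2 or fake-landing hostnames, and compares a separately exported administrator list against the rogue username. The sample tree it builds is constructed for the demo and contains no real malware.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the advisory summarised above (not Wordfence's own tooling).
PLUGIN_SLUG = "wpress-security-wordpress"
BACKDOOR_FILE = "wp-autoload.php"
ADMIN_USER = "wpsecuritypatch"
C2_PATTERN = re.compile(r"wpgate\.zip|en-gb-wordpress\.org", re.IGNORECASE)

def scan_webroot(webroot, admin_logins=()):
    """Return (indicator, detail) pairs found under a WordPress webroot."""
    # admin_logins: administrator usernames exported separately, e.g. with
    # `wp user list --role=administrator --field=user_login`.
    root = Path(webroot)
    plugins = root / "wp-content" / "plugins"
    findings = []
    if (plugins / PLUGIN_SLUG).is_dir():
        findings.append(("plugin_slug", str(plugins / PLUGIN_SLUG)))
    if (root / BACKDOOR_FILE).is_file():
        findings.append(("backdoor_file", str(root / BACKDOOR_FILE)))
    # Look for the C2 / fake-site hostnames in top-level and plugin PHP files.
    candidates = list(root.glob("*.php"))
    if plugins.is_dir():
        candidates += plugins.rglob("*.php")
    for php in candidates:
        if C2_PATTERN.search(php.read_text(errors="ignore")):
            findings.append(("c2_reference", str(php)))
    findings += [("admin_user", u) for u in admin_logins if u == ADMIN_USER]
    return findings

def build_sample_webroot(infected=True):
    """Constructed sample tree for a demo run; none of this is real malware."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    benign = root / "wp-content" / "plugins" / "akismet"
    benign.mkdir(parents=True)
    (benign / "akismet.php").write_text("<?php // benign sample plugin\n")
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    if infected:
        bad = root / "wp-content" / "plugins" / PLUGIN_SLUG
        bad.mkdir()
        (bad / "plugin.php").write_text("<?php // constructed: posts to wpgate.zip\n")
        (root / BACKDOOR_FILE).write_text("<?php // constructed stand-in file\n")
    return root

if __name__ == "__main__":
    for hit in scan_webroot(build_sample_webroot(), admin_logins=("admin", ADMIN_USER)):
        print(*hit)
```

On a live site, point scan_webroot at the real document root and pass the output of the WP-CLI user listing; any finding warrants a full review, since the plugin and the dropped backdoor provide independent footholds.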
Wordfence has indicated that their telemetry shows no current infections among Wordfence users, and they are currently testing malware signatures to detect both the malicious plugin and the separate backdoor, which will be released to their Premium, Care, Response, and paid CLI users. Free users will receive the signatures 30 days later.
A deep-dive analysis of the malicious plugin and separate wp-autoload.php backdoor will be released in a future post. The public is advised to be cautious of the phishing email, avoid clicking any links, and refrain from installing the plugin. The advisory also encourages users to forward the information to other WordPress site owners to prevent them from installing the malicious plugin.
Wordfence has also extended their Bug Bounty Program, offering increased bounties for critical vulnerabilities until December 20th, 2023, and encourages vulnerability researchers to sign up.