Full Report
Cybersecurity researchers have shed light on a new campaign targeting WordPress sites that disguises the malware as a security plugin. The plugin, which goes by the name "WP-antymalwary-bot.php," comes with a variety of features to maintain access, hide itself from the admin dashboard, and execute remote code. "Pinging functionality that can report back to a command-and-control (C&C) server
Analysis Summary
# Tool/Technique: WP-antymalwary-bot.php (WordPress Malware)
## Overview
Malware disguised as a legitimate security plugin that targets WordPress sites. Its purpose is to maintain persistence, establish command and control, hide itself from site administrators, and execute remote code for further compromise; in the observed campaign this included injecting malicious JavaScript to serve ads or spam on the victim site.
## Technical Details
- Type: Malware family
- Platform: WordPress (PHP/Web Server)
- Capabilities: Remote code execution, persistence via wp-cron.php, C2 communication, hiding from admin dashboard, spreading to other directories, injecting malicious JavaScript (for ads).
- First Seen: Late January 2025
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application (inferred; the report does not say how the plugin is first placed on a site, only that it must be installed and activated)
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter (attacker-supplied PHP executed by the web server; no PowerShell or Visual Basic component is described)
- **TA0003 - Persistence**
- T1505.003 - Server Software Component: Web Shell (PHP backdoor that accepts and executes remote code)
- T1053.003 - Scheduled Task/Job: Cron (closest fit for the tampered `wp-cron.php`, which WordPress invokes on page visits rather than from the system scheduler)
- T1098 - Account Manipulation (granting administrator access to the threat actors)
- **TA0005 - Defense Evasion**
- T1036.005 - Masquerading: Match Legitimate Name or Location (poses as a security plugin)
- T1564 - Hide Artifacts (removes itself from the admin dashboard plugin list)
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (HTTP/HTTPS pinging of the C&C server)
*(Note: this mapping is inferred from the described functionality, namely masquerading, C2 pinging, wp-cron persistence and RCE; the report itself does not assign techniques.)*
## Functionality
### Core Capabilities
- Granting administrator access to threat actors.
- Utilizing the WordPress REST API to inject malicious PHP code into site theme files (e.g., header file).
- Clearing caches of popular caching plugins.
- Spreading the malware to other directories on the compromised filesystem.
### Advanced Features
- **Persistence Mechanism:** Complemented by a malicious `wp-cron.php` file. If the plugin is deleted from the plugins directory, the tampered file recreates and reactivates it on the next site visit, since WordPress runs `wp-cron.php` on page loads rather than from the system cron.
- **Malicious JavaScript Injection:** Fetching and serving external JavaScript code from another compromised domain to inject ads or spam onto the target site.
## Indicators of Compromise
- File Hashes: not provided in the source.
- File Names: `WP-antymalwary-bot.php`, `addons.php`, `wpconsole.php`, `wp-performance-booster.php`, `scr.php`
- Registry Keys: not applicable (PHP malware running on the web server).
- Network Indicators: the report describes "pinging" a C&C server and fetching JavaScript from a second compromised domain, but names neither host.
- Behavioral Indicators: Code injection into theme files, modification/clearing of caching plugin data, abnormal traffic to `wp-cron.php` for malware reactivation, suspicious network calls originating from the web application directed to external domains for script fetching.
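The filesystem indicators above can be turned into a sweep of a WordPress install. The following is an added example, not code from the report or from the malware: the file names come from the IOC list, while every content heuristic (a `wp-cron.php` that writes files or calls `activate_plugin`, theme files that load scripts from foreign hosts or run decoded PHP, a plugin that filters `all_plugins` to hide itself) is an assumption about what the described behaviour looks like on disk. The sample tree it scans is constructed inline; the hosts and paths in it are made up.

```python
"""Filesystem sweep for artefacts matching the behaviour described above.

Added example, not code from the report or the malware. The file names come
from the IOC list; every regex below is a heuristic assumption about what the
described behaviour looks like on disk, not a signature taken from a sample.
"""
import os
import re
import tempfile

# File names reported for this campaign (from the IOC list above).
IOC_FILENAMES = {
    "WP-antymalwary-bot.php", "addons.php", "wpconsole.php",
    "wp-performance-booster.php", "scr.php",
}

# Assumption: a stock wp-cron.php never writes files or (re)activates plugins,
# so these calls inside it mean the file was replaced to recreate the malware.
WPCRON_SUSPICIOUS = re.compile(
    r"file_put_contents\s*\(|fwrite\s*\(|activate_plugin\s*\(|eval\s*\(|base64_decode\s*\(")

# Assumption: theme files should not load scripts from foreign hosts or run
# dynamically decoded PHP; injected ad loaders and dropped PHP look like this.
THEME_REMOTE_SCRIPT = re.compile(r"<script[^>]+src=[\"'](?:https?:)?//([^/\"'\s]+)", re.I)
THEME_DYNAMIC_PHP = re.compile(
    r"eval\s*\(|base64_decode\s*\(|curl_exec\s*\(|file_get_contents\s*\(\s*[\"']https?://")

# Assumption: filtering `all_plugins` is the usual way a plugin removes itself
# from the admin plugin list, matching the "hides from the dashboard" behaviour.
HIDE_FROM_LIST = re.compile(r"add_filter\s*\(\s*[\"']all_plugins[\"']")


def scan_wordpress_root(root, site_hosts=()):
    """Walk a WordPress install and return (category, relative_path, detail) tuples."""
    findings = []
    site_hosts = {h.lower() for h in site_hosts}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in IOC_FILENAMES:
                findings.append(("ioc_filename", rel, name))
            if not name.endswith(".php"):
                continue
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if rel == "wp-cron.php" and (m := WPCRON_SUSPICIOUS.search(text)):
                findings.append(("wp_cron_tampered", rel, m.group(0)))
            if "/themes/" in rel:
                for m in THEME_REMOTE_SCRIPT.finditer(text):
                    host = m.group(1).lower()
                    if host not in site_hosts:
                        findings.append(("theme_remote_script", rel, host))
                if m := THEME_DYNAMIC_PHP.search(text):
                    findings.append(("theme_dynamic_php", rel, m.group(0)))
            if "/plugins/" in rel and HIDE_FROM_LIST.search(text):
                findings.append(("plugin_hides_from_list", rel, "all_plugins filter"))
    return findings


def build_sample_site(root):
    """Constructed fixture: a minimal infected tree. Hosts and paths are made up."""
    files = {
        "wp-load.php": "<?php require __DIR__ . '/wp-config.php';\n",
        # Tampered pseudo-cron that drops and re-enables the plugin on each run.
        "wp-cron.php": (
            "<?php $dst = __DIR__ . '/wp-content/plugins/WP-antymalwary-bot.php';\n"
            "if (!file_exists($dst)) { file_put_contents($dst, $payload); }\n"
            "activate_plugin('WP-antymalwary-bot.php');\n"
        ),
        "wp-content/plugins/akismet/akismet.php": "<?php // benign plugin\n",
        "wp-content/plugins/WP-antymalwary-bot.php": (
            "<?php /* Plugin Name: WP Anti-Malware Bot */\n"
            "add_filter('all_plugins', function ($p) { unset($p['WP-antymalwary-bot.php']); return $p; });\n"
        ),
        "wp-content/themes/twentytwentyfour/header.php": (
            "<head><script src=\"https://cdn.example.invalid/ads.js\"></script>\n"
            "<script src=\"https://shop.example.invalid/js/app.js\"></script></head>\n"
            "<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n"
        ),
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_wordpress_root(tmp, site_hosts={"shop.example.invalid"})


if __name__ == "__main__":
    for category, rel, detail in demo():
        print(f"{category:24} {rel:55} {detail}")
```

Against a real install, call `scan_wordpress_root("/var/www/html", site_hosts={"www.yoursite.tld", "cdn.yoursite.tld"})` and review every finding by hand: the theme-file rules in particular will fire on legitimate third-party embeds, so the `site_hosts` allowlist is meant to be tuned per site. A tampered `wp-cron.php` should be compared against the pristine copy from the matching WordPress release before it is replaced.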
## Associated Threat Actors
- Russian-speaking threat actors (indicated by Russian language comments/messages found within the code).
## Detection Methods
- Signature-based detection: Known file names and string patterns related to the malware code.
- Behavioral detection: Monitoring for unauthorized modifications to plugin directories, theme files (especially header files), unexpected REST API calls facilitating code injection, and use of `wp-cron.php` for unusual file recreation.
- YARA rules: Rules targeting known strings or structural components of `WP-antymalwary-bot.php`.
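The behavioural detections listed above (unexpected REST API writes, unusual traffic to `wp-cron.php`, requests for the dropped files) can be run over ordinary web-server access logs. The following is an added example, not code from the report: the log lines are constructed (RFC 5737 addresses, a made-up REST route `wp-antymalwary/v1` standing in for whatever route the real plugin registers), and the REST namespace allowlist, the trusted cron sources and the hit threshold are assumptions a site owner would tune rather than values from the report.

```python
"""Behavioural triage of web-server access logs for the activity described above.

Added example, not code from the report. Log lines are constructed, and the
allowlist and thresholds are assumptions to be tuned per site.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined log format as written by Apache/nginx; the referer/UA pair is optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# File names reported for this campaign (from the IOC list above).
IOC_FILENAMES = {
    "WP-antymalwary-bot.php", "addons.php", "wpconsole.php",
    "wp-performance-booster.php", "scr.php",
}

# Assumption: REST namespaces this site legitimately accepts write methods on.
# Anything else receiving a write is worth a look, since the malware is reported
# to inject code into theme files through the REST API.
ALLOWED_REST_NAMESPACES = {"wp/v2", "wp-site-health/v1"}

# Assumption: WordPress triggers wp-cron.php itself (loopback or system cron);
# repeated hits from one external address suggest a reactivation loop.
TRUSTED_CRON_SOURCES = {"127.0.0.1", "::1"}
CRON_HITS_THRESHOLD = 3


def parse_line(line):
    """Return the matched fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rest_namespace(path):
    """'/wp-json/wp/v2/posts' -> 'wp/v2'; '' if the path is not a REST route."""
    prefix = "/wp-json/"
    if not path.startswith(prefix):
        return ""
    return "/".join(path[len(prefix):].split("/")[:2])


def analyse_access_log(lines):
    """Return (rule, source_ip, detail) alerts for a sequence of log lines."""
    alerts = []
    cron_hits = Counter()
    for rec in filter(None, map(parse_line, lines)):
        path = urlsplit(rec["target"]).path
        base = path.rsplit("/", 1)[-1]
        if base in IOC_FILENAMES:
            alerts.append(("ioc_file_requested", rec["ip"], path))
        ns = rest_namespace(path)
        if ns and rec["method"] in ("POST", "PUT", "PATCH", "DELETE") \
                and ns not in ALLOWED_REST_NAMESPACES:
            alerts.append(("rest_write_unknown_namespace", rec["ip"], ns))
        if base == "wp-cron.php" and rec["ip"] not in TRUSTED_CRON_SOURCES:
            cron_hits[rec["ip"]] += 1
    for ip, n in cron_hits.items():
        if n >= CRON_HITS_THRESHOLD:
            alerts.append(("wp_cron_external_burst", ip, f"{n} requests"))
    return alerts


# Constructed sample: one attacker (203.0.113.7), one editor, the site's own cron,
# a normal visitor and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Apr/2025:10:00:01 +0000] "GET /wp-content/plugins/WP-antymalwary-bot.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Apr/2025:10:00:05 +0000] "POST /wp-json/wp-antymalwary/v1/theme HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [30/Apr/2025:10:01:00 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 300 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [30/Apr/2025:10:01:10 +0000] "POST /wp-cron.php?doing_wp_cron=1746007270.4521 HTTP/1.1" 200 0 "-" "WordPress/6.5; https://shop.example.invalid"',
    '203.0.113.7 - - [30/Apr/2025:10:02:00 +0000] "GET /wp-cron.php HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '203.0.113.7 - - [30/Apr/2025:10:02:01 +0000] "GET /wp-cron.php HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '203.0.113.7 - - [30/Apr/2025:10:02:02 +0000] "GET /wp-cron.php HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '192.0.2.9 - - [30/Apr/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for rule, ip, detail in analyse_access_log(SAMPLE_LOG):
        print(f"{rule:30} {ip:15} {detail}")
```

Feed a real log with `analyse_access_log(open("/var/log/nginx/access.log"))`. The REST rule only looks at write methods and at the namespace, so it stays quiet for ordinary editor activity on `wp/v2` while surfacing custom routes; add the namespaces of the site's own plugins to the allowlist before relying on it. The `wp-cron.php` rule needs `TRUSTED_CRON_SOURCES` adjusted if the site disables `WP-Cron` in favour of a system cron job that calls the URL from another host.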
## Mitigation Strategies
- **Prevention measures:** Regularly apply core WordPress, theme, and plugin updates. Restrict file permissions to prevent web-accessible scripts from writing to critical system or plugin directories.
- **Hardening recommendations:** Implement a Web Application Firewall (WAF) to block malicious requests to REST API endpoints. Regularly scan uploaded files and PHP archives for backdoors. Audit WordPress admin users and enforce MFA.
## Related Tools/Techniques
- Web Skimming campaigns (Sucuri reports on fake font domains being used for skimming).
- Magento targeting malware utilizing reverse proxies disguised as GIF files.
- Ad-jacking operations injecting Google AdSense code for revenue theft.
- Node.js-based backdoors deployed via deceptive CAPTCHAs, often associated with the Kongtuke TDS.