Full Report
SlashNext has discovered a malicious WordPress plugin, PhishWP, which turns a compromised site into a convincing fake payment page that captures visitors' credit card details, 3DS (3-D Secure) one-time codes, and personal data.
Analysis Summary
# Tool/Technique: PhishWP Plugin
## Overview
PhishWP is a malicious plugin, reportedly shared on a Russian hacker forum, designed to compromise WordPress websites and convert them into phishing pages.
## Technical Details
- Type: Malware/Malicious Plugin
- Platform: WordPress (PHP/Web Application)
- Capabilities: Hijacking site functionality, redirecting legitimate visitors to fake payment or checkout pages, and capturing the card numbers, 3DS codes and personal details entered there. No obfuscation or anti-analysis features are described in the source.
- First Seen: Not stated in the source; the plugin was being advertised on a Russian hacker forum at the time of the report.
## MITRE ATT&CK Mapping
* **TA0001 - Initial Access**
* T1190 - Exploit Public-Facing Application (if the plugin is installed through an unpatched WordPress core, theme or plugin vulnerability)
* T1078 - Valid Accounts (if it is installed through stolen or brute-forced administrator credentials; the source does not say which path operators use)
* T1566.002 - Phishing: Spearphishing Link (the lure that brings victims to the fake payment page hosted on the compromised site; this is an Initial Access technique, not Impact)
* **TA0003 - Persistence**
* T1505 - Server Software Component (attacker-supplied PHP persists as a CMS extension that WordPress loads on every request; the closest sub-technique is T1505.003 Web Shell. T1547.001 Registry Run Keys does not apply to a web application.)
* **TA0009 - Collection**
* T1056.003 - Input Capture: Web Portal Capture (card numbers, 3DS codes and personal details typed into the fake checkout form)
* **TA0011 - Command and Control**
* T1071.001 - Application Layer Protocol: Web Protocols (the phishing page and its form handler are served over HTTP(S); the source gives no details of operator-side communication)
* **TA0010 - Exfiltration**
* T1041 - Exfiltration Over C2 Channel (captured data has to reach the operator; inferred from the plugin's purpose, as the source names no transport or endpoint)
## Functionality
### Core Capabilities
- Installation and execution within a compromised WordPress installation.
- Modification of site behaviour so that visitors are served attacker-controlled content (fake checkout pages) instead of, or alongside, the legitimate site.
- Redirecting legitimate visitors to custom-built phishing landing pages.
### Advanced Features
- The primary advanced feature is its seamless integration into a legitimate site: the phishing page is served from a real, established domain, so it inherits that domain's reputation and TLS certificate and is harder for visitors and URL filters to distinguish from the genuine checkout. Specific obfuscation or C2 communication details are not provided.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context; the source names only the plugin ("PhishWP"), not its directory or file names]
- Registry Keys: [Not applicable for a web application compromise]
- Network Indicators: [Not provided in the context. Captured data must be sent somewhere the operator controls, but no domains, IPs or endpoints are given.]
- Behavioral Indicators: Unauthorized creation or modification of files under `wp-content/plugins`; unexpected redirects to external domains; payment, checkout or login forms that are not part of the site's normal flow, or that post to a host other than the site itself or its legitimate payment processor.
## Associated Threat Actors
- Threat actors operating on Russian hacker forums who acquire and distribute this tool.
## Detection Methods
- Signature-based detection: Detecting known file hashes or code signatures of the PhishWP plugin files (none are published in the source, so this depends on vendor signatures).
- Behavioral detection: Monitoring web server logs for direct requests to PHP files under `wp-content/plugins`, `wp-content/themes` and especially `wp-content/uploads` (normal WordPress traffic is routed through `index.php`, `wp-admin/*.php` and `admin-ajax.php`, and plugin code is included server-side rather than requested by visitors), and for unexpected 30x redirects from checkout or login paths to external domains.
- YARA rules if available: [No YARA rules provided]
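The log-based detection above, worked through as an added example (not code from SlashNext or the report): a small triage script over Apache/nginx combined-format access logs that flags direct hits on PHP files under plugin, theme and upload directories, with POSTs and anything under `wp-content/uploads` ranked highest. The sample log lines, the plugin directory name `wp-payment-helper` and the client IPs are constructed for the example and are not indicators from the source.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format. Only the fields needed for triage are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)

# Plugin/theme PHP files that this particular site legitimately serves directly
# (some plugins do expose endpoints). Build it from a known-good baseline;
# empty by default so everything is surfaced for review.
DEFAULT_ALLOWLIST = frozenset()


def triage_line(line, allowlist=DEFAULT_ALLOWLIST):
    """Return a finding dict for one access-log line, or None if it looks normal."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0].lower()
    if not path.endswith(".php") or path in allowlist:
        return None
    finding = {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
               "path": path, "status": int(m["status"])}
    if path.startswith("/wp-content/uploads/"):
        # WordPress never needs to execute PHP from uploads; a hit here means a
        # dropped file or webshell is being reached.
        finding.update(severity="high", reason="PHP executed from uploads directory")
    elif path.startswith(("/wp-content/plugins/", "/wp-content/themes/")):
        # Normal traffic goes through index.php, wp-admin/*.php and admin-ajax.php;
        # plugin code is included server-side. Direct hits, especially POSTs, point at
        # a file the plugin exposes to visitors, e.g. a fake checkout form and its handler.
        sev = "high" if m["method"] == "POST" else "medium"
        finding.update(severity=sev, reason="direct request to plugin/theme PHP file")
    else:
        return None
    return finding


def triage_access_log(lines, allowlist=DEFAULT_ALLOWLIST):
    """Run triage_line over an iterable of log lines and keep the findings."""
    return [f for f in (triage_line(l, allowlist) for l in lines) if f]


def hot_paths(findings):
    """Count hits per flagged path so the noisiest endpoint is reviewed first."""
    return Counter(f["path"] for f in findings).most_common()


# Constructed sample log: hypothetical plugin directory name, RFC 5737 example IPs.
SAMPLE_LOG = """
203.0.113.7 - - [10/Jan/2025:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:15:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2025:10:16:10 +0000] "GET /wp-content/plugins/wp-payment-helper/checkout.php?order=42 HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2025:10:16:31 +0000] "POST /wp-content/plugins/wp-payment-helper/submit.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Jan/2025:10:17:00 +0000] "GET /wp-content/uploads/2025/01/shell.php HTTP/1.1" 200 120 "-" "python-requests/2.31"
192.0.2.9 - - [10/Jan/2025:10:18:00 +0000] "GET /wp-content/plugins/akismet/_inc/akismet.js HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
""".strip().splitlines()

if __name__ == "__main__":
    findings = triage_access_log(SAMPLE_LOG)
    for f in findings:
        print(f"[{f['severity']}] {f['ip']} {f['method']} {f['path']} {f['status']} - {f['reason']}")
    print(hot_paths(findings))
```

Run it against a real log with `triage_access_log(open("/var/log/apache2/access.log"))` after populating the allowlist from a clean install; a 302 following a POST to a plugin file is worth pulling the response headers for, since the redirect target is not in the access log itself.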
## Mitigation Strategies
- Prevention measures: Keep WordPress core, themes, and all plugins updated to close the vulnerabilities through which an unauthorized plugin can be installed; protect administrator accounts (which can install plugins) with strong, unique passwords and MFA; and deploy a web application firewall (WAF) to block known-malicious plugin uploads.
- Hardening recommendations: Implement strict file integrity monitoring on the WordPress installation, particularly `wp-content/plugins` and `wp-content/mu-plugins` (must-use plugins load automatically without being activated in the dashboard). Regularly audit both directories against an approved plugin inventory. Where plugins are deployed through a build or deployment pipeline rather than the dashboard, set `DISALLOW_FILE_MODS` in `wp-config.php` so that a compromised administrator session cannot install plugins through the web interface.
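The file integrity monitoring and plugin audit recommended above, as an added example (not code from SlashNext or the report): snapshot SHA-256 digests of everything under the plugins directory while the site is known-good, then diff later snapshots against that baseline and against an approved plugin list. The plugin names `akismet` and `wp-payment-helper`, the file contents and the redirect URL are constructed for the example; `demo()` builds a throwaway tree so the block runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Plugins the site owner has approved; anything else under wp-content/plugins is suspect.
# (Constructed list for this example.)
APPROVED_PLUGINS = frozenset({"akismet"})


def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_baseline(snapshot, path):
    Path(path).write_text(json.dumps(snapshot, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current, approved=APPROVED_PLUGINS):
    """Diff two hash_tree snapshots; return findings with the most severe first."""
    findings = []
    for rel in sorted(set(current) - set(baseline)):
        plugin = rel.split("/", 1)[0]
        # A new directory that nobody approved is the PhishWP-style case.
        sev = "high" if plugin not in approved else "medium"
        findings.append({"severity": sev, "plugin": plugin, "file": rel, "issue": "added"})
    for rel in sorted(set(baseline) & set(current)):
        if baseline[rel] != current[rel]:
            # An approved plugin's file changing outside a sanctioned update is tampering.
            findings.append({"severity": "high", "plugin": rel.split("/", 1)[0],
                             "file": rel, "issue": "modified"})
    for rel in sorted(set(baseline) - set(current)):
        findings.append({"severity": "low", "plugin": rel.split("/", 1)[0],
                         "file": rel, "issue": "removed"})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["file"]))


def demo():
    """Build a throwaway plugins tree, snapshot it, tamper with it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp, "plugins")
        (plugins / "akismet").mkdir(parents=True)
        (plugins / "akismet" / "akismet.php").write_text("<?php // approved plugin, known-good\n")
        baseline_file = Path(tmp, "plugins-baseline.json")
        save_baseline(hash_tree(plugins), baseline_file)  # taken while the site is known-good

        # Simulated compromise (constructed): an unapproved plugin appears with a fake
        # checkout page, and an approved plugin's file is edited to redirect visitors off-site.
        rogue = plugins / "wp-payment-helper"
        rogue.mkdir()
        (rogue / "checkout.php").write_text("<?php // fake payment form harvesting card data\n")
        (plugins / "akismet" / "akismet.php").write_text(
            "<?php header('Location: https://pay.attacker.example/checkout'); exit;\n")

        return compare(load_baseline(baseline_file), hash_tree(plugins))


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']}] {f['issue']:<8} {f['file']}")
```

In production, run `save_baseline(hash_tree(".../wp-content/plugins"), ...)` immediately after every sanctioned plugin update, since legitimate updates also change hashes, and point the same functions at `wp-content/mu-plugins`, which WordPress loads without any activation step. The baseline file must live outside the web root and be writable only by the account that runs the audit, not by the web server user.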
## Related Tools/Techniques
- General WordPress backdoors or webshells used to compromise CMS environments for subsequent campaign deployment.