Malicious plugins that hide in plain sight and act as backdoors are used by attackers to gain and maintain a foothold on WordPress websites, and to upload web shells and scripts for brute-forcing other sites.
For instance, some of these fake plugins with backdoor functionality — named initiatorseo or updrat123 by their creators — were seen cloning the functionality of the highly popular backup/restore WordPress plugin UpdraftPlus, with a current active number of over two million installations.
"The metadata comments within these fake plugins include copies from version 1.16.16 of UpdraftPlus, which was released on July 23rd, 2019," found researchers at web security and protection company Sucuri.
Such plugins can easily be created with the help of ready-made automated tools or by including malicious payloads such as web shells within the source code of legitimate ones.
Fake UpdraftPlus WordPress plugin
Hiding from strangers
The malicious plugin does not show up when using the compromised website's WordPress dashboard as it is designed to stay out of sight until someone who knows it's there wonders around.
"By default, the plugin hides itself in the WordPress dashboard from anyone who doesn’t use browsers with specific User-Agent strings. These strings vary from plugin to plugin," found the researchers.
The plugin will also announce its presence to the attackers if they query the website using a GET request with custom parameters such as initiationactivity or testingkey.
These fake plugins' main purpose is to act as backdoors on the compromised WordPress websites and to provide the attackers with access to the servers even after the original infection vector was removed.
File uploading functionality (Image: Sucuri)
The hackers use the backdoors to upload arbitrary files for malicious purposes to the infec ..