A new type of malware has been discovered that is able to bypass detection by 14 major WordPress security scanners, including Wordfence and GOTMLS.NET. The malware injects itself into the database, specifically the wp_options table, affecting entries like wpcode_snippets, siteurl, home, and redirection_options.
This allows the attackers to create hidden admin users, redirect visitors to malicious websites, and hide security plugins from the administrator's view. The malware also uses advanced techniques to evade detection, such as base64 encoding and tracking IP addresses.
How this Malware Hides and Works Undetected
What makes this malware more concerning is its ability to remain undetected by a wide range of security scanners.
Reports indicate that 14 major scanners, among them the most widely used WordPress security plugins, failed to identify the threat. The scanners reported as missing it are:
- Wordfence
- Sucuri SiteCheck
- MalCare
- iThemes Security
- All In One WP Security & Firewall
- WPScan
- Anti-Malware Security (by Eli/GOTMLS.NET)
- SecuPress
- Quttera Web Malware Scanner
- Exploit Scanner
- WPCore Scan
- WP Cerber Security
- ClamAV
The malware works by putting malicious code directly into the WordPress database, especially the wp_options table. Because the payload lives in database rows rather than on disk, it avoids the file-based scans that most security plugins rely on.
Understanding How the Malware Works
1. Taking Over the Admin Panel:
The malware changes the WordPress admin interface to hide security plugins like "Code Snippets." This makes it hard for the admin to see that something is wrong.
2. Creating Secret Admin Users:
Using stolen cookie data, the malware secretly adds admin users to the database without the site owner knowing. This gives attackers a way to keep coming back, even if the original problem is fixed.
3. Sending Non-Logged-In Users to Bad Sites:
The malware uses DNS records to send non-logged-in users, or visitors from certain IP addresses, to malicious websites. These sites might try to steal information or deliver more malware.
4. Tracking IP Addresses and Sessions:
To avoid looking suspicious, the malware keeps track of IP addresses to make sure it doesn't send the same person to a bad site more than once in 24 hours.
Malware Detection and Analysis
The malware was discovered by carefully checking the wp_options table, especially entries like wpcode_snippets, siteurl, home, and redirection_options.
A special SQL query was used to look for signs of trouble, such as <script> tags, eval() calls, base64_decode() calls, and the document.write% pattern.
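As an added example, not part of the original report and not the analysts' own query, the following script builds a constructed wp_options table in SQLite and runs the kind of check the analysis describes: a case-insensitive LIKE scan of option_value for the fragments named above, plus a check that siteurl and home still point at the host the site should have (assumed here to be example.com). All row values are hypothetical; the SELECT itself runs unchanged against a real MySQL wp_options table.

```python
import sqlite3

# Fragments the write-up names as indicators, as case-insensitive SQL LIKE patterns.
SUSPICIOUS_PATTERNS = ["%<script%", "%eval(%", "%base64_decode(%", "%document.write%"]

# One query, parameterised so the patterns are never spliced into the SQL string.
DETECTION_SQL = (
    "SELECT option_name, option_value FROM wp_options WHERE "
    + " OR ".join("option_value LIKE ?" for _ in SUSPICIOUS_PATTERNS)
)


def scan_wp_options(conn, expected_host):
    """Return (option_name, reason) findings for a wp_options table."""
    findings = []
    for name, _value in conn.execute(DETECTION_SQL, SUSPICIOUS_PATTERNS):
        findings.append((name, "suspicious code fragment in option_value"))
    # A redirect does not need <script> tags: a rewritten siteurl/home is enough,
    # so these two options are compared against the host the site should have.
    for name in ("siteurl", "home"):
        row = conn.execute(
            "SELECT option_value FROM wp_options WHERE option_name = ?", (name,)
        ).fetchone()
        if row and expected_host not in row[0]:
            findings.append((name, f"points at {row[0]}, expected {expected_host}"))
    return findings


def build_sample_db():
    """Constructed sample data (hypothetical values, not from a real infection)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, "
        "option_name TEXT, option_value TEXT, autoload TEXT)"
    )
    rows = [
        ("siteurl", "https://example.com", "yes"),
        ("home", "https://attacker.example", "yes"),  # tampered home URL
        ("blogname", "Example Site", "yes"),  # benign row, must not be flagged
        ("wpcode_snippets", '{"code":"<?php eval(base64_decode($p)); ?>"}', "no"),
        ("redirection_options", '<script>document.write("...")</script>', "no"),
    ]
    conn.executemany(
        "INSERT INTO wp_options (option_name, option_value, autoload) VALUES (?, ?, ?)",
        rows,
    )
    return conn


if __name__ == "__main__":
    for name, reason in scan_wp_options(build_sample_db(), "example.com"):
        print(f"{name}: {reason}")
```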
Protecting Against This Malware
To protect your WordPress site from this sneaky malware, take the following steps:
1. Use Strong Passwords and Two-Factor Authentication (2FA):
- Make sure all user accounts, especially admin ones, have strong and unique passwords.
- Add an extra layer of security with 2FA, making it much harder for attackers to get in.
2. Keep Everything Updated and Do Regular Security Checks:
- Make sure WordPress, themes, and plugins are always up-to-date to fix any vulnerabilities.
- Regularly check your website and database for any suspicious activity or bad code.
3. Hide the WP Login URL and Limit Login Attempts:
- Change the default WordPress login URL (/wp-admin or /wp-login.php) to make it harder for attackers to find.
- Use plugins or security features to limit login attempts, stopping brute-force attacks.
4. Improve Database Security and Monitoring:
- Regularly scan your database for bad code, especially in the wp_options table.
- Use security tools that monitor your database in real time and can spot unusual activity.
A Warning for WordPress Administrators
This new type of malware shows how important it is to stay ahead of new threats. While traditional security measures are still important, this incident shows that we need more advanced ways to monitor our databases and detect malware.
If you find any suspicious activity on your WordPress sites, it is time for a deep analysis.