PHP Reinfector and Backdoor Malware Target WordPress Sites

Nov. 14, 2024, 8:59 a.m.

Description

A PHP reinfector and backdoor malware is targeting WordPress websites, infecting plugin files and database tables. The malware repeatedly reinfects the site's active plugins, modifies rows in the wp_options and wp_posts tables, and creates malicious administrator users. It uses WP-Cron, WordPress's built-in scheduled-task system, to keep re-establishing control, and injects third-party scripts that redirect visitors to VexTrio scam pages. The infection mechanism is not limited to the WPCode plugin: sites that do not have it installed are also affected. To evade detection the malware obfuscates its functions and deactivates security plugins, and it ships a backdoor that gives the operators remote code execution. Because the malware reinfects what has been cleaned, remediation has to cover plugin files, database rows, user accounts and scheduled events together, backed by regular monitoring and updates.
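The persistence points named above (a scheduled WP-Cron hook, an unexpected administrator account, and an injected third-party script in post content) all live in the database, so a responder can triage them from a database dump without touching the PHP. The following Python is an added example written for this page, not code from the original post or from any vendor. It includes a minimal parser for PHP's serialize() format (which WordPress uses for the `cron` option and for `wp_capabilities`), an allowlist of core cron hooks that is illustrative rather than exhaustive, and sample rows that are constructed here to stand in for real query output. The hook name `unknown_hook_example`, the user `wp-backup-svc`, and the host `scripts.invalid` are hypothetical and not indicators from the page.

```python
"""Triage helpers for WordPress persistence: cron hooks, admin users, injected scripts.

Pull the real inputs with (default table prefix wp_ assumed):
  SELECT option_value FROM wp_options WHERE option_name = 'cron';
  SELECT u.user_login, m.meta_value FROM wp_users u
    JOIN wp_usermeta m ON m.user_id = u.ID WHERE m.meta_key = 'wp_capabilities';
  SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%<script%';
"""
import re
from urllib.parse import urlparse

# Hooks WordPress core schedules itself. Illustrative allowlist; extend it with
# hooks your own plugins legitimately register before trusting the output.
KNOWN_CRON_HOOKS = {
    "wp_version_check", "wp_update_plugins", "wp_update_themes",
    "wp_scheduled_delete", "delete_expired_transients",
    "wp_privacy_delete_old_export_files", "recovery_mode_clean_expired_keys",
    "wp_scheduled_auto_draft_delete", "wp_site_health_scheduled_check",
    "wp_update_user_counts", "wp_delete_temp_updater_backups",
}


def php_unserialize(data: bytes):
    """Parse the subset of PHP serialize() output WordPress options use: i, b, d, s, N, a."""
    pos = 0

    def parse():
        nonlocal pos
        t = chr(data[pos])
        if t == "N":                      # 'N;'
            pos += 2
            return None
        if t in "ibd":                    # 'i:123;'  'b:1;'  'd:1.5;'
            end = data.index(b";", pos)
            raw = data[pos + 2:end].decode()
            pos = end + 1
            return {"i": int, "b": lambda v: v == "1", "d": float}[t](raw)
        if t == "s":                      # 's:5:"hello";'  length is in bytes
            colon = data.index(b":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2             # skip ':"'
            value = data[start:start + length].decode("utf-8", "replace")
            pos = start + length + 2      # skip '";'
            return value
        if t == "a":                      # 'a:2:{key;value;key;value;}'
            colon = data.index(b":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2               # skip ':{'
            result = {}
            for _ in range(count):
                key = parse()
                result[key] = parse()
            pos += 1                      # skip '}'
            return result
        raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")

    return parse()


def suspicious_cron_hooks(cron_option: bytes, known=KNOWN_CRON_HOOKS):
    """Return (timestamp, hook, schedule) for scheduled events whose hook is not allowlisted."""
    findings = []
    for key, events in php_unserialize(cron_option).items():
        if not isinstance(key, int):      # the trailing 'version' entry is not a timestamp
            continue
        for hook, instances in events.items():
            if hook not in known:
                for inst in instances.values():
                    findings.append((key, hook, inst.get("schedule")))
    return findings


def unexpected_admins(usermeta_rows, expected_logins):
    """Logins holding the administrator role that are not in the expected set."""
    admins = []
    for login, caps in usermeta_rows:
        roles = php_unserialize(caps)
        if isinstance(roles, dict) and roles.get("administrator") and login not in expected_logins:
            admins.append(login)
    return admins


SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def external_script_hosts(post_content: str, site_host: str):
    """Hosts of <script src=...> tags in post content that are not the site itself."""
    hosts = set()
    for src in SCRIPT_SRC.findall(post_content):
        netloc = urlparse(src, scheme="https").netloc.lower()  # handles '//host/x.js' too
        if netloc and netloc != site_host.lower():
            hosts.add(netloc)
    return hosts


# Constructed sample data standing in for real query output (not from the page).
SAMPLE_CRON = (
    b'a:3:{'
    b'i:1731570000;a:1:{s:16:"wp_version_check";a:1:{s:32:"40cd750bba9870f18aada2478b24840a";'
    b'a:3:{s:8:"schedule";s:10:"twicedaily";s:4:"args";a:0:{}s:8:"interval";i:43200;}}}'
    b'i:1731573600;a:1:{s:20:"unknown_hook_example";a:1:{s:32:"40cd750bba9870f18aada2478b24840a";'
    b'a:3:{s:8:"schedule";s:6:"hourly";s:4:"args";a:0:{}s:8:"interval";i:3600;}}}'
    b's:7:"version";i:2;}'
)
SAMPLE_USERMETA = [
    ("siteowner", b'a:1:{s:13:"administrator";b:1;}'),
    ("editor1", b'a:1:{s:6:"editor";b:1;}'),
    ("wp-backup-svc", b'a:1:{s:13:"administrator";b:1;}'),   # hypothetical rogue admin
]
SAMPLE_POST = (
    '<p>Hello</p><script src="https://example.com/wp-includes/js/jquery.js"></script>'
    '<script src="//scripts.invalid/redirect.js"></script>'
)

if __name__ == "__main__":
    print("unknown cron hooks:", suspicious_cron_hooks(SAMPLE_CRON))
    print("unexpected admins:", unexpected_admins(SAMPLE_USERMETA, {"siteowner"}))
    print("external script hosts:", external_script_hosts(SAMPLE_POST, "example.com"))
```

Run the three checks against a fresh dump after every cleanup pass: a reinfector that re-registers its cron hook or re-creates its admin user will show up again in the next dump even when the plugin files look clean, which is the signal that the real foothold has not yet been found.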

Date

  • Created: Nov. 14, 2024, 3:18 a.m.
  • Published: Nov. 14, 2024, 3:18 a.m.
  • Modified: Nov. 14, 2024, 8:59 a.m.

Attack Patterns

  • Backdoor Malware
  • PHP Reinfector
  • T1078.004 (Valid Accounts: Cloud Accounts)
  • T1053.003 (Scheduled Task/Job: Cron)
  • T1505.003 (Server Software Component: Web Shell)
  • T1608.003 (Stage Capabilities: Install Digital Certificate)
  • T1059.001 (Command and Scripting Interpreter: PowerShell)
  • T1071.001 (Application Layer Protocol: Web Protocols)
  • T1562.001 (Impair Defenses: Disable or Modify Tools)
  • T1027 (Obfuscated Files and Information)
  • T1190 (Exploit Public-Facing Application)
  • T1133 (External Remote Services)