Today we found a new piece of malware, WP-Zipp.zip, which is a WordPress plugin. The attacker had earlier created a WordPress user account through some other vulnerability, then used it to upload their own malicious plugin, which contains a FilesMan remote shell.
Access log
As we can see, the attacker simply logs in to WordPress directly and installs the WP-Zipp plugin:
188.163.110.84 - - [13/Mar/2017:01:39:32 +0200] "POST /wp-login.php HTTP/1.0" 302 1178 "https://malware.expert/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
188.163.110.84 - - [13/Mar/2017:01:39:33 +0200] "GET /wp-admin/index.php HTTP/1.0" 200 156715 "https://malware.expert/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
188.163.110.84 - - [13/Mar/2017:01:39:40 +0200] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200 145117 "https://malware.expert/wp-admin/plugin-install.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
188.163.110.84 - - [13/Mar/2017:01:39:41 +0200] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200 137883 "https://malware.expert/wp-admin/plugin-install.php?tab=upload" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
188.163.110.84 - - [13/Mar/2017:01:39:53 +0200] "GET /wp-content/plugins/wp-zipp/wp-zipp.php HTTP/1.0" 200 345 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
188.163.110.84 - - [13/Mar/2017:05:19:33 +0200] "GET /wp-content/plugins/wp-zipp/wp-zipp.php HTTP/1.1" 200 308 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0"
188.163.110.84 - - [13/Mar/2017:05:19:35 +0200] "POST /wp-content/plugins/wp-zipp/wp-zipp.php HTTP/1.1" 200 7422 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0"
188.163.110.84 - - [13/Mar/2017:05:19:37 +0200] "POST /wp-content/plugins/wp-zipp/wp-zipp.php HTTP/1.1" 200 6953 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0"
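The sequence in this log is detectable on its own: a plugin upload through wp-admin/update.php, followed by GET and POST requests straight to a PHP file under wp-content/plugins/ with no Referer, which is how a web shell is typically driven rather than how a browser navigates a site. The following script is an added example, not code from the original post or from malware.expert; it parses combined-format access log lines, groups them by client IP and reports plugin slugs that were accessed directly after that IP uploaded a plugin. The sample lines are the ones quoted above; the rule itself (upload, then referer-less hits on a plugin file) is this example's own heuristic, not a WordPress or vendor definition.

```python
"""Flag 'upload plugin, then hit its PHP file directly' in access logs.

Added example, not part of the original post. SAMPLE_LOG holds the
lines quoted in the post; the detection rule is this example's own
assumption, not WordPress or malware.expert tooling.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# The upload endpoint seen in the log, and any PHP file inside a plugin directory.
UPLOAD_PATH = '/wp-admin/update.php'
PLUGIN_FILE_RE = re.compile(r'^/wp-content/plugins/(?P<slug>[^/]+)/[^?]+\.php')

# Constructed from the log lines quoted in the post.
SAMPLE_LOG = [
    '188.163.110.84 - - [13/Mar/2017:01:39:32 +0200] "POST /wp-login.php HTTP/1.0" 302 1178 "https://malware.expert/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"',
    '188.163.110.84 - - [13/Mar/2017:01:39:33 +0200] "GET /wp-admin/index.php HTTP/1.0" 200 156715 "https://malware.expert/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"',
    '188.163.110.84 - - [13/Mar/2017:01:39:40 +0200] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200 145117 "https://malware.expert/wp-admin/plugin-install.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"',
    '188.163.110.84 - - [13/Mar/2017:01:39:41 +0200] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200 137883 "https://malware.expert/wp-admin/plugin-install.php?tab=upload" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"',
    '188.163.110.84 - - [13/Mar/2017:01:39:53 +0200] "GET /wp-content/plugins/wp-zipp/wp-zipp.php HTTP/1.0" 200 345 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"',
    '188.163.110.84 - - [13/Mar/2017:05:19:33 +0200] "GET /wp-content/plugins/wp-zipp/wp-zipp.php HTTP/1.1" 200 308 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0"',
    '188.163.110.84 - - [13/Mar/2017:05:19:35 +0200] "POST /wp-content/plugins/wp-zipp/wp-zipp.php HTTP/1.1" 200 7422 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0"',
    '188.163.110.84 - - [13/Mar/2017:05:19:37 +0200] "POST /wp-content/plugins/wp-zipp/wp-zipp.php HTTP/1.1" 200 6953 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0"',
]


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['time'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def find_plugin_upload_then_direct_access(lines):
    """Per client IP, report plugin slugs whose PHP file was requested with an
    empty Referer ("-") and a 200 status after that IP uploaded a plugin.

    Returns a list of {'ip', 'slug', 'upload_time', 'direct_hits'} dicts.
    """
    by_ip = defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if rec:
            by_ip[rec['ip']].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r['time'])  # so 'after the upload' is meaningful
        upload_time = None
        hits = defaultdict(int)
        for r in recs:
            if (r['method'] == 'POST' and r['path'].startswith(UPLOAD_PATH)
                    and 'action=upload-plugin' in r['path']):
                upload_time = upload_time or r['time']
                continue
            m = PLUGIN_FILE_RE.match(r['path'])
            if upload_time and m and r['referer'] == '-' and r['status'] == 200:
                hits[m.group('slug')] += 1
        for slug, n in hits.items():
            findings.append({'ip': ip, 'slug': slug,
                             'upload_time': upload_time, 'direct_hits': n})
    return findings


if __name__ == '__main__':
    for f in find_plugin_upload_then_direct_access(SAMPLE_LOG):
        print(f"{f['ip']} uploaded a plugin at {f['upload_time']:%Y-%m-%d %H:%M:%S} "
              f"and then hit plugins/{f['slug']}/ directly {f['direct_hits']} times")
```

On the quoted log this yields one finding for 188.163.110.84 and the wp-zipp slug with four direct hits. Run against a real log, the same rule will also flag legitimate plugins that expose AJAX endpoints under their own directory, so the output is a triage queue to be checked against the plugin's actual files, not a verdict on its own.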
WP-Zipp.zip
If we extract the zipped file, its contents are:
-rw-r--r-- 1 malware malware 25045 Mar 11 23:20 wp-zipp.php
drwxr-xr-x 3 malware malware  4096 Dec  1  2014 _inc
drwxr-xr-x 2 malware malware  4096 Dec  1  2014 views
-rw-r--r-- 1 malware malware  2417 Aug 18  2014 akismet.php
-rw-r--r-- 1 malware malware 34873 Aug 18  2014 class.akismet-admin.php
-rw-r--r-- 1 malware malware 36091 Aug 18  2014 class.akismet.php
-rw-r--r-- 1 malware malware  2719 Aug 18  2014 class.akismet-widget.php
-rw-r--r-- 1 malware malware    26 Aug 18  2014 index.php
-rw-r--r-- 1 malware malware  8521 Aug 18  2014 readme.txt
-rw-r--r-- 1 malware malware  9698 Aug 18  2014 wrapper.php
WP-Zipp.php
If we look at the POST payloads sent to wp-zipp.php, we see that the file contains an encrypted FilesMan backdoor.
Final words
Use Malware Expert – Signatures to detect this malware in your files for FREE!