WordPress Plugin – wp-zipp.php

Today we found a new piece of malware, WP-Zipp.zip, which is a WordPress plugin. The attacker had earlier created a WordPress user account through another vulnerability and then uploaded their own malicious plugin, which contains a FilesMan remote shell.

Access log

As we can see, the attacker simply logs in to WordPress directly and installs the WP-Zipp plugin:

188.163.110.84 - - [13/Mar/2017:01:39:32 +0200] "POST /wp-login.php HTTP/1.0" 302 1178 "https://malware.expert/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
188.163.110.84 - - [13/Mar/2017:01:39:33 +0200] "GET /wp-admin/index.php HTTP/1.0" 200 156715 "https://malware.expert/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
188.163.110.84 - - [13/Mar/2017:01:39:40 +0200] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200 145117 "https://malware.expert/wp-admin/plugin-install.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
188.163.110.84 - - [13/Mar/2017:01:39:41 +0200] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200 137883 "https://malware.expert/wp-admin/plugin-install.php?tab=upload" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
188.163.110.84 - - [13/Mar/2017:01:39:53 +0200] "GET /wp-content/plugins/wp-zipp/wp-zipp.php HTTP/1.0" 200 345 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
188.163.110.84 - - [13/Mar/2017:05:19:33 +0200] "GET /wp-content/plugins/wp-zipp/wp-zipp.php HTTP/1.1" 200 308 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0"
188.163.110.84 - - [13/Mar/2017:05:19:35 +0200] "POST /wp-content/plugins/wp-zipp/wp-zipp.php HTTP/1.1" 200 7422 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0"
188.163.110.84 - - [13/Mar/2017:05:19:37 +0200] "POST /wp-content/plugins/wp-zipp/wp-zipp.php HTTP/1.1" 200 6953 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0"
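One way to spot this sequence in a web server log, as an added example that is not part of the original post: the script below parses the combined-format lines quoted above and flags requests that hit a PHP file directly under wp-content/plugins/ with no referer, that POST to such a file, that arrive shortly after a plugin upload from the same IP, or that use a different user agent than the upload did. The one-hour window, the reason strings and the function names are my own choices, not anything from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Access-log lines copied from the post above (combined log format), used as sample input.
SAMPLE_LOG = """\
188.163.110.84 - - [13/Mar/2017:01:39:32 +0200] "POST /wp-login.php HTTP/1.0" 302 1178 "https://malware.expert/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
188.163.110.84 - - [13/Mar/2017:01:39:33 +0200] "GET /wp-admin/index.php HTTP/1.0" 200 156715 "https://malware.expert/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
188.163.110.84 - - [13/Mar/2017:01:39:40 +0200] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200 145117 "https://malware.expert/wp-admin/plugin-install.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
188.163.110.84 - - [13/Mar/2017:01:39:41 +0200] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200 137883 "https://malware.expert/wp-admin/plugin-install.php?tab=upload" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
188.163.110.84 - - [13/Mar/2017:01:39:53 +0200] "GET /wp-content/plugins/wp-zipp/wp-zipp.php HTTP/1.0" 200 345 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
188.163.110.84 - - [13/Mar/2017:05:19:33 +0200] "GET /wp-content/plugins/wp-zipp/wp-zipp.php HTTP/1.1" 200 308 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0"
188.163.110.84 - - [13/Mar/2017:05:19:35 +0200] "POST /wp-content/plugins/wp-zipp/wp-zipp.php HTTP/1.1" 200 7422 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0"
188.163.110.84 - - [13/Mar/2017:05:19:37 +0200] "POST /wp-content/plugins/wp-zipp/wp-zipp.php HTTP/1.1" 200 6953 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Any PHP file requested directly under wp-content/plugins/<slug>/
PLUGIN_PHP_RE = re.compile(r"^/wp-content/plugins/(?P<slug>[^/]+)/[^?]*\.php")
UPLOAD_WINDOW_SECONDS = 3600  # assumed window between upload and first use; tune per site


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    event["status"] = int(event["status"])
    return event


def is_plugin_upload(event):
    """True for the wp-admin request that installs a plugin from an uploaded zip."""
    return (event["method"] == "POST"
            and event["path"].startswith("/wp-admin/update.php")
            and "action=upload-plugin" in event["path"])


def analyse(lines):
    """Return suspicious plugin-file requests, each with the reasons it was flagged."""
    events = [e for e in map(parse_line, lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        uploads = [e for e in evs if is_plugin_upload(e)]
        upload_uas = {e["ua"] for e in uploads}
        for e in evs:
            m = PLUGIN_PHP_RE.match(e["path"])
            if not m:
                continue
            reasons = []
            if e["referer"] == "-":
                reasons.append("direct request to a plugin PHP file (no referer)")
            if e["method"] == "POST":
                reasons.append("POST body sent to a plugin PHP file")
            for up in uploads:
                delta = int((e["ts"] - up["ts"]).total_seconds())
                if 0 <= delta <= UPLOAD_WINDOW_SECONDS:
                    reasons.append("requested %ds after a plugin upload from the same IP" % delta)
            if uploads and e["ua"] not in upload_uas:
                reasons.append("user agent differs from the one that uploaded the plugin")
            if reasons:
                findings.append({"ip": ip, "ts": e["ts"], "method": e["method"],
                                 "path": e["path"], "slug": m.group("slug"),
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f["ts"].isoformat(), f["method"], f["path"])
        for r in f["reasons"]:
            print("    -", r)
```

Run on the quoted log it flags all four hits on wp-zipp.php: the first because it follows the upload by seconds with no referer, the later three because they are referer-less GET/POST requests from a different browser than the one that did the install. On a real site the same rules will also fire on legitimate plugins that expose AJAX endpoints, so treat the output as a triage list and pair it with a check that the slug was actually installed through wp-admin by a known administrator.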

WP-Zipp.zip

If we extract the zipped file, its contents are:

-rw-r--r-- 1 malware malware 25045 Mar 11 23:20 wp-zipp.php
drwxr-xr-x 3 malware malware  4096 Dec  1  2014 _inc
drwxr-xr-x 2 malware malware  4096 Dec  1  2014 views
-rw-r--r-- 1 malware malware  2417 Aug 18  2014 akismet.php
-rw-r--r-- 1 malware malware 34873 Aug 18  2014 class.akismet-admin.php
-rw-r--r-- 1 malware malware 36091 Aug 18  2014 class.akismet.php
-rw-r--r-- 1 malware malware  2719 Aug 18  2014 class.akismet-widget.php
-rw-r--r-- 1 malware malware    26 Aug 18  2014 index.php
-rw-r--r-- 1 malware malware  8521 Aug 18  2014 readme.txt
-rw-r--r-- 1 malware malware  9698 Aug 18  2014 wrapper.php

WP-Zipp.php

If we look at the POST payloads sent to wp-zipp.php, it contains an encrypted FilesMan backdoor:

wp-zipp.php

Final words

Use Malware Expert – Signatures to detect this malware in files for FREE!