A malicious campaign has been uncovered targeting over 5,000 WordPress websites, where attackers create fraudulent administrator accounts, install malicious plugins, and exfiltrate sensitive data. Experts from c/side, a web script security firm, identified this activity during an incident response for one of their clients.
The campaign uses the domain wp3[.]xyz both as the source of its malicious script and as the destination for stolen data. The initial infection vector has not been identified. Once a site is compromised, a script loaded from that domain creates an administrator account named wpx_admin and embeds the account's credentials in the site's code.
The script then downloads and activates a malicious plugin, plugin.php, from the same domain. According to c/side, the plugin harvests sensitive information, including administrator credentials and logs, and sends it to the attackers' server. The exfiltration is disguised as image requests so that it blends in with ordinary site traffic.
The script also verifies its own progress: it logs the outcome of the account creation and confirms that the plugin was installed, so the operators can tell which sites were fully compromised.
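The indicators above (the wpx_admin login, references to wp3[.]xyz, and a plugin fetched from that domain) are concrete enough to hunt for. The script below is an added example, not c/side's tooling: it walks a WordPress document root looking for the indicator strings and compares the site's administrator logins against an approved list. The miniature site it scans is constructed inline so the example runs offline; the file names, the injected snippet and the approved-admin list are illustrative assumptions, not artefacts from the real campaign.

```python
import tempfile
from pathlib import Path

# Indicators published for this campaign. The article defangs the domain as
# wp3[.]xyz; on disk and in the database it appears as the plain hostname.
INDICATORS = ("wp3.xyz", "wpx_admin")

# Injected code lives in PHP/JS/HTML, so skip media and other binary uploads.
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm", ".txt", ".json"}


def scan_for_indicators(root, indicators=INDICATORS):
    """Walk a document root and return (relative_path, line_no, indicator) hits."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        # Path(".htaccess").suffix is "", so keep that file by name.
        if path.suffix.lower() not in SCAN_SUFFIXES and path.name != ".htaccess":
            continue
        with path.open("r", encoding="utf-8", errors="ignore") as fh:
            for line_no, line in enumerate(fh, 1):
                lowered = line.lower()
                for ioc in indicators:
                    if ioc in lowered:
                        hits.append((path.relative_to(root).as_posix(), line_no, ioc))
    return hits


def unexpected_admins(admin_logins, approved):
    """Return administrator logins that are not on the approved list, sorted."""
    return sorted(set(admin_logins) - set(approved))


def build_sample_site():
    """Constructed miniature document root standing in for a compromised site.

    One theme file carries a stand-in for the attacker's injected snippet; the
    PNG contains an indicator string to show that binaries are skipped.
    """
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    plugin_dir = root / "wp-content" / "plugins" / "hello"
    uploads = root / "wp-content" / "uploads"
    theme = root / "wp-content" / "themes" / "twentytwentyfour"
    for d in (plugin_dir, uploads, theme):
        d.mkdir(parents=True)
    (plugin_dir / "hello.php").write_text("<?php // harmless plugin, nothing to flag\n")
    (uploads / "logo.png").write_bytes(b"\x89PNG fake image bytes wp3.xyz")
    (theme / "functions.php").write_text(
        "<?php\n"
        "// constructed stand-in for the injected account/plugin loader\n"
        "$u = 'wpx_admin';\n"
        "$src = 'https://wp3.xyz/plugin.php';\n"
    )
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel_path, line_no, ioc in scan_for_indicators(site):
        print(f"{rel_path}:{line_no}: contains {ioc}")
    # Assumed admin list; on a live site feed in the output of
    # `wp user list --role=administrator --field=user_login`.
    for login in unexpected_admins(["admin", "wpx_admin"], approved=["admin"]):
        print(f"unapproved administrator: {login}")
```

The file scan only covers code on disk; the account itself lives in the database, so pair the scan with the WP-CLI user listing (or a query against wp_users) and check wp_options for plugin entries you did not install.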
To mitigate such attacks, c/side experts recommend the following measures:
- Block wp3[.]xyz in firewalls and web-security tools, including outbound traffic from the web server itself, since a compromised site fetches the plugin from that domain.
- Audit every administrator account and installed plugin, starting with the wpx_admin login and any plugin sourced from wp3[.]xyz, and remove anything you cannot account for.
- Strengthen defenses against CSRF by requiring unique, server-side-validated tokens on every state-changing admin action, including account creation and plugin installation; regenerate tokens periodically and give them a limited lifespan. WordPress's own nonce functions (wp_create_nonce and wp_verify_nonce) provide this for plugin and theme code; the gap is usually a handler that never checks one.
- Enable multi-factor authentication (MFA) on all administrator accounts and rotate the passwords of any account whose credentials may already have been harvested; MFA alone does not invalidate a password the attackers already hold.
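The CSRF recommendation above combines four properties: a token unique to the session and request, validated on the server, expiring after a fixed lifetime, and regenerated after use. The code below is an added example of that scheme in Python, not WordPress code and not anything from c/side. It uses stateless HMAC-signed tokens so no server-side table is needed; the secret, session identifiers and 15-minute lifetime are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed secret for the example; a real deployment loads it from
# configuration and never sends it to the client.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 15 * 60  # seconds a token stays valid before it must be regenerated


def issue_token(session_id, now=None, secret=SERVER_SECRET):
    """Mint a token bound to one session, carrying its issue time and a random nonce."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)  # keeps tokens unique even within the same second
    payload = f"{issued}:{nonce}"
    # The session id is signed but not transmitted, so a token stolen from one
    # session cannot be replayed in another.
    sig = hmac.new(secret, f"{session_id}:{payload}".encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}:{sig}".encode()).decode()


def verify_token(token, session_id, now=None, secret=SERVER_SECRET, ttl=TOKEN_TTL):
    """Server-side check: well-formed, signed for this session, and inside its lifetime."""
    current = time.time() if now is None else now
    try:
        issued_s, nonce, sig = base64.urlsafe_b64decode(token.encode()).decode().split(":")
        issued = int(issued_s)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed or tampered encoding
    if issued > current + 60 or current - issued > ttl:
        return False  # future-dated or expired
    expected = hmac.new(secret, f"{session_id}:{issued}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def handle_state_change(form, session_id, now=None):
    """Pattern for every state-changing admin request (user creation, plugin install).

    Rejects the request without a valid token and otherwise returns a fresh token,
    so the client rotates to a new one after each privileged action.
    """
    if not verify_token(form.get("csrf_token", ""), session_id, now=now):
        return False, None
    # ... perform the privileged action here ...
    return True, issue_token(session_id, now=now)


if __name__ == "__main__":
    sid = "sess-a"  # assumed opaque session identifier
    tok = issue_token(sid)
    print("fresh token valid:", verify_token(tok, sid))
    print("other session rejects it:", verify_token(tok, "sess-b"))
    print("expired rejects it:", verify_token(tok, sid, now=time.time() + TOKEN_TTL + 1))
    print("state change:", handle_state_change({"csrf_token": tok}, sid))
```

The token must be delivered in the form body or a custom header, never in a cookie alone, because the browser attaches cookies to cross-site requests automatically; that is exactly what CSRF exploits.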
These widespread attacks on WordPress sites underscore the importance of routine security audits and proactive defenses. Neglecting them can cost you both sensitive data and control of your own site.