A few weeks ago, a critical unauthenticated privilege escalation vulnerability was discovered in older, unpatched versions of the wp-user-avatar plugin. It also allows for arbitrary file downloads, which is where we saw infections start. This plugin has over 400,000 installations, so we have seen a sustained campaign to infect sites with this plugin installed. In this article, I will review a common infection resulting from this vulnerability in the wp-user-avatar plugin. If you have this plugin on your website, be sure to update it immediately!
Upload a backdoor to a website
First, as is usually the case with such malware campaigns, attackers start by downloading a backdoor to the website. With this infection, they abused the download feature of the wp-user-avatar plugin. Files tend to be located in the following directories used by this plugin:
./wp-content/uploads/pp-avatar ./wp-content/uploads/pp-files Here's an example backdoor that we have seen: ./wp-content/uploads/pp-files/tgvtfjwxdg.php
Downloaded backdoors tend to have random names like this:
05f37e8554c702cb916d2e792cd3e214.php 6c90b559bab0e8c0d71a9f48a45cd731.php a08dd83861a5acb8ad242bb66b80ba7a.php e2be10491059abfc31bfed87d1c441d2.php Here's another example of an uploaded backdoor using this plugin. ./wp-content/uploads/pp-files/jfs.php
The file is huge, but it’s worth noting that it contains this snippet at the end which removes the vulnerable directory after infection:
Why they would do this is a puzzle; perhaps they are also preventing other attackers from compromising the site.
The vulnerability also allows attackers to create an administrator account without any authentication, which gives them additional access to the website.
Fake “Zend Fonts” plugin
However, the main payload that we have seen uploaded to websites is a fake “Zend Fonts” plugin:
After verification, no such plugin actually exists in the WordPress repository. Typical with such bogus plugins, the top of the file looks harmless and legitimate:
But taking a closer look at the code, we can see that it is completely bogus and in fact redirects website visitors to bogus scam sites.
To note: If your website visitors have reported strange redirects, your website may be compromised by this malware.
Functions of the bogus “Zend Fonts” plugin
Let’s take a look at some parts of this fake Zend Fonts plugin. The malware writers actually left comments in their code explaining all of the different functions! This could help those to whom they sell their malicious code to modify it later to better meet their needs.
One of the simplest functions of this malware is quite typical of these bogus plugins: hiding it from view in wp-admin:
An interesting detail here is that the malware creates a database table called wzen_time_table and dumps the information retrieved from the administrator users on the site:
The user agent and the IP address of all admin users are stored in this table which it uses to prevent redirection from occurring to identified admin users:
I can only assume that they are adding this feature in order to help stay hidden from admins for as long as possible to extend the effect of their payload.
Speaking of which, that brings me to the last part of the infection here:
Lots of base64 encoded strings here, but once decoded we end up with the following redirect code:
Which sends website visitors (but not the admin!) To spam sites like this:
Users who click on these fraudulent links may be prompted to install Trojans or other malware on their devices or be redirected to phishing pages to enter sensitive data such as banking information or other corporate information. connection.
The area of payload differs from variant to variant of this malware. In some cases, we’ve seen it leverage a legitimate ad network to grab the redirect payload domain:
This could help attackers redirect to a more diverse variety of areas. It could also potentially increase traffic to any sites that are part of their ad campaigns of choice, such as those using blackhat SEO to improve their rankings and visitors.
Prevention of website attacks
The best way to ensure that your website does not fall victim to such an attack is to make sure that all of the software on your website is up to date. This is sometimes a daily chore ritual and it can be overwhelming to master, especially if you don’t have a dedicated website developer.
The easiest way to make sure your website is up to date with all the latest fixes is to turn on automatic updates for your plugins and themes. You should always use it in conjunction with a daily backup service for your website, as sometimes plugin and wordpress updates can cause incompatibilities that can damage your website or cause errors.
If wp-cli is installed on your website, you can also configure a cron job on your server to run the following command daily:
php wp-cli.phar plugin update --all
Again, this should always be implemented with a regular backup service in case you need to restore from previous versions!
Prevent PHP from running
Another thing we recommend you do is harden the wp-content / uploads directory by placing a .htaccess with the following code inside:
deny from all
This would prevent any PHP script from running from the uploads directory in an Apache environment. Even if an attacker were able to download their backdoor, there wasn’t much they could do with it.
Our website firewall service can help prevent your website from being infected with vulnerable plugins. In the advanced security options panel, there is an option to prevent any downloading of PHP or executable content:
Regardless of the vulnerability of the plugin in question, attackers would not be able to deliver their payload.
WordPress plugins operated
This example is just the most recent of an aggressive push by attackers to exploit vulnerable plugins in the WordPress repository. Fortunately, security researchers were just as aggressive in locating these vulnerable plugins and contacting the developers to implement a fix. However, even after fixes are released, many website owners do not install them immediately, if ever.
If you want to help prevent your website from these types of attacks, or if you need help removing malware, consider signing up for our security plan!