WP3.XYZ malware attacks add rogue admins to 5,000+ WordPress sites
A new malware campaign has compromised more than 5,000 WordPress sites to create admin accounts, install a malicious plugin, and steal data.
Researchers at webscript security company c/side discovered during an incident response engagement for one of their clients that the malicious activity uses the wp3[.]xyz domain to exfiltrate data but have yet to determine the initial infection vector.
After compromising a target, a malicious script loaded from the wp3[.]xyz domain creates the rogue admin account wpx_admin with credentials available in the code.
The script then proceeds to install a malicious plugin (plugin.php) downloaded from the same domain, and activates it on the compromised website.
According to c/cide, the purpose of the plugin is to collect sensitive data, like administrator credentials and logs, and send it to the attacker’s server in an obfuscated way that makes it appear as an image request.
The attack also involves several verification steps, such as logging the status of the operation after the creation of the rogue admin account and verifying the installation of the malicious plugin.
