Fake plugins that mine crypto-currencies are targeting WordPress servers

Researchers from Sucuri, a website security as well as threat detection firm just spotted a number of WordPress plugins capable of helping mine crypto-currency in a clandestine manner on infected systems. The perpetrator could clandestinely load malware onto the server as well as execute it, including one binary file that would facilitate in mining crypto-currencies. Named "Multios.Coinminer.Miner-6781728-2," the binary file when run on the host machine works quietly unnoticed, consuming server resources for stealthily mining crypto-currencies that ends up with the attacker.

Reports state that a few of the mentioned fake plugins carrying functionalities of backdoor while known as 'updrat123' or 'initiatorseo' were found forging UpdraftPlus' functional pedagogy after the perpetrators hijacked the WordPress plugin in backup state. The plugin has a wide-spread use, with more than 2m installations at present.

The malicious plugins prominently stay concealed from the end-users as they carry out their tasks on WordPress dashboard of the hijacked sites. The said plugins are so created that they do not appear in view of the end-users.

They function as infiltrators attacking the WordPress sites and thereby letting the attackers gain complete entry into the servers in spite of elimination of the real contaminated medium. The plugins would respond to the attackers' "GET request" command utilizing attributes namely 'testingkey' else 'initiationactivity.' The infiltrators, by using POST requests, inject contaminated files inside the system that hosts the contaminated sites. www.cryptonewsz.com posted this dated October 20, 2019.

There are certain parameters in the above mentioned requests carrying information regarding web-address' download location, the channel reserved for writing the files on, as well as the names to be given to the files installed. Sucuri researchers saw web shells that the attackers installed. Web shells are malevolent strings of code giving attackers admission into the server from remote. Such web shells were installed inside arbitrarily chosen places on servers hosting the hijacked websites.

The researchers further uncovered one more type of fraudulent plugins which, in addition to giving attackers certain backdoor onto hijacked websites featuring WordPress functionality, facilitates them with exploiting system resources of the servers, hosting the websites, for mining Bitcoin.

» SPAMfighter News - 10/25/2019