New Linux Malware Exploiting 20+ CMS Flaws in WP Sites


New Linux malware has emerged that takes advantage of security vulnerabilities in the WordPress themes and plugins of websites hosted on a Linux platform. By injecting JavaScript into a website's pages, the malware can help cybercriminals launch DDoS attacks, access sensitive data, and redirect visitors to malicious websites.

This article will provide a comprehensive overview of this new Linux malware, discussing how it works, the CMS flaws that can be exploited, and what can be done to prevent such an attack. 

What Is a Linux Malware Attack?

Many of today’s cloud environments are based on a Linux operating system. Because of this, cyberattacks aimed directly at web hosts that use Linux are on the rise. By successfully infiltrating a Linux environment, cybercriminals can access a range of sensitive data, execute malware, and potentially cause long-term damage to IT infrastructure. 

New Linux Malware Found

Since 2020, Trojans and ransomware have been the most common forms of Linux-based malware attacks.

Vulnerabilities such as the latest WordPress CMS flaws have been used to compromise networks. Other weaknesses include missing authentication on a network service or a server misconfiguration. Unfortunately, such attacks have been rather successful in recent years and are becoming more sophisticated and diverse, causing headaches for cybersecurity teams.

The Types of Linux Malware Attacks

There are many different ways a threat actor can execute a malware attack. Below are some of the most common types.

Malware that targets VM images 

Malware is constantly evolving, and skilled cybercriminals target newly discovered vulnerabilities with carefully planned attacks. One such attack involves targeting the Virtual Machine (VM) images that are used to run workloads.

By doing so, threat actors can gain access to valuable resources hosted on the cloud, allowing them to cause havoc.

Cryptojacking

Cryptojacking can be very lucrative for cybercriminals, who use the victim's IT resources to generate cryptocurrency. Even global companies such as Tesla have been victims of such an attack.

Cryptojacking malware exploits systems that lack advanced security, allowing hackers to hijack systems and mine crypto at the expense of the victim.

Fileless Linux attacks

Using the open-source, Golang-written Ezuri tool, attackers can encrypt a malware payload, decrypt and run it in memory on a compromised host, and leave no trace on the system disk. This allows the malware to bypass antivirus software that scans files on disk.

The cybercriminal group TeamTNT commonly uses this technique. For large organizations, this can have extreme consequences, breaching compliance regulations. Safeguarding against such attacks can go a long way in ensuring PCI compliance and adhering to other regulatory guidelines.

Nation-state attacks

Nation-state groups are increasing their attacks on Linux environments, and this is particularly evident in the Russia-Ukraine war. The main goal of these malware attacks is to disrupt communications and destroy data.

How WP Websites Are Being Targeted by New Linux Malware 

A new Linux malware strain that was not previously known to cybersecurity experts has been targeting WordPress websites, or more accurately, over twenty plugins and themes. 

The Russian security vendor Doctor Web has analyzed this new threat, highlighting the potential vulnerabilities. A representative from Doctor Web stated in a recent report, “If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts. As a result, when users click on any area of an attacked page, they are redirected to other sites.”

The attacks target specific websites with vulnerable plugins and themes in order to deploy malware. This helps build a network of compromised websites (a botnet) to which cybercriminals have remote access, allowing them to conduct various activities. The backdoor can also inject JavaScript retrieved from a remote server into the compromised site's pages, redirecting visitors who access the breached website to a malicious website.

Another backdoor version of the attack involved a previously unknown command-and-control (C2) domain, in addition to targeting the 20+ WordPress CMS flaws.

In either case, the attacker uses a brute-force method to infiltrate WordPress admin accounts. Doctor Web added, “If such an option is implemented in newer versions of the backdoor, cybercriminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities.” 

20+ CMS Flaws That Have Been Exploited

The list of vulnerable themes and plugins that the Linux malware has exploited includes:

  • Blog Designer (< 1.8.12)
  • Brizy
  • Coming Soon & Maintenance Mode (<= 5.1.0)
  • Delucks SEO
  • Easy WP SMTP (1.3.9)
  • FV Flowplayer Video Player
  • Hybrid
  • Live Chat with Messenger Customer Chat by Zotabox (< 1.4.9)
  • ND Shortcodes (<= 5.8)
  • Newspaper (CVE-2016-10972, 6.4 – 6.7.1)
  • Onetone
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Post Custom Templates Lite (< 1.7)
  • Rich Reviews
  • Simple Fields
  • Smart Google Code Inserter (discontinued as of January 28, 2022, < 3.5)
  • Social Metrics Tracker
  • Thim Core
  • Total Donations (<= 2.0.5)
  • WooCommerce
  • WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233, 1.24.2)
  • WPeMatico RSS Feed Fetcher
  • WP GDPR Compliance (1.4.2)
  • WP Live Chat (8.0.27)
  • WP Live Chat Support
  • WP-Matomo Integration (WP-Piwik)
  • WP Quick Booking Manager
  • Yellow Pencil Visual CSS Style Editor (< 7.2.0)
  • Yuzo Related Posts (5.12.89)

Previous WordPress Malware Attacks

Threat intelligence and research organization Fortinet FortiGuard Labs revealed another botnet (a group of breached internet-connected devices) known as GoTrim. This network was built by brute-forcing self-hosted websites that use the WordPress CMS, giving the attackers full control of the system.

Sucuri, a website security & protection platform owned by GoDaddy, identified over 15,000 breached WordPress websites at the end of 2022. This was part of an overall malware campaign aimed at redirecting website visitors to Q&A portals controlled by cybercriminals. As of January 2023, over 9,000 of these websites were still infected.

In the summer of 2022, Sucuri also released a report that detailed a traffic direction system (TDS) dubbed "Parrot" that targeted WordPress websites using JavaScript-based malware.

How To Prevent Linux Malware Attacks

To prevent such an attack, all WordPress users are advised to update all components of their websites, including any third-party plugins and themes. As a best practice, users should also use strong passwords and unique login details for each user to increase security. 

Website owners should also take regular backups of their data, reducing the impact of a ransomware attack, and it is also recommended to install regularly updated, premium security plugins.
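One practical way to act on the "keep plugins updated" advice is to check an installed-plugin inventory against the version thresholds in the list above. The script below is an added example, not code from the article or from Doctor Web; it assumes the inventory is the JSON printed by `wp plugin list --fields=title,version --format=json`, matches plugins by exact title (a heuristic), and uses a constructed sample inventory.

```python
import json
import re

# (operator, version) copied from the article's list; None means the article
# names the plugin but gives no version, so any install is flagged for review.
VULNERABLE = {
    "Blog Designer": ("<", "1.8.12"),
    "Coming Soon & Maintenance Mode": ("<=", "5.1.0"),
    "Easy WP SMTP": ("==", "1.3.9"),
    "Post Custom Templates Lite": ("<", "1.7"),
    "Total Donations": ("<=", "2.0.5"),
    "WP GDPR Compliance": ("==", "1.4.2"),
    "Yellow Pencil Visual CSS Style Editor": ("<", "7.2.0"),
    "Brizy": None, "Rich Reviews": None, "WooCommerce": None,
}

def vtuple(v, width=4):
    """'1.8.12' -> (1, 8, 12, 0); zero-padded so that '1.7' equals '1.7.0'."""
    parts = [int(x) for x in re.findall(r"\d+", v)][:width]
    return tuple(parts + [0] * (width - len(parts)))

def is_vulnerable(installed, rule):
    """True/False against the page's threshold; None when the page gives none."""
    if rule is None:
        return None
    op, ref = rule
    a, b = vtuple(installed), vtuple(ref)
    return {"<": a < b, "<=": a <= b, "==": a == b}[op]

def audit(inventory_json):
    """Map each listed plugin to 'VULNERABLE', 'OK' or 'REVIEW' (exact-title match, heuristic)."""
    rules = {name.lower(): rule for name, rule in VULNERABLE.items()}
    findings = {}
    for plugin in json.loads(inventory_json):
        key = plugin["title"].strip().lower()
        if key not in rules:
            continue  # not on the article's list
        verdict = is_vulnerable(plugin["version"], rules[key])
        findings[plugin["title"]] = {True: "VULNERABLE", False: "OK", None: "REVIEW"}[verdict]
    return findings

SAMPLE_INVENTORY = json.dumps([  # constructed sample, not a real site
    {"title": "Blog Designer", "version": "1.8.11"},
    {"title": "Easy WP SMTP", "version": "1.3.9"},
    {"title": "Total Donations", "version": "2.1.0"},
    {"title": "WooCommerce", "version": "7.2.0"},
    {"title": "Akismet Anti-spam", "version": "5.0"},
])

print(audit(SAMPLE_INVENTORY))
```

Plugins the article names without a version are reported as REVIEW rather than OK, since the page gives no threshold to compare against.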

Wrapping Up

This newly identified attack targets over 20 WordPress plugins and themes hosted on a Linux environment, allowing cybercriminals to execute malware. Many of these attacks involve redirecting website visitors to bogus websites, while others help hackers develop botnets that can be used for a range of crimes.

WordPress users can prevent such an attack by keeping all plugins and themes updated and using strong login credentials. The majority of websites that have fallen victim to malware attacks are poorly maintained, have minimal security installed, and use weak passwords. 
