WordPress plugin detected a backdoor

The backdoor was contained in the fake X-WP-SPAM-SHIELD-PRO plugin

An unknown hacker introduced a backdoor into the source code of the WordPress plugin that masquerades as an anti-spam tool called X-WP-SPAM-SHIELD-PRO.

Apparently, the attacker tried to use the reputation of a popular tool to protect against spam WordPress WP-SpamShield Anti-Spam. The fake plugin contains a backdoor allowing the hacker to create his own administrator account on the attacked site, upload files to the victim’s servers, disable all plug-ins, etc.

Malicious behavior extends to all files of a fake plugin. In particular, the file class-social-facebook.php disguises itself as a means of protection from spam in social networks and sends an attacker a list of user’s plug-ins and turns them off if necessary. The purpose of disabling all plug-ins is to deactivate all plug-ins blocking access to authorization functions or detecting unauthorized login attempts. Files class-term-metabox-formatter.php and class-admin-user-profile.php send an attacker information about the version of WordPress and a list of all users with administrator rights. Plugin-header.php adds an account with administrator rights under the name mw01main. The wp-spam-shield-pro.php file is associated with a hacker’s server located on mainwall.org, informing him about the installation of a malicious plug-in by a new user. The information transmitted by this file includes the credentials, the URL of the infected site, and the IP address of the server. Wp-spam-shield-pro.php also contains malicious code that allows an attacker to download a ZIP-archive to the victim’s site, unpack it and execute the files stored inside.

According to security experts from Sucuri, to spread the fake, the attacker used a compromised version of the well-known plug-in package for WordPress All In One SEO Pack. The attacker did not publish the plugin in the official WordPress repository, distributing it through other sources.

Let’s remind, earlier the backdoor was found in one more plug-in for WordPress – Display Widgets. The malicious code was detected in the versions of Display Widgets 2.6.1 and Display Widgets 2.6.3. By the time the WordPress team removed the malicious versions of the plug-in from the official repository, more than 200,000 users had already installed them.