New Linux Malware Exploiting 20+ CMS Flaws in WP Sites
February 6, 2023
This article will provide a comprehensive overview of this new Linux malware, discussing how it works, the CMS flaws that can be exploited, and what can be done to prevent such an attack.
What Is a Linux Malware Attack?
Many of today’s cloud environments are based on a Linux operating system. Because of this, cyberattacks aimed directly at web hosts that use Linux are on the rise. By successfully infiltrating a Linux environment, cybercriminals can access a range of sensitive data, execute malware, and potentially cause long-term damage to IT infrastructure.
Vulnerabilities, such as the latest WordPress CMS flaws, have compromised networks. Other vulnerabilities include a lack of authentication on a network or a server misconfiguration. Unfortunately, such attacks have been rather successful in recent years and are becoming more sophisticated and diverse, causing headaches for cybersecurity teams.
The Types of Linux Malware Attacks
There are many different ways a threat actor can execute a malware attack. Below are some of the most common types.
Malware that targets VM images
Malware is constantly improving, finding new vulnerabilities that are targeted with impressively thought-out attacks by skilled cybercriminals. One such attack involves targeting Virtual Machine (VM) images that are used to handle workloads.
Cryptojacking can be very lucrative for cybercriminals, using the victim’s IT resources to generate cryptocurrency. Even global companies such as Tesla have been victims of such an attack.
Cryptojacking malware exploits systems that lack advanced security, allowing hackers to hijack systems and mine crypto at the expense of the victim.
Fileless Linux attacks
Using the open-source, Golang-written Ezuri tool, hackers can encrypt malware, decrypt it on a breached network and leave no trace on the system disk. This allows the malware to bypass antivirus software.
The cybercriminal group TeamTNT commonly uses this technique. For large organizations, this can have extreme consequences, breaching compliance regulations. Safeguarding against such attacks can go a long way in ensuring PCI compliance and adhering to other regulatory guidelines.
Nation-state groups are increasing their attacks on Linux environments, and this is particularly evident in the Russia-Ukraine war. The main goal of these malware attacks is to disrupt communications and destroy data.
How WP Websites Are Being Targeted by New Linux Malware
A new Linux malware strain that was not previously known to cybersecurity experts has been targeting WordPress websites, or more accurately, over twenty plugins and themes.
Another backdoor version of the attack involved a previously unknown command-and-control (C2) domain, in addition to targeting the 20+ WordPress CMS flaws.
In either case, the attacker uses a brute-force method to infiltrate WordPress admin accounts. Doctor Web added, “If such an option is implemented in newer versions of the backdoor, cybercriminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities.”
20+ CMS Flaws That Have Been Exploited
The list of vulnerable themes and plugins that the Linux malware has exploited includes:
Blog Designer (< 1.8.12)
Coming Soon & Maintenance Mode (<= 5.1.0)
Easy WP SMTP (1.3.9)
FV Flowplayer Video Player
Live Chat with Messenger Customer Chat by Zotabox (< 1.4.9)
ND Shortcodes (<= 5.8)
Newspaper (CVE-2016-10972, 6.4 – 6.7.1)
Poll, Survey, Form & Quiz Maker by OpinionStage
Post Custom Templates Lite (< 1.7)
Smart Google Code Inserter (discontinued as of January 28, 2022, < 3.5)
WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233, 1.24.2)
WPeMatico RSS Feed Fetcher, and
WP GDPR Compliance (1.4.2)
WP Live Chat (8.0.27)
WP Live Chat Support
WP-Matomo Integration (WP-Piwik)
WP Quick Booking Manager
Yellow Pencil Visual CSS Style Editor (< 7.2.0)
Yuzo Related Posts (5.12.89)
Previous WordPress Malware Attacks
Threat intelligence and research organization Fortinet FortiGuard Labs revealed another botnet (a group of breached internet-connected devices) known as GoTrim. This network was created using brute-force techniques on self-hosted websites that use the WordPress CMS, giving them full control of the system.
Sucuri, a website security & protection platform owned by GoDaddy, identified over 15,000 breached WordPress websites at the end of 2022. This was part of an overall malware campaign aimed at redirecting website visitors to Q&A portals controlled by cybercriminals. As of January 2023, over 9,000 of these websites were still infected.
How To Prevent Linux Malware Attacks
To prevent such an attack, all WordPress users are advised to update all components of their websites, including any third-party plugins and themes. As a best practice, users should also use strong passwords and unique login details for each user to increase security.
Website owners should also take regular backups of their data, reducing the chance of being a victim of a ransomware attack, while it is also recommended to install regularly-updated, premium security plugins.
This newly identified attack targets over 20 WordPress plugins and themes hosted on a Linux environment, allowing cybercriminals to execute malware. Many of these attacks involve redirecting website visitors to bogus websites, while others help hackers develop botnets that can be used for a range of crimes.
WordPress users can prevent such an attack by keeping all plugins and themes updated and using strong login credentials. The majority of websites that have fallen victim to malware attacks are poorly maintained, have minimal security installed, and use weak passwords.