From blog.sucuri.net
We recently noticed an interesting example of network infrastructure resources being used over a period of time by more than one large-scale malware campaign (e.g., redirected traffic, cryptomining). This was discovered when reviewing the sources of the various malicious domains used in a recent WordPress plugin exploit wave.
Mass Infection of WordPress Websites
The latest Easy SMTP plugin vulnerability has resulted in many infected WordPress websites. The first wave of exploits seemed to follow a methodology similar to the first wave of GDPR plugin exploits in late 2018:
- The malicious user exploits the vulnerability and enables new user registration with the default user level set to administrator, then creates a new admin user.
- The new user with admin privileges is used to upload PHP backdoors to the website files and update the site_url to a domain controlled by a malicious user.
- The new site_url redirects the infected website’s visitors to the domain controlled by the malicious user, which loads JavaScript to track the visitor via cookies. Then it redirects to a new malicious URL.
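The three steps above leave a recognizable footprint in the database: registration switched on with an administrator default role, an extra administrator account, and a siteurl or home option pointing at a foreign host. The script below is an added example (not Sucuri's code) that audits exported wp_options and wp_usermeta rows for exactly those indicators. The option values, user logins and the redirect.attacker.invalid domain are constructed sample data; the check compares hosts rather than string prefixes so that a look-alike domain built on the real one is still flagged.

```python
"""Audit WordPress option and usermeta rows for the post-exploitation
indicators described above: open registration defaulting to administrator,
unexpected administrator accounts, and siteurl/home pointing elsewhere.
Added example with constructed data, not code from the original post."""
from __future__ import annotations

import re
from urllib.parse import urlparse

# wp_capabilities is PHP-serialized, e.g. a:1:{s:13:"administrator";b:1;}
# This pattern pulls out each role name whose flag is true.
_ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized: str) -> set[str]:
    """Return the set of role names enabled in a serialized wp_capabilities value."""
    return set(_ROLE_RE.findall(serialized))


def _host(url: str) -> str:
    return urlparse(url).netloc.lower()


def audit_options(options: dict[str, str], expected_site_url: str) -> list[str]:
    """Flag registration settings and URL options that match the infection pattern."""
    findings: list[str] = []
    if options.get("users_can_register") == "1":
        findings.append("users_can_register is enabled")
    if options.get("default_role") == "administrator":
        findings.append("default_role is administrator")
    for key in ("siteurl", "home"):
        value = options.get(key, "")
        # Compare the host component, so "www.example.com.evil.invalid" is caught too.
        if _host(value) != _host(expected_site_url):
            findings.append(f"{key} points to unexpected host: {value}")
    return findings


def audit_admins(usermeta: list[tuple[str, str]], known_admins: set[str]) -> list[str]:
    """Flag any administrator account that is not on the allow-list of known admins."""
    findings: list[str] = []
    for login, caps in usermeta:
        if "administrator" in roles_from_capabilities(caps) and login not in known_admins:
            findings.append(f"unexpected administrator account: {login}")
    return findings


# Constructed sample rows, shaped like the relevant wp_options / wp_usermeta data.
SAMPLE_OPTIONS = {
    "users_can_register": "1",
    "default_role": "administrator",
    "siteurl": "https://redirect.attacker.invalid",  # placeholder, not a real IoC
    "home": "https://www.example.com",
}
SAMPLE_USERMETA = [
    ("owner", 'a:1:{s:13:"administrator";b:1;}'),
    ("wp_support_x", 'a:1:{s:13:"administrator";b:1;}'),  # constructed rogue admin
    ("reader", 'a:1:{s:10:"subscriber";b:1;}'),
]
EXPECTED_SITE_URL = "https://www.example.com"
KNOWN_ADMINS = {"owner"}


def run_audit() -> list[str]:
    """Combine both checks on the constructed sample; returns every finding."""
    return audit_options(SAMPLE_OPTIONS, EXPECTED_SITE_URL) + audit_admins(
        SAMPLE_USERMETA, KNOWN_ADMINS
    )


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

On a live site the same checks map onto a few queries against wp_options (option_name in users_can_register, default_role, siteurl, home) and wp_usermeta (meta_key = wp_capabilities joined to wp_users for the login); a clean site returns no findings from either function.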