WP3.XYZ Malware Hijacks 5,000+ WordPress Sites with Rogue Admins

by | Jan 15, 2025 | News

WP3.XYZ Malware Hijacks 5,000+ WordPress Sites with Rogue Admins

Post Views: 319




Join our Patreon Channel and Gain access to 70+ Exclusive Walkthrough Videos.

Patreon
Reading Time: 3 Minutes

A newly discovered malware campaign has compromised over 5,000 WordPress sites using WP3.XYZ malware, creating rogue admin accounts, installing malicious plugins, and exfiltrating sensitive data.

Malware Activity Overview

Researchers at web security firm c/side identified the campaign during an incident response investigation for a client. The attacks center around the malicious domain wp3[.]xyz, used to deploy scripts and exfiltrate data.

Key Steps in the Attack

  1. Rogue Admin Account Creation

    • A malicious script loaded from wp3[.]xyz creates an admin account named wpx_admin.
    • Credentials for this account are hard-coded in the malware script.
     

    Creating a rogue admin accountCreating a rogue admin account
    Source: c/side

  2. Malicious Plugin Deployment

    • The script downloads and activates a plugin named plugin.php from the same domain.
    • This plugin collects sensitive data such as administrator credentials and activity logs.
    • Data exfiltration is disguised as image requests to evade detection.

  3. Verification Mechanism

    • The malware verifies successful creation of the rogue admin account and plugin installation, logging the operation status for attackers.
 

See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses




Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.

Mitigation and Protection Strategies

To protect WordPress sites from this malware campaign, c/side recommends the following actions:

  1. Block Malicious Domains
    • Use firewalls or security tools to block access to wp3[.]xyz and other known malicious domains.
  2. Audit User Accounts and Plugins
    • Regularly review privileged accounts to identify and remove unauthorized users like wpx_admin.
    • Examine installed plugins and delete any unauthorized or suspicious entries.
  3. Enhance Cross-Site Request Forgery (CSRF) Protections
    • Implement unique token generation for requests.
    • Enable server-side validation of tokens.
    • Use periodic regeneration of tokens with short expiration times to reduce their effectiveness if stolen.
  4. Strengthen Authentication
    • Enable multi-factor authentication (MFA) for administrator accounts to reduce the risk of credential-based attacks.

Trending: NIS2 Directive: A Strategic Blueprint for Cyber Security and the Importance of Pentesting




Trending: Offensive Security Tool: XSRFProbe

Additional Recommendations

  • Keep WordPress installations and plugins updated to patch known vulnerabilities.
  • Monitor server logs for unusual activity, including unexpected image requests.
  • Conduct regular security assessments to identify and mitigate weak points in your website’s infrastructure.

Trending: New Mirai-Based Botnet Exploits Zero-Day Vulnerabilities in Industrial and Smart Devices

Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link

Merch

Recent News

EXPLORE OUR STORE

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

Join our Community

Share This