Some WordPress sites have been targeted by a curious piece of malware: an unknown strain that runs on Linux operating systems and exploits flaws in well over 24 plugins and themes to compromise vulnerable systems.

How does this curious Linux malware that targets WordPress behave and what security problems can it cause?

“If the sites use outdated versions of those add-ons, lacking crucial fixes, the web pages in question are [subsequently] injected with malicious JavaScript [code],” said the well-known Russian cybersecurity site Doctor Web in a report released last week. “As a result, when users click on any area of an attacked page, they are redirected to other sites.”

The attacks involve a number of known security vulnerabilities in 19 different plugins and themes that are quite common on WordPress sites. These are then used to deploy a tool that can target a specific website and spread like wildfire to other sites as well (not necessarily ones running the well-known blog platform).

This mechanism is also capable of injecting JavaScript code retrieved from a remote server to redirect site visitors to a malicious website chosen by potential cyber criminals.

Doctor Web said it has identified a second version of the backdoor, which uses a new command and control (C2) domain and an updated list of defects involving as many as 11 additional WordPress plugins, bringing the total to 30.

The list of WordPress plugins targeted by this malware (with their English-language names) is as follows:

It appears that both detected variants of the malware include an unimplemented method to brute-force WordPress admin accounts, although it is not clear whether this is a remnant of a previous version or a feature that has yet to be found in the source code.

The advice for WordPress users is to keep all platform components up to date, including third-party add-ons and themes. We also recommend that you use secure, unique logins and passwords to protect your accounts.

The disclosure of this malware comes weeks after Fortinet FortiGuard Labs detailed another botnet called GoTrim, which was designed to force its way into self-hosted websites using the WordPress content management system (CMS) in order to take over the targeted systems.

Last month, Sucuri reported that more than 15,000 WordPress sites were hacked as part of a series of attacks aimed at redirecting visitors to fake question-and-answer portals; the number of active infections is currently 9,314 (the sites can be seen in this list).

Security firm GoDaddy also shared information in June 2022 about a traffic direction system (TDS) known as Parrot, which has been seen targeting WordPress sites with unauthorized JavaScript code that drops additional malware on compromised systems.

Don’t worry, don’t be alarmed

If you’re a user who switched to some Linux distribution (Linux Lite, ZorinOS, etc.) to “not have the problems you have on Windows”, don’t panic: it is difficult for this thing to get to you.

Remember that, if you fear repercussions, the most common browsers let you disable JavaScript. Of course, it is enough to do so only when you access WordPress (or related sites), and some content will not work perfectly, but it’s a temporary thing that will fix itself quickly.