WordPress sites targeted by malicious plugin disguised as security tool
Date:
Mon, 05 May 2025 11:24:00 +0000
Description:
AI used to help create a very realistic-looking threat.
FULL STORY ======================================================================
Wordfence researchers uncover a new piece of WordPress malware
Threat actors used AI to create legitimate-looking tools
The malware pretends to be an anti-malware product
Security researchers have discovered a piece of WordPress malware pretending to be an antimalware solution. In late April, Marko Wotschka from the Wordfence team published a new blog post detailing an interesting WordPress malware: it appears in the file system as a normal WordPress plugin, often with the name WP-antymalwary-bot.php.
While inconspicuous at first glance, the plugin was found to contain several functions that allow attackers to persist on the target website, hide the plugin from the dashboard, and remotely execute code.
Pinging functionality that can report back to a Command & Control (C&C) server is also included, as is code that helps spread malware into other directories and inject malicious JavaScript responsible for serving ads, Wotschka explained.
Compromised hosting accounts
Wordfence first came across the malicious plugin during a January 2025 site cleanup, where they found a modified wp-cron.php file.
That file created and programmatically activated the malware, which was also found under the names addons.php, wpconsole.php, wp-performance-booster.php, and scr.php.
If the website admin deletes the plugin, the modified wp-cron.php recreates and reactivates it automatically.
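As an added illustration (not code from the article or from Wordfence), a small Python scanner for the two indicators the story names: plugin files carrying the reported filenames, and a wp-cron.php that writes files or activates plugins. The file-write/activation heuristic and the sample tree it scans are assumptions constructed for this example.

```python
import tempfile
import re
from pathlib import Path

# Plugin filenames the Wordfence write-up ties to this malware (names from the article,
# matched case-insensitively so WP-antymalwary-bot.php is caught too).
SUSPECT_NAMES = {"wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
                 "wp-performance-booster.php", "scr.php"}

# Heuristic (an assumption, not from the article): a stock wp-cron.php never writes
# files or activates plugins, so these calls inside it are a persistence red flag.
CRON_PATTERNS = [re.compile(r"\bactivate_plugin\s*\("), re.compile(r"\bfile_put_contents\s*\(")]

def scan_wordpress(root):
    """Return (kind, path, detail) findings for the WordPress tree rooted at `root`."""
    root, findings = Path(root), []
    plugins = root / "wp-content" / "plugins"
    for p in (plugins.rglob("*.php") if plugins.is_dir() else []):
        if p.name.lower() in SUSPECT_NAMES:
            findings.append(("suspect_plugin_name", str(p.relative_to(root)), p.name))
    cron = root / "wp-cron.php"
    if cron.is_file():
        text = cron.read_text(errors="replace")
        for pat in CRON_PATTERNS:
            if pat.search(text):
                findings.append(("wp-cron_persistence", "wp-cron.php", pat.pattern))
        for name in sorted(SUSPECT_NAMES):
            if name in text.lower():
                findings.append(("wp-cron_references_plugin", "wp-cron.php", name))
    return findings

def build_sample_site(base, infected):
    """Construct a tiny fake WordPress tree; the 'infected' variant only mimics the
    recreate-and-reactivate hook the article describes and does nothing itself."""
    base = Path(base)
    (base / "wp-content" / "plugins" / "akismet").mkdir(parents=True)
    (base / "wp-content" / "plugins" / "akismet" / "akismet.php").write_text("<?php // legit\n")
    cron = "<?php\n// constructed stand-in for the stock cron runner\n"
    if infected:
        (base / "wp-content" / "plugins" / "wp-performance-booster.php").write_text("<?php // placeholder\n")
        cron += ("if (!file_exists('wp-content/plugins/wp-performance-booster.php')) {\n"
                 "    file_put_contents('wp-content/plugins/wp-performance-booster.php', $src);\n"
                 "    activate_plugin('wp-performance-booster.php');\n}\n")
    (base / "wp-cron.php").write_text(cron)
    return base

def demo(infected=True):
    """Build a sample tree in a temp dir and scan it; returns the findings list."""
    return scan_wordpress(build_sample_site(tempfile.mkdtemp(), infected))
```

Running `demo()` flags the suspect plugin filename and both wp-cron.php indicators; pointing `scan_wordpress()` at a real document root is the intended use, with a stock-file hash comparison of wp-cron.php as the follow-up check.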
Wordfence couldn't determine who the threat actors behind the attacks are, or how they managed to compromise these websites.
There were no logs to analyze, which is why the researchers speculated that the infection happened either via a compromised hosting account, or FTP credentials. They also managed to determine that the C2 server is located in Cyprus, and that a similar attack was already seen back in June 2024.
Another thing that makes this malware interesting - as Wordfence put it - is the apparent use of Generative Artificial Intelligence (AI) in code writing.
It's not the use of AI per se that's interesting, but rather the fact that AI helps threat actors create more legitimate-appearing malware.
Via BleepingComputer
======================================================================
Link to news story:
https://www.techradar.com/pro/security/wordpress-sites-targeted-by-malicious-plugin-disguised-as-a-security-tool
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)