The threatening actors use the MU-planning catalog on WordPress websites to hide the malicious code to maintain permanent remote access and redirect site visitors to fake sites.
Mu-meline shortened for Required plugsrefers to plugins in a special directory (“WP-Content/Mu-Plugins”), which are automatically performed by WordPress without having to turn them clearly through the administrator’s dashboard. It also makes the catalog the perfect place for malware.
“This approach is a tendency because the MU-Plane (the plugin of the compulsory use) is not made in the standard WordPress plugin interface, making them less noticeable and easier to ignore during the usual security checks,”-Puja Susour Susour Srivastava – Note In the analysis.
In the incidents analyzed by the site security company, three different types of PHP Rogue PHP –
- “WP-Content/Mu-Plugins/Refirect.php”, which redirects site visitors to external harmful site
- “WP-Content/Mu-Plugins/Index.php”, which offers a functionality similar to a web barrel Located on GitHub
- “WP-Content/Mu-Plugins/Custom-js- Loader.php”, which introduces an unwanted spam on the infected website, probably to promote scrap or manipulate SEO ratings by replacing all the images on the obvious content and stealing the weekend links to the malicious sites
“Redirect.php,” Sukur said, disguised as an update web browser to trick the victims to install malicious software that can steal data or give up additional useful loads.
“The scenario includes a function that determines whether the current visitor is a bot,” Schrevostava explained. “This allows the scripts to exclude the search engine expanses and prevent them from detecting redirect behavior.”
Development comes when there is a threat continuation relate infected WordPress sites As a base for deception of the site visitors to execute malicious PowerShell commands on their Windows computers under the guise of Google Recaptcha or Cloudflare CAPTCHA Verification – A – A – A – A – A – A – A – A – A – A – A – A – A – A – common tactics called Clickfix – And deliver malicious software for theft of Lumma.
Also used hacked WordPress sites Redirect visitors to unwanted third domains either act like a skimer For the siphon financial information was introduced on the pages of the box office.
Currently, it is unknown how the sites may be broken, but ordinary suspects are vulnerable plugins or topics, violated administrator credentials and the wrong server configurations.
According to the new Patchstack report, the threatening subjects regularly exploited Four different security vulnerabilities since the beginning of the year –
- CVE -2024-27956 (CVSS Assessment: 9.9) – Invalid arbitrary vulnerability of SQL in Automatic Plugin WordPress – AI content generator and automatic poster plugin
- CVE- 2024-25600 (CVSS Assessment: 10.0)- Invalid Vulneration of the Remote Code in Brick
- CVE-2024-8353 (CVSS Assessment: 10.0) —NeSauted PHP facility for remote vulnerability code in Givewp plugins
- CE-2024-4345 (CVSS Assessment: 10.0) -Nid arbitrary vulnerability file in Adlynor Addons Addons for WordPress for WordPress
To mitigate the risks provided by these threats, it is important that WordPress owners support plugins and topics, regularly auditing the code for malware, retain strong passwords and deploy the web supplies for malicious requests and prevent code injections.
