In the attacks, a list of 19 different plugins and themes with known security flaws are weaponized and used to launch an implant that can target a specific website in order to increase the network's reach.
"If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts […] As a result, when users click on any area of an attacked page, they are redirected to other sites," says Russian security vendor Doctor Web, in a report published last week.
Additionally, Doctor Web says that it has identified a new version of the backdoor, that apparently uses a new command-and-control (C2) domain, along with an updated list of vulnerabilities over 11 additional plugins, taking this total to 30.
While it is still unclear if the second version is a remnant from the earlier version or a functionality that is yet to be enabled, both variants includes an unimplemented method for brute-forcing WordPress administrator accounts.
"If such an option is implemented in newer versions of the backdoor, cybercriminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities," the company said.
Moreover, WordPress users are advised to keep all the components of the platforms updated, along with third-party add-ons and themes. It is recommended to use robust and unique logins and passwords in order to protect their accounts.
