A cyber-criminal has hidden the code for a PHP backdoor inside the source code of a WordPress plugin masquerading as a security tool named “X-WP-SPAM-SHIELD-PRO.”
The attacker was obviously trying to leverage on the reputation of a legitimate and highly popular WordPress plugin called “WP-SpamShield Anti-Spam,” a popular anti-spam tool for self-hosted WordPress sites.
Instead, users who downloaded X-WP-SPAM-SHIELD-PRO got a nasty surprise in the form of a backdoor that allowed the attacker to create his own admin account on the site, upload files on the victim’s servers, disable all plugins, and more.
Security-focused plugin delivers nasty backdoor
All of the malicious behavior was spread across the fake plugin’s files. For example:
class-term-metabox-formatter.php – sends the user’s WordPress version to the attacker.
class-admin-user-profile.php – sends a list of all WordPress admin users to the attacker.
plugin-header.php – adds an additional admin user named mw01main.
wp-spam-shield-pro.php – pings the hacker’s server located at mainwall.org, letting the attacker know when a new user installed the fake plugin. The data this file sends over includes user, password, infected site URL, and server IP address.
This latter file also includes code to allow the attacker to upload a ZIP archive on the victim’s site, unzip it, and then run the files within.
At the time security researchers found the malicious plugin, the ZIP file offered for download was corrupted, but experts believe the attacker was deploying a tainted version of the well-known All In One SEO Pack WordPress plugin.
Be careful what you’re installing on your WP site
According to Sucuri, the cyber-security company that discovered X-WP-SPAM-SHIELD-PRO, the plugin never made it on the official WordPress Plugins repository, being made available through other sources.
Overall, the plugin lures users worrying about their site’s security, but in reality, it’s their downfall.
Just like with the Google Play Store, the Apple App Store, and other official stores, WordPress users are advised to install free plugins from the official plugin repository only. While the WordPress Plugins repository and its admins are far from perfect, the plugins offered for download are usually patrolled by the community, who often detects and reports most of these threats in time.[“Source-bleepingcomputer”]