Malware Masquerades as Antivirus Plugin to Stealthily Compromise WordPress Sites

Friday, May 2, 2025

Security researchers from Wordfence have uncovered a malware campaign that targets WordPress websites by disguising itself as a legitimate anti-malware plugin. The malware installs itself under deceptive filenames such as WP-antymalwary-bot[.]php or addons[.]php and gives the attackers remote control of infected sites. It hides itself from the WordPress admin dashboard and injects malicious JavaScript that displays unauthorized advertisements to site visitors.

Technical analysis shows that the malware uses several persistence mechanisms, including a modified copy of WordPress's own wp-cron[.]php file that reinstalls the malware even after the plugin is deleted. It also accepts an emergency_login request parameter that lets attackers authenticate with a secret password, bypassing normal login, and it registers a REST API route through which attackers can execute arbitrary PHP code. Furthermore, it uses a hide_plugin_from_list function to conceal itself from the plugin list in the backend. The malware communicates with a remote command-and-control (C&C) server and injects ads by fetching code from an ads[.]php file hosted on an attacker-controlled server.
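The indicators above (the two filenames, the emergency_login parameter, the hide_plugin_from_list function, a REST route wired to code execution, and a wp-cron[.]php that writes files) can be turned into a simple triage scan of a WordPress install. The following scanner is an added example written for this summary; it is not Wordfence's signature or the hackread article's code, and its regexes, severity rules and the sample file tree are my own assumptions. Hiding a plugin from the dashboard is done in WordPress through the `all_plugins` filter, so the scanner also looks for that hook, and because the hiding happens in the dashboard, it reads the plugins directory from disk rather than asking WordPress.

```python
"""Heuristic indicator scan for the fake anti-malware plugin described above.

Added example, not code from Wordfence or hackread. Walks a WordPress tree
(or an in-memory dict of relative path -> contents, used for the constructed
sample below) and flags the indicators named in the article. All patterns and
severities are assumptions, not extracted signatures.
"""
from __future__ import annotations

import os
import re
import sys
from dataclasses import dataclass
from pathlib import PurePosixPath

# Filenames named in the article (case-insensitive). A name alone is a weak
# signal: plenty of legitimate plugins ship an addons.php.
SUSPICIOUS_NAMES = {"wp-antymalwary-bot.php", "addons.php"}

# Content indicators (label, regex). Assumed from the described behaviour.
CONTENT_PATTERNS = [
    ("emergency_login_backdoor", re.compile(r"emergency_login")),
    ("hide_plugin_from_list", re.compile(r"hide_plugin_from_list")),
    # WordPress' hook for filtering what the plugin list shows.
    ("all_plugins_filter", re.compile(r"add_filter\(\s*['\"]all_plugins['\"]")),
]
# A REST route registered in the same file as a code-execution primitive.
REST_ROUTE = re.compile(r"register_rest_route\(")
CODE_EXEC = re.compile(r"\b(eval|system|shell_exec|passthru|exec|assert)\s*\(")
# Core wp-cron.php never writes files; these calls mean it has been tampered with.
CRON_WRITERS = re.compile(r"\b(file_put_contents|copy|fwrite|base64_decode)\s*\(")


@dataclass(frozen=True)
class Finding:
    path: str       # install-relative POSIX path
    indicator: str  # label of the matched indicator


def scan_file(path: str, content: str) -> list[Finding]:
    """Return all indicators matched by one file."""
    findings: list[Finding] = []
    p = PurePosixPath(path)
    if p.name.lower() in SUSPICIOUS_NAMES and "wp-content/plugins" in path:
        findings.append(Finding(path, "suspicious_filename"))
    for label, rx in CONTENT_PATTERNS:
        if rx.search(content):
            findings.append(Finding(path, label))
    if REST_ROUTE.search(content) and CODE_EXEC.search(content):
        findings.append(Finding(path, "rest_route_with_code_exec"))
    # wp-cron.php at the install root (len(parts) == 1) must not write files.
    if p.name == "wp-cron.php" and len(p.parts) == 1 and CRON_WRITERS.search(content):
        findings.append(Finding(path, "wp_cron_writes_files"))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of relative path -> file contents."""
    return [f for path, content in sorted(files.items()) for f in scan_file(path, content)]


def triage(findings: list[Finding]) -> dict[str, dict]:
    """Group findings per file; any content indicator makes the file 'high',
    a suspicious filename on its own is only 'low' (assumed severity rule)."""
    out: dict[str, dict] = {}
    for f in findings:
        entry = out.setdefault(f.path, {"indicators": [], "severity": "low"})
        entry["indicators"].append(f.indicator)
        if f.indicator != "suspicious_filename":
            entry["severity"] = "high"
    for entry in out.values():
        entry["indicators"].sort()
    return out


def scan_directory(root: str) -> list[Finding]:
    """Read every .php file under a real WordPress root and scan it."""
    files: dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    files[rel] = fh.read()
    return scan_tree(files)


# Constructed sample tree (not real malware): one clean plugin, one fake
# anti-malware plugin, a tampered wp-cron.php and a benign file named addons.php.
SAMPLE_TREE = {
    "wp-content/plugins/akismet/akismet.php":
        "<?php\n/* Plugin Name: Akismet */\nadd_action('init', 'akismet_init');\n",
    "wp-content/plugins/WP-antymalwary-bot.php": (
        "<?php\n/* Plugin Name: WP Anti-Malware Bot */\n"
        "function hide_plugin_from_list($plugins) { unset($plugins['WP-antymalwary-bot.php']); return $plugins; }\n"
        "add_filter('all_plugins', 'hide_plugin_from_list');\n"
        "if (isset($_GET['emergency_login'])) { /* backdoor body omitted in this constructed sample */ }\n"
        "add_action('rest_api_init', function () {\n"
        "  register_rest_route('x/v1', '/run', ['callback' => function ($r) { eval($r['code']); }]);\n"
        "});\n"
    ),
    "wp-cron.php": (
        "<?php\nif (!file_exists(__DIR__ . '/wp-content/plugins/addons.php')) {\n"
        "  copy($backup, __DIR__ . '/wp-content/plugins/addons.php');\n}\n"
    ),
    "wp-content/plugins/foo/addons.php": "<?php // legitimate add-on registry for plugin foo\n",
}

if __name__ == "__main__":
    found = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_tree(SAMPLE_TREE)
    for path, entry in triage(found).items():
        print(f"{entry['severity']:4} {path}: {', '.join(entry['indicators'])}")
```

Run it as `python scan.py /var/www/html` against a real install, or with no argument to see the constructed sample: the fake plugin and the tampered wp-cron.php come out as high, the benign addons.php as low, and Akismet is not reported. For core files such as wp-cron[.]php the authoritative check is a comparison against known-good copies (for example `wp core verify-checksums` with WP-CLI); the regex here is only a fast first pass.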

Wordfence first detected the malware on January 22, 2025, during a site cleanup for a client and promptly released detection signatures, which remain effective against the new variants that have since emerged. A firewall rule blocking the threat was released to premium users on April 23, 2025, with free users scheduled to receive it on May 23, 2025. Wordfence urges site administrators to regularly audit installed plugins, use reputable security tools, and keep systems updated to defend against increasingly sophisticated attacks like this one. Because this plugin hides itself from the dashboard, that audit should be done against the wp-content/plugins directory on disk, with core files such as wp-cron[.]php compared to known-good copies, not just against the admin plugin list.

Source: https://hackread.com/wordpress-malware-disguised-as-anti-malware-plugin/