WordPress plugins are typically used to provide webmasters with additional functionality for their websites. However, what they might not know is that some of these plugins may contain a hidden cryptocurrency mining exploit.
Researchers at website security and threat detection company Sucuri have detected several WordPress plugins that contain functions that are used to secretly mine cryptocurrency on affected machines.
Copy, Paste, Repeat
According to Sucuri researchers, these plugins pose as several popular WordPress plugins, cloning their features while adding functionality that lets the plugin change permissions on the underlying server and execute a Linux binary via the eval function.
By doing this, the attacker is essentially able to secretly run code on the server, including a cryptocurrency miner binary file known as ‘Multios.Coinminer.Miner-6781728-2.’ Once the Multios crypto miner has been executed on the target system, it will then operate silently in the background, using up server resources to surreptitiously mine cryptocurrencies which are funneled back to the attacker.
By copying the code of popular pre-existing plugins and combining it with an already known crypto mining binary, the attacker is able to cover much more ground, producing potentially endless combinations of infected plugins and exploits. Because of this, infected machines could be used for much more than just cryptocurrency mining, such as mail spamming, DDoS and brute-force attacks.
Sucuri also found that this particular malicious plugin is a copy of version 1.16.16 of UpdraftPlus, a WordPress plugin used to simplify backups and restorations. Two commonly detected variants of the malicious plugin are known as ‘initiatorseo’ or ‘updrat123’.
Unfortunately, simply removing the plugin typically does not resolve the attack, since only the original plugin installation files will be removed, leaving the malicious binary in place. Instead, webmasters will need to ensure they perform regular server-side security scans to detect any unauthorized code and maintain proper control over access permissions.
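The server-side check described above, as an added example that is not from the article or from Sucuri: it walks a WordPress plugins directory and flags the traits the piece describes (PHP files calling eval, chmod or similar, and executable or ELF files dropped inside a plugin tree). The heuristics and the sample plugin tree are constructed for illustration; the look-alike directory name comes from the article.

```python
"""Added example (not the article's or Sucuri's code): a minimal server-side scan of
a WordPress plugins directory for eval-style loaders and dropped binaries."""
import os
import re
import stat
import tempfile

# PHP constructs that merit manual review in a plugin (constructed heuristics, not Sucuri's signatures).
SUSPICIOUS_PHP = re.compile(rb"\b(eval|shell_exec|passthru|proc_open|chmod|base64_decode)\s*\(", re.I)
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def scan_plugins(plugins_dir):
    """Return sorted (relative_path, reason) pairs for files that merit manual review."""
    findings = []
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, plugins_dir)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # symlinks and special files are out of scope here
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if mode & EXEC_BITS:
                findings.append((rel, "executable bit set"))  # plugin files are read by PHP, never executed
            with open(path, "rb") as fh:
                head = fh.read(65536)
            if head.startswith(b"\x7fELF"):
                findings.append((rel, "ELF binary inside plugin tree"))
            elif name.endswith(".php"):
                hits = sorted({m.group(1).lower().decode() for m in SUSPICIOUS_PHP.finditer(head)})
                if hits:
                    findings.append((rel, "calls " + ", ".join(hits)))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed plugins directory: one benign plugin and one look-alike clone."""
    base = tempfile.mkdtemp(prefix="wp-plugins-")
    benign, clone = os.path.join(base, "hello-dolly"), os.path.join(base, "updrat123", ".cache")
    os.makedirs(benign)
    os.makedirs(clone)
    with open(os.path.join(benign, "hello.php"), "w") as fh:
        fh.write("<?php add_action('admin_notices', 'hello_dolly'); ?>")
    with open(os.path.join(base, "updrat123", "loader.php"), "w") as fh:  # constructed loader
        fh.write("<?php eval(base64_decode($cfg)); chmod('.cache/mn', 0755); ?>")
    with open(os.path.join(clone, "mn"), "wb") as fh:
        fh.write(b"\x7fELF" + b"\0" * 60)  # constructed stand-in for a dropped binary
    for p in (os.path.join(benign, "hello.php"), os.path.join(base, "updrat123", "loader.php")):
        os.chmod(p, 0o644)
    os.chmod(os.path.join(clone, "mn"), 0o755)
    return base


if __name__ == "__main__":
    for rel, reason in scan_plugins(build_sample_tree()):
        print(f"{rel}: {reason}")
```

Running it against a real installation means pointing `scan_plugins` at `wp-content/plugins`; findings are leads for review, not verdicts, since some legitimate plugins also call the listed functions.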
WordPress users should ensure that they are running a capable web application firewall on their server; they can also use Sucuri’s own ‘Sucuri Scanner’ WordPress plugin to help maintain the integrity of their server.
This now adds WordPress to the growing list of platforms that have been targeted by malicious parties looking to steal resources for the purposes of mining cryptocurrencies. Just days ago, BeInCrypto also reported that hackers have now turned to exploiting WAV files for deploying cryptojacking code—is there nowhere safe?
What do you think is the best way to deal with the rise in cryptojacking attempts? Let us know your thoughts in the comments below.
Images are courtesy of Shutterstock.