Malicious WordPress Plugin Creates Hidden Admin Backdoor Leveraging Legitimate Plugin Elements

• Malicious WordPress plugins were seen leveraging hidden WordPress administrator accounts to create backdoors.
• These masqueraded as valid tools, replicating legitimate plugin elements to avoid detection.
• Attackers included outdated WordPress functions to help it work across various site versions.

A case where a fake plugin, named php-ini.php, was used to create a backdoor via a hidden admin user account came to light in a recent malware investigation by Sucuri, presented in a new report.

The attackers exploited a single-file plugin disguised as a valid tool, copying elements from legitimate plugins to evade detection. They employed a core WordPress hook, add_action(), to conditionally execute their malicious code. 

When called through a specific URL parameter, this plugin created an administrator account, granting attackers full access to the impacted site.

Interestingly, the attackers included outdated WordPress functions to maximize compatibility across various versions of sites. 

Despite the severity of potential damage, the execution was careless, with obvious naming errors and lack of measures to conceal the plugin further, indicating a relatively unsophisticated attempt.

Spotting the malware required analyzing the suspicious plugin file and identifying the hidden user. Removing the compromised plugin and deleting the admin account resolved the issue in this case. 

However, its presence raised questions about whether the plugin was uploaded via compromised FTP/sFTP credentials or admin-level WordPress access.

To safeguard against these types of attacks, administrators are advised to monitor plugin installations, strengthen access controls, review admin accounts, and utilize a firewall.