FISA

Source: The Hacker News Imagine installing a plugin that promises to protect your WordPress site, only to find out later that it left the door wide open for attackers. That’s exactly what’s been happening in a recent malware campaign where a fake WordPress security plugin is acting more like a saboteur than a shield. Researchers have uncovered a plugin going by the name wp-antymalwary-bot.php , posing as a security solution while silently handing over admin access to threat actors. Once installed, it injects a stealthy backdoor into the site, letting attackers execute remote commands and manipulate content without raising any red flags. It’s a slick operation. Nothing shows up in the admin panel, and the plugin re-installs itself even after deletion, using a tampered wp-cron.php file as its anchor. Under the Hood T he attackers aren’t just brute-forcing their way in, they’ve baked persistence into the plugin itself. Once active, the malware uses a function called emergency_login_all_a...

A new malware campaign is leveraging a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code. According to Sucuri, the campaign has  infected more than 3,900 sites  over the past three weeks. "These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024," security researcher Puja Srivastava  said  in a report dated March 7. Infection sequences involve the exploitation of CVE-2023-6000, a security vulnerability in Popup Builder that could be exploited to create rogue admin users and install arbitrary plugins. The shortcoming was exploited as part of a  Balada Injector campaign  earlier this January, compromising no less than 7,000 sites. The latest set of attacks lead to the injection of malicious code, which comes in two different variants and is designed to redirect site visitors to other sites such as phishing and scam pages. WordPress site owne...