For cybercriminals, gaining access to legitimate websites in order to corrupt them and exploit them for their own ends is a top priority. In this context, the Patchstack team has identified a rather cunning malware campaign targeting the well-known CMS WordPress.
The operation plays on site administrators' fears: it sends them an email claiming that their site is affected by a non-existent Remote Code Execution (RCE) vulnerability, identified as CVE-2023-45124. The attackers then push the recipient to immediately install a supposed patch, presented as coming from the WordPress team, to fix the flaw.
All of this is a fabrication: the plugin offered to protect the site from the vulnerability is itself malware, and it is the plugin that compromises the integrity of the WordPress installation.
The mysterious WordPress patch turns out to be a fearsome backdoor
The link in the email leads to a supposed plugin hosted on a phishing site whose graphics closely mimic the official WordPress.org. As usual in these cases, there is no shortage of fake reviews praising the extension and further pushing the user to download and install it.
According to Patchstack's analysis, the campaign also exploits the names of prominent figures in the WordPress ecosystem, including developers of some standing, to lend the malicious plugin credibility.
Once installed, the add-on downloads a ZIP archive into the site's storage space. The malware then reassures the administrator with the message “CVE-2023-45124 has been patched successfully”. The user is also encouraged to share the patch with other administrators they know.
Once activated, the malware takes control of the site, hiding both itself and an administrator account, thanks to the elevated privileges it obtains. After the infection, the malicious agent sets up a backdoor that, most likely, will be used by the cybercriminals for various purposes in the future. According to the researchers, the abuse could range from the forced insertion of advertisements, in the luckiest case, to database theft (and subsequent extortion) or similar actions.
Anyone who uses this CMS should remember that WordPress never asks users to install patches via email. When a fix is needed, the developers simply release a new version of the platform, which administrators see in the site's dashboard, without distributing links by email. Any download link in an unsolicited message should therefore be treated as suspect, especially when the page it points to merely looks like WordPress.org.
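The phishing site described above works because a look-alike domain passes a casual glance. The following is an added example, written for this page and not code from Patchstack or the WordPress project, showing why a naive "does the link mention wordpress.org" check is not enough and what a strict check of the download host looks like. The sample links are constructed for the illustration; the trusted-domain list is an assumption (wordpress.org and its subdomains) and would need adjusting for a site that installs from its own mirror.

```python
from urllib.parse import urlsplit

# Assumption for this example: official WordPress downloads come from
# wordpress.org or one of its subdomains. A site using a private mirror
# would add that host here.
TRUSTED_DOMAINS = ("wordpress.org",)


def naive_is_official(url: str) -> bool:
    """The weak check many people perform by eye: does the URL contain
    the string wordpress.org anywhere? Look-alike hosts defeat it."""
    return "wordpress.org" in url.lower()


def is_official_download(url: str) -> bool:
    """Strict check: https only, and the parsed hostname must be exactly a
    trusted domain or a subdomain of it (the leading dot enforces the label
    boundary, so 'fake-wordpress.org' does not match)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_links(links):
    """Return {url: (naive_verdict, strict_verdict)} for a batch of links."""
    return {u: (naive_is_official(u), is_official_download(u)) for u in links}


# Constructed sample links as they might appear in a "patch" email.
SAMPLE_LINKS = [
    "https://wordpress.org/plugins/example-plugin/",            # genuine host
    "https://downloads.wordpress.org/plugin/example.1.0.zip",   # genuine subdomain
    "https://fake-wordpress.org/cve-2023-45124-patch.zip",      # look-alike host
    "https://wordpress.org.example/patch.zip",                  # trusted name as a prefix
    "https://wordpress.org@evil.example/patch.zip",             # userinfo trick
    "http://wordpress.org/plugins/example-plugin/",             # plain http, no transport protection
    "https://evil.example/get?next=https://wordpress.org/",     # trusted name in the query
]

if __name__ == "__main__":
    for url, (naive, strict) in classify_links(SAMPLE_LINKS).items():
        print(f"{'OK ' if strict else 'BAD'}  naive={naive!s:5}  {url}")
```

Running the block prints one line per link; only the first two pass the strict check, while the naive string match accepts every one of the seven, including the userinfo trick where the real host is evil.example.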