A cyber-criminal has hidden the code for a PHP backdoor inside the source code of a WordPress plugin masquerading as a security tool named “X-WP-SPAM-SHIELD-PRO.”
The attacker was obviously trying to leverage the reputation of a legitimate and highly popular WordPress plugin called “WP-SpamShield Anti-Spam,” a widely used anti-spam tool for self-hosted WordPress sites.
Instead, users who downloaded X-WP-SPAM-SHIELD-PRO got a nasty surprise in the form of a backdoor that allowed the attacker to create his own admin account on the site, upload files to the victim’s servers, disable all plugins, and more.
Security-focused plugin delivers nasty backdoor
All of the malicious behavior was spread across the fake plugin’s files. For example:
This latter file also includes code that allows the attacker to upload a ZIP archive to the victim’s site, unzip it, and then run the files it contains.
At the time security researchers found the malicious
A free remote access trojan builder kit that was recently observed in various cyber-crime forums secretly contains an injected backdoor module that allows the kit’s authors to take over the malware later, unbeknownst to the attackers wielding it.
According to ThreatLabZ researchers from Zscaler, the malware, dubbed Cobian RAT, is distributed via traditional spam campaigns or compromised websites, and is capable of recruiting affected machines into a malicious botnet. Upon infection, the malware can also log keystrokes, take screen captures, record audio and webcam video, execute shell commands, install and uninstall programs, use dynamic plug-ins, and manage files via a file browser.
However, at any time, the original authors of the RAT builder kit can attack the attackers (aka second-level operators) by commandeering these features as well as all infected systems, using them for their own gains. This is accomplished via the