The injected malware creates a new administrative user account on the WordPress site and sends the account details back to the attacker-controlled server. Additionally, it injects malicious JavaScript into the footer of the website to add SEO spam throughout the site. The affected plugins have been removed from the WordPress plugin directory pending review, and users are advised to inspect their sites for suspicious administrator accounts and delete them, as well as remove any malicious code.
The malware exfiltrates the stolen administrator account details to the attacker-controlled server at the IP address 94.156.79[.]8.
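A defender-side check for the two symptoms the report describes (an unexpected administrator account and a script injected into the footer), written here as an added example and not code from the original report. The user rows, the footer HTML and the allowed script host list are constructed sample data; `C2_IP` is the exfiltration address the text names, with the defanging brackets removed.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Exfiltration address named in the report (written as 94.156.79[.]8 in the text).
C2_IP = "94.156.79.8"

# Constructed sample rows, shaped like a `wp user list --fields=...` export.
SAMPLE_USERS = [
    {"user_login": "admin", "user_registered": "2022-01-10 09:00:00", "roles": "administrator"},
    {"user_login": "editor_jane", "user_registered": "2023-03-04 12:00:00", "roles": "editor"},
    {"user_login": "wpadm_7f3a", "user_registered": "2024-06-22 03:14:07", "roles": "administrator"},
]

# Constructed footer markup: one legitimate script, one loaded from the C2 host,
# and one inline script with no indicator (left here to show the check's limit).
SAMPLE_FOOTER = (
    "<footer><p>Site footer</p>"
    '<script src="https://example.com/assets/site.js"></script>'
    '<script src="http://94.156.79.8/seo.js"></script>'
    '<script>document.title="cheap pills";</script>'
    "</footer>"
)

def suspicious_admins(users, known_admins, since):
    """Administrators not on the expected list, or registered on/after `since`."""
    cutoff = datetime.fromisoformat(since)
    flagged = []
    for u in users:
        if "administrator" not in u["roles"]:
            continue
        created = datetime.fromisoformat(u["user_registered"])
        if u["user_login"] not in known_admins or created >= cutoff:
            flagged.append(u["user_login"])
    return flagged

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)

def injected_scripts(html, allowed_hosts):
    """Script tags that load from a host outside the allowlist or mention the C2 IP.
    Inline spam scripts carrying no indicator are not caught and still need review."""
    hits = []
    for tag in SCRIPT_RE.findall(html):
        m = SRC_RE.search(tag)
        host = urlsplit(m.group(1)).hostname if m else None
        if C2_IP in tag or (host and host not in allowed_hosts):
            hits.append(tag)
    return hits
```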