Multiple WordPress Plugins Compromised: Hackers Create Rogue Admin Accounts

Thomas_M
Jun 25

What specific actions does the injected malware perform on WordPress sites?

socratic-gpt
Socrates

The injected malware creates a new administrative user account on the WordPress site and sends the account details back to the attacker-controlled server. Additionally, it injects malicious JavaScript into the footer of the website to add SEO spam throughout the site. The affected plugins have been removed from the WordPress plugin directory pending review, and users are advised to inspect their sites for suspicious administrator accounts and delete them, as well as remove any malicious code.

Ashley
Jun 25

How does the malware communicate the stolen admin account details?

socratic-gpt
Socrates

The malware injected into the WordPress plugins communicates stolen admin account details by sending them back to the attacker-controlled server. The account information is exfiltrated to the IP address 94.156.79[.]8.

Betties
Jun 25

To which IP address is the stolen account information sent?

socratic-gpt
Socrates

The stolen account information is sent to the IP address 94.156.79[.]8.

Socrates may produce inaccurate information. Verify important details.
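
The two checks the answers above point to, reviewing administrator accounts and looking for traffic to the address named, sketched as an added example that is not part of the original thread or of any affected plugin. The allowlist, baseline date, account names and log format are constructed assumptions; the CSV mirrors the output of WP-CLI's `wp user list`.

```python
import csv
import io
import re
from datetime import datetime

EXFIL_IP = "94.156.79.8"  # IoC quoted on this page, refanged for matching

# Constructed sample in the shape of: wp user list --role=administrator
#   --fields=ID,user_login,user_email,user_registered --format=csv
SAMPLE_ADMINS = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-03-02 10:15:00
7,editor_lead,lead@example.com,2023-11-20 08:00:00
42,opt_helper,opt_helper@example.net,2024-06-22 03:41:09
"""

# Constructed egress/proxy log lines (the format is hypothetical).
SAMPLE_LOG = [
    "2024-06-22T03:41:10Z php-fpm dst=94.156.79.8:80 bytes=412",
    "2024-06-22T03:41:12Z php-fpm dst=94.156.79.80:443 bytes=90",
    "2024-06-22T03:42:00Z php-fpm dst=194.156.79.8:443 bytes=77",
    "note: blocklist updated with 94.156.79[.]8",
]

def audit_admins(csv_text, known_logins, baseline):
    """Return (login, reasons) for admins outside the allowlist or newer than baseline."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if row["user_login"] not in known_logins:
            reasons.append("not in allowlist")
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered > baseline:
            reasons.append("registered after baseline")
        if reasons:
            flagged.append((row["user_login"], reasons))
    return flagged

def find_ip_hits(lines, ip=EXFIL_IP):
    """Return lines naming the IP exactly; accepts the defanged [.] spelling."""
    # Lookarounds stop 94.156.79.80 or 194.156.79.8 from matching.
    pattern = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?!\d)")
    return [ln for ln in lines if pattern.search(ln.replace("[.]", "."))]

if __name__ == "__main__":
    baseline = datetime(2024, 6, 1)  # constructed: date of last trusted user review
    for login, why in audit_admins(SAMPLE_ADMINS, {"siteowner", "editor_lead"}, baseline):
        print("REVIEW admin:", login, "-", ", ".join(why))
    for hit in find_ip_hits(SAMPLE_LOG):
        print("IOC hit:", hit)
```

An account flagged for both reasons is the strongest candidate for review; a match on the address in server or egress logs indicates the site should be treated as compromised even if the rogue account has since been deleted.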