Backdoored Captcha Plugin Hits 300,000 WordPress Sites

Yet another plugin was removed from the WordPress repository after a backdoor was added to it following a recent update.

Called “Captcha” and featuring 300,000 active installs at the time it was removed, the plugin was found to have changed ownership several months ago. Initially developed and maintained by BestWebSoft, it was owned by an unnamed developer at the time the backdoor was added.

Through an update on December 4, code designed to trigger an automatic update process and download a ZIP file from the simplywordpress[.]net domain was added to the plugin. The archive would extract and install itself over the copy of the Captcha plugin already running on the site.

Inside the ZIP archive, a file called plugin-update.php, which was found to be the backdoor, was included, in addition to small changes to the plugin itself. The file would grant the author unauthorized administrative access to the WordPress websites using the plugin.

The backdoor was designed to create a session with user ID 1 (the default admin user WordPress creates at install), to set authentication cookies, and delete itself. Because the backdoor’s installation code was unauthenticated, anyone could trigger it, Wordfence reports.

The ZIP file also triggered a further update from the same URL, using the same process that installed the backdoor, only this time to remove all traces of the malicious code.

The simplywordpress[.]net domain hosting the ZIP file is registered to a Stacy Wellington ([email protected]), who apparently has registered a large number of other domains as well. One of the domains is unsecuredloans4u[.]co[.]uk, which is linked to Mason Soiza, an individual previously associated with similarly backdoored WordPress plugins.

“[Soiza] has a long history of buying WordPress plugins in order to place cloaked backlinks on his users’ sites. He then uses these backlinks to increase page rank in SERPs (Search Engine Results Pages) since only web crawlers such as Googlebot can read them,” Wordfence explains.

The individual buys plugins and, after a few months, adds backdoor code to them to create cloaked backlinks to his own loan sites and boost their rankings for different search terms.

simplywordpress[.]net also hosts the backdoored plugins Covert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange.

Looking at the website’s DNS history, Wordfence discovered a previous A-record of 195.154.179.176, which is the current A-record for unsecuredloans4u[.]co[.]uk, Mason Soiza’s domain. The same IP address is also used to host pingloans[.]co[.]uk, a site registered to Serpable Ltd, which is owned by a Charlotte Ann Wellington.

By digging deeper, Wordfence also discovered that both Wellingtons and Mason Soiza are linked to a Quint Group Limited. Stacy Wellington mentions working for Serpable, which is (or was previously) an SEO company and also “is an Introducer Appointed Representative of Quint Group Limited.”

“However, at this time, it’s unclear if either Charlotte or Stacy Wellington is the creator of the backdoor code we discovered in the Captcha plugin,” Wordfence notes.

Given the strong correlation between Stacy Wellington, simplywordpress[.]net, and heyrank[.]co[.]uk (another domain hosted on 195.154.179.176 and registered to the individual), the researchers suggest that wpdevmgr2678, the new owner of the Captcha plugin, could be Stacy Wellington.

Wordfence and the WordPress.org plugins team released a patched version of Captcha (v4.4.5) that no longer includes the backdoor. The automatic update mechanism was used to upgrade all backdoored versions (4.3.6 – 4.4.4) to the new one, and over 100,000 sites running the backdoored versions were upgraded over the weekend.
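A site operator who wants to confirm the cleanup took hold can check the plugins directory for the two indicators this report gives: a Captcha install whose header version still falls in 4.3.6 – 4.4.4, and a leftover plugin-update.php file. The script below is an added example, not Wordfence's or WordPress.org's code; it assumes the plugin slug `captcha` with main file `captcha.php` and the standard WordPress `Version:` plugin header, and the directory fixture it scans is constructed.

```python
"""Check a WordPress wp-content/plugins directory for the indicators of the
backdoored Captcha releases (versions 4.3.6 - 4.4.4, dropped file
plugin-update.php). Added example; the plugin layout below is constructed."""
import os
import re
import tempfile

BACKDOORED_RANGE = ((4, 3, 6), (4, 4, 4))   # inclusive, per the report
DROPPED_FILE = "plugin-update.php"          # the backdoor file name from the report
CAPTCHA_SLUG = "captcha"                    # assumed plugin directory / main-file slug


def parse_version(header_text):
    """Return the 'Version:' header of a WordPress plugin as a 3-tuple, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.M)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split(".") if p)
    return (parts + (0, 0, 0))[:3]          # pad so '4.4' compares as (4, 4, 0)


def in_backdoored_range(version):
    lo, hi = BACKDOORED_RANGE
    return version is not None and lo <= version <= hi


def scan_plugins_dir(plugins_dir):
    """Return (plugin, finding) pairs for every indicator present."""
    findings = []
    for name in sorted(os.listdir(plugins_dir)):
        pdir = os.path.join(plugins_dir, name)
        if not os.path.isdir(pdir):
            continue
        main = os.path.join(pdir, name + ".php")
        if name == CAPTCHA_SLUG and os.path.isfile(main):
            with open(main, encoding="utf-8", errors="replace") as f:
                version = parse_version(f.read(4096))   # header sits at the top
            if in_backdoored_range(version):
                findings.append((name, "backdoored Captcha version %s"
                                 % ".".join(map(str, version))))
        if os.path.isfile(os.path.join(pdir, DROPPED_FILE)):
            findings.append((name, "contains " + DROPPED_FILE))
    return findings


def build_sample_plugins_dir():
    """Constructed fixture: a still-backdoored Captcha install plus a clean plugin."""
    root = tempfile.mkdtemp()
    cap = os.path.join(root, CAPTCHA_SLUG)
    os.makedirs(cap)
    with open(os.path.join(cap, "captcha.php"), "w") as f:
        f.write("<?php\n/*\nPlugin Name: Captcha\nVersion: 4.4.4\n*/\n")
    open(os.path.join(cap, DROPPED_FILE), "w").close()
    clean = os.path.join(root, "hello-dolly")
    os.makedirs(clean)
    with open(os.path.join(clean, "hello-dolly.php"), "w") as f:
        f.write("<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7\n*/\n")
    return root


if __name__ == "__main__":
    for plugin, what in scan_plugins_dir(build_sample_plugins_dir()):
        print(plugin, "->", what)
```

Point `scan_plugins_dir` at a real `wp-content/plugins` path to run it against a live install; an empty result means neither indicator is present.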

Related: Backdoored Plugin Impacts 200,000 WordPress Sites

Related: Backdoor Masquerades as Popular WordPress Plugin

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
