Malicious hackers have been caught hiding their WordPress malware in the ‘mu-plugins’ directory to evade routine security checks, according to a warning issued by Sucuri.
The mu-plugins, short for Must-Use plugins, are automatically loaded on every page, do not require activation, and do not appear in the standard WordPress plugin interface. This makes the directory an appealing target for threat actors already seen abusing it for stealth infections.
In February, Sucuri warned of suspicious index.php and test-mu-plugin.php files in the mu-plugins directory that contained code to execute additional payloads, resulting in backdoors being deployed on the infected sites.
Now, the company said it has found more malware hidden in the same directory, designed to redirect site visitors to external, malicious pages; to create a web shell for command execution, providing attackers with control over the website; and to inject spam content into the website.
The files, named redirect.php, index.php, and custom-js-loader.php, mimic legitimate WordPress functions. However, the site’s unusual behavior and the presence of new files in the mu-plugins directory should trigger suspicion, Sucuri said.
“Website administrators may also notice elevated server resource usage with no clear explanation, along with unexpected file modifications or the inclusion of unauthorized code in critical directories,” the company added.
The script hidden within redirect.php executes based on whether the visitor is an administrator, a bot, or a regular user, displaying a fake browser or system update to trick the user into executing malicious code that can inject backdoors and other malware, or steal the visitor’s data.
Within the index.php file, the attackers hid a function to fetch and execute a PHP script from a remote location. The attackers, Sucuri warned, can modify the remote payload to dynamically inject new malware into the infected site.
The injection of a web shell into the compromised website, the security firm explains, provides the threat actors with remote control over the site, allowing them to execute commands, upload files, steal data, and mount other types of attacks.
The third identified malware uses JavaScript injection to replace images and modify links on the infected site, and intercept clicks to display malicious popups instead of directing the users to the intended destination.
“The ultimate goal behind these infections appears to be a mix of monetization and persistence. Each of these techniques benefits the attacker financially while keeping their payload hidden,” Sucuri said, noting that the websites might have been infected through vulnerable plugins or themes, compromised credentials, or the abuse of weak file permissions or outdated server configurations.
Related: 8,000 New WordPress Vulnerabilities Reported in 2024
Related: Hunk Companion, WP Query Console Flaws Chained to Hack WordPress Sites
Related: Critical Flaws Found in Popular Anti-Spam WordPress Plugin
Related: Critical Plugin Flaw Exposed 4 Million WordPress Websites to Takeover
