A widespread malware campaign has been uncovered, targeting over 5,000 WordPress websites globally. The campaign, traced back to the malicious domain https://wp3[.]xyz, has been actively exploiting vulnerabilities in WordPress websites to create unauthorized admin accounts, deploy malicious plugins, and exfiltrate sensitive data, according to a report by Himanshu Anand, a security researcher at c/side, a cybersecurity firm.
The attack utilizes a script hosted on the domain https://wp3[.]xyz/td.js to infiltrate WordPress sites. The script fetches a Cross-Site Request Forgery (CSRF) token to create an admin user account with hardcoded credentials:
- Username: wpx_admin
- Password: [REDACTED]
Once the malicious admin account is created, the script installs a plugin downloaded from https://wp3.xyz/plugin[.]php. This plugin activates itself and communicates with a command-and-control (C2) server, exfiltrating data such as admin credentials and operation logs via obfuscated image requests.
“WP3.XYZ is a malicious domain used for exfiltrating sensitive data, including admin credentials and operation statuses, while serving as a source for downloading malicious WordPress plugins to compromise targeted websites,” Anand explains in the report.
The attack unfolds in a structured sequence:
- Admin Account Creation: The script automates user creation using the CSRF token obtained from the WordPress admin panel. It sends a POST request to set up the wpx_admin account, logging the operation’s status.
- Malicious Plugin Installation: The script fetches the plugin installation page, retrieves another CSRF token, and uploads the plugin fetched from the remote server. It then activates the plugin to begin its operations.
- Data Exfiltration: Sensitive information is sent to https://wp3.xyz/tdw1[.]php using an image-based logging mechanism. Because the data travels inside what looks like an ordinary image request, the technique is less likely to raise alarms in standard security tools.
- Verification: The script performs a final check to ensure the malicious payload is successfully installed by scanning for references to wp3.xyz within the infected website.
To identify compromised sites, c/side recommends using tools like PublicWWW and URLScan. Site owners are urged to take immediate steps to protect their platforms:
- Block the Domain: Use firewalls or security tools to block access to https://wp3[.]xyz.
- Audit Admin Accounts: Check for unauthorized users such as wpx_admin.
- Remove Malicious Plugins: Disable and delete any suspicious plugins.
- Enhance Security Measures:
  - Strengthen CSRF protections.
  - Implement Multi-Factor Authentication (MFA).
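The audit steps above (look for the wpx_admin account and any other unexpected administrator, and find files that reference wp3.xyz, which is also what the malware's own verification step checks for) can be scripted. The following is an added example written for this article, not c/side's tooling or anything from the report. It builds a constructed, harmless WordPress-like directory tree and a constructed user list in place of a real install and a real `wp_users` export; the function and variable names are this example's own.

```python
"""Defender-side triage for the wp3.xyz campaign described above.

Added example, not c/side's code. It does two things:
  1. walks a WordPress install (here a constructed temp directory) and reports
     every PHP/JS/HTML file whose contents reference the wp3.xyz domain;
  2. checks a user listing (constructed here to stand in for an export of
     wp_users plus roles) for the hardcoded wpx_admin account and for any
     administrator that is not on an expected allowlist.
"""
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Indicator from the report. The pattern also matches the defanged spelling
# "wp3[.]xyz" so that security notes pasted into a site are still found.
IOC_DOMAIN_RE = re.compile(r"wp3\s*\[?\.\]?\s*xyz", re.IGNORECASE)

# Hardcoded username the campaign creates, per the report.
ROGUE_USERNAMES = {"wpx_admin"}

SCANNED_SUFFIXES = (".php", ".js", ".html", ".htm")


def scan_tree_for_ioc(root: Path) -> List[str]:
    """Return sorted, root-relative paths of scanned files that reference wp3.xyz."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCANNED_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if IOC_DOMAIN_RE.search(text):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def audit_admins(users: Iterable[Tuple[str, str]],
                 expected_admins: Iterable[str]) -> List[Tuple[str, str]]:
    """users: (login, role) pairs. Returns (login, reason) for accounts to review."""
    allow = set(expected_admins)
    flagged = []
    for login, role in users:
        if login in ROGUE_USERNAMES:
            flagged.append((login, "known rogue account from the wp3.xyz campaign"))
        elif role == "administrator" and login not in allow:
            flagged.append((login, "administrator not on the allowlist"))
    return flagged


def build_sample_site() -> Path:
    """Constructed WordPress-like tree for the demo; contains no real malware."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    plugins = root / "wp-content" / "plugins"
    (plugins / "legit-seo").mkdir(parents=True)
    (plugins / "legit-seo" / "seo.php").write_text("<?php // harmless plugin ?>")
    (plugins / "odd-plugin").mkdir(parents=True)
    (plugins / "odd-plugin" / "odd.php").write_text(
        "<?php $endpoint = 'https://wp3.xyz/tdw1.php'; // constructed reference ?>")
    theme = root / "wp-content" / "themes" / "sample-theme"
    theme.mkdir(parents=True)
    (theme / "footer.php").write_text("<!-- constructed: loads wp3[.]xyz/td.js -->")
    # A .txt file is deliberately outside the scanned suffixes.
    (root / "readme.txt").write_text("wp3.xyz mentioned in a text file, not scanned")
    return root


# Constructed user listing: alice is the only expected administrator.
SAMPLE_USERS = [
    ("alice", "administrator"),
    ("bob", "editor"),
    ("wpx_admin", "administrator"),
    ("mallory", "administrator"),
]


def run_triage(expected_admins: Iterable[str] = ("alice",)) -> Dict[str, list]:
    """Build the sample site, run both checks, and clean up the temp tree."""
    root = build_sample_site()
    try:
        return {
            "ioc_files": scan_tree_for_ioc(root),
            "flagged_users": audit_admins(SAMPLE_USERS, expected_admins),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = run_triage()
    for f in result["ioc_files"]:
        print(f"IOC reference: {f}")
    for login, reason in result["flagged_users"]:
        print(f"Review user {login}: {reason}")
```

On a real site, point `scan_tree_for_ioc` at the WordPress document root and feed `audit_admins` the output of a user export (for example a dump of the login/role pairs from the database) with the administrators you actually expect as the allowlist; the domain match is deliberately loose so that both plain and defanged spellings are reported, and a hit in a plugin directory is a reason to disable and delete that plugin, as the report advises.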
“Check your site now to remove any unauthorized admin accounts and remove any unused plugins or themes,” the report emphasizes.