Certified Security Operations Center GmbH

13. March 2024

Cyber threat spotlight: The “Linux Backdoor WordPress Exploit 2” attack

In our latest security analysis, our command center has identified concerning activity relevant to businesses of all sizes: a malware attack specifically targeting WordPress websites, named “Linux.Backdoor.WordpressExploit.2”. As attacks of this nature pose a serious threat, we aim to provide not only the technical details of this attack but also practical recommendations to help you better protect your IT infrastructure.

Approach of the attackers

The malware discussed here infects WordPress-based websites, allowing attackers remote access to the compromised server. Once inside the system, the attacker can steal data, install additional malware, or utilize the server for further malicious activities.

A critical component of this malware is its connection to a Command-and-Control (C&C) server known as “lobbydesires.com”. Through DNS queries, the malware communicates with this domain to receive instructions and potentially transmit stolen data.

Developed for Linux operating systems, this Trojan targets WordPress websites by exploiting numerous known security vulnerabilities in outdated plugins and themes, capable of initiating up to 250 processes simultaneously. Following successful attacks, websites are infected with malicious JavaScript that redirects visitors to other sites. The Trojan communicates with a C&C server to execute various commands, including attacking specific websites, switching to standby mode, and halting its own logging. Additionally, it includes functionality for brute-force attacks on administrator accounts.

Our recommendations for action:

  • Monitor network traffic for requests to the suspicious domain “lobbydesires.com”. Such communication can indicate an infection.
  • Ensure all your WordPress installations are up to date. This includes updating WordPress itself, as well as themes and plugins.
  • Conduct regular security audits of your web servers. This involves scanning for malware and reviewing security configurations.
  • Educate your staff about cyber threats. They should be trained to recognize suspicious activities and report them accordingly.
  • Implement a robust backup strategy. In case of infection, backups allow for quicker system restoration.
  • Restrict access to your WordPress installations. Use strong, unique passwords and consider implementing two-factor authentication.

The threat posed by “Linux.Backdoor.WordpressExploit.2” is a stark reminder of the evolving nature of cybercrime. It is crucial for businesses to remain proactive, regularly review their security protocols, and adequately train their employees. By adhering to these essential recommendations, you can make a significant contribution to the security of your digital infrastructure.