Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Inside Stealthworker: How It Compromises WordPress, Step-by-Step

A new wave of attacks using old malware is threatening WordPress sites that don't have strong password policies.

(image by Sergey Lukianov, via Adobe Stock)

WordPress is, by a considerable margin, the most widely used content management system (CMS) in the world. It's no surprise, then, that it's also widely targeted by criminals looking for servers to exploit. And new research shows that a known threat - Stealthworker - is seeing new life in a campaign that includes not just WordPress, but most of the major CMS platforms and web application frameworks in common use.

In a blog post, Akamai senior research analyst Larry Cashdollar detailed how Stealthworker found one of his honeypots and settled in to take over the server. In the process, the malware gathered enough data to enable re-taking the server within an hour of a system wipe and rebuild, and showed just how widely a single strain of malware can spread across the Web's content infrastructure.

Inside Stealthworker

In an interview with Dark Reading, Cashdollar says that he first noticed an issue when traffic to and from a WordPress Docker instance in his lab saw a spike in traffic. The spike was a brute force WordPress login attack that was quickly successful against the simple admin password he had given the system.

"The first thing they did was upload a theme called 'Alternate Lite,'" Cashdollar says, pointing out that this is the name of a legitimate WordPress theme. Part of the theme is a PHP script called customizer.php - a script that the attacker replaced with an uploader of their own design.

The uploader brings back a file called "mwebp," written in GoLang and packed with UPX, that Cashdollar describes as a, "seven megabyte meatball of a binary," that installs itself, renames its process to "stealth" and then erases the downloaded evidence.

At this point, Cashdollar saw that the now-compromised WordPress instance was making many connections to other WordPress sites across the Internet, trying to log into each as a user using the same brute force techniques used on his honeypot.

Off to the C&C Server
Once the established malware is communicating with the C&C server, it's assigned a role. Cashdollar described the roles as scanning new targets to determine the software running on them, or launching brute force attacks on the targets.

The brute force attacks are not uninformed, he explains. Instead, servers doing reconnaissance on targets will crawl the sites looking for keywords, metadata, and other basic information to use in possible login and password combinations. These "seeds" increase the likelihood that a successful combination can be found.

And those combinations don't have to occur on a WordPress site. In picking the code apart, Cashdollar found code for brute force attempts on CMSes like Drupal and Joomla, ecommerce frameworks like Magento and OpenCart, and applications components like Postgres, MySQL, and PHP.

The goal in each of these cases is to recruit the infected server into a botnet that can be leased out for virtually any malicious purpose. Once a server is out of the owner's control, the criminal sky is the limit.

Straightforward Protection
Asked about the best way owners can protect their CMS installations from Stealthworker, Cashdollar doesn't hesitate: "Multi-factor authentication!" he says. Multifactor authentication will absolutely prevent Stealthworker from successfully attacking a CMS's authentication. If MFA is not possible, then strong passwords that don't use elements of the site's content as a component are the next-best option.

Related Content:








Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really   bad day" in cybersecurity. Click for more information and to register

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights