Cybersecurity In-Depth

The Edge

Inside Stealthworker: How It Compromises WordPress, Step-by-Step

A new wave of attacks using old malware is threatening WordPress sites that don't have strong password policies.

WordPress is, by a considerable margin, the most widely used content management system (CMS) in the world. It's no surprise, then, that it's also widely targeted by criminals looking for servers to exploit. And new research shows that a known threat - Stealthworker - is seeing new life in a campaign that includes not just WordPress, but most of the major CMS platforms and web application frameworks in common use.

In a blog post, Akamai senior research analyst Larry Cashdollar detailed how Stealthworker found one of his honeypots and settled in to take over the server. In the process, the malware gathered enough data to enable re-taking the server within an hour of a system wipe and rebuild, and showed just how widely a single strain of malware can spread across the Web's content infrastructure.

Inside Stealthworker

In an interview with Dark Reading, Cashdollar says that he first noticed an issue when traffic to and from a WordPress Docker instance in his lab saw a spike in traffic. The spike was a brute force WordPress login attack that was quickly successful against the simple admin password he had given the system.

"The first thing they did was upload a theme called 'Alternate Lite,'" Cashdollar says, pointing out that this is the name of a legitimate WordPress theme. Part of the theme is a PHP script called customizer.php - a script that the attacker replaced with an uploader of their own design.

The uploader brings back a file called "mwebp," written in GoLang and packed with UPX, that Cashdollar describes as a, "seven megabyte meatball of a binary," that installs itself, renames its process to "stealth" and then erases the downloaded evidence.

At this point, Cashdollar saw that the now-compromised WordPress instance was making many connections to other WordPress sites across the Internet, trying to log into each as a user using the same brute force techniques used on his honeypot.

Off to the C&C Server
Once the established malware is communicating with the C&C server, it's assigned a role. Cashdollar described the roles as scanning new targets to determine the software running on them, or launching brute force attacks on the targets.

The brute force attacks are not uninformed, he explains. Instead, servers doing reconnaissance on targets will crawl the sites looking for keywords, metadata, and other basic information to use in possible login and password combinations. These "seeds" increase the likelihood that a successful combination can be found.

And those combinations don't have to occur on a WordPress site. In picking the code apart, Cashdollar found code for brute force attempts on CMSes like Drupal and Joomla, ecommerce frameworks like Magento and OpenCart, and applications components like Postgres, MySQL, and PHP.

The goal in each of these cases is to recruit the infected server into a botnet that can be leased out for virtually any malicious purpose. Once a server is out of the owner's control, the criminal sky is the limit.

Straightforward Protection
Asked about the best way owners can protect their CMS installations from Stealthworker, Cashdollar doesn't hesitate: "Multi-factor authentication!" he says. Multifactor authentication will absolutely prevent Stealthworker from successfully attacking a CMS's authentication. If MFA is not possible, then strong passwords that don't use elements of the site's content as a component are the next-best option.

Related Content:


Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really   bad day" in cybersecurity. Click for more information and to register