
Edge Articles

6/12/2020
10:55 AM
Curtis Franklin Jr.

Inside Stealthworker: How It Compromises WordPress, Step-by-Step

A new wave of attacks using old malware is threatening WordPress sites that don't have strong password policies.

WordPress is, by a considerable margin, the most widely used content management system (CMS) in the world. It's no surprise, then, that it's also widely targeted by criminals looking for servers to exploit. And new research shows that a known threat - Stealthworker - is seeing new life in a campaign that includes not just WordPress, but most of the major CMS platforms and web application frameworks in common use.

In a blog post, Akamai senior research analyst Larry Cashdollar detailed how Stealthworker found one of his honeypots and settled in to take over the server. In the process, the malware gathered enough data to let the attackers retake the server within an hour of a system wipe and rebuild, and showed just how widely a single strain of malware can spread across the Web's content infrastructure.

Inside Stealthworker

In an interview with Dark Reading, Cashdollar says he first noticed something was wrong when traffic to and from a WordPress Docker instance in his lab spiked. The spike was a brute-force attack on the WordPress login, and it quickly succeeded against the simple admin password he had given the system.

"The first thing they did was upload a theme called 'Alternate Lite,'" Cashdollar says, pointing out that this is the name of a legitimate WordPress theme. Part of the theme is a PHP script called customizer.php - a script that the attacker replaced with an uploader of their own design.

The uploader then fetches a file called "mwebp," written in Go and packed with UPX, that Cashdollar describes as a "seven megabyte meatball of a binary." It installs itself, renames its process to "stealth," and then erases the downloaded evidence.

At this point, Cashdollar saw that the now-compromised WordPress instance was making many connections to other WordPress sites across the Internet, trying to log into each one with the same brute-force techniques that had been used against his honeypot.
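An added example, not from the article or from Akamai's research, of how a site owner could spot this kind of login brute force in a web server access log: it counts POSTs to wp-login.php per source address inside a sliding window and notes whether a redirect (the response WordPress sends on a successful login, as opposed to re-rendering the form with a 200 on failure) appeared among the burst. The log lines are constructed, and the threshold and window size are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # skip lines that are not in the expected format
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop the query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))

def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: {"attempts": n, "succeeded": bool}} for every source that POSTed
    to wp-login.php at least `threshold` times inside any `window`. A failed WordPress
    login re-renders the form (200); a successful one redirects to wp-admin (302)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].endswith("/wp-login.php"):
            events[rec[0]].append((rec[1], rec[4]))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        best, j = 0, 0
        for i in range(len(evs)):  # two-pointer sliding window over sorted timestamps
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            hits[ip] = {"attempts": best,
                        "succeeded": any(status == 302 for _, status in evs)}
    return hits

# Constructed sample: one address hammers wp-login.php and finally gets a 302; another makes one ordinary attempt.
SAMPLE_LOG = [
    f'203.0.113.5 - - [12/Jun/2020:10:55:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"'
    for s in (1, 5, 9, 14, 20, 27, 33, 40, 48, 55)
] + [
    '203.0.113.5 - - [12/Jun/2020:10:56:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jun/2020:10:56:10 +0000] "GET /blog/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jun/2020:10:57:30 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
]
```

Running `find_bruteforce(SAMPLE_LOG)` flags only 203.0.113.5, with 11 attempts and a successful login; a real deployment would feed it the live log and alert on the `succeeded` flag first.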

Off to the C&C Server
Once the malware is established and communicating with the C&C server, it is assigned a role. Cashdollar describes the roles as either scanning new targets to determine what software they run, or launching brute-force attacks against them.

The brute-force attacks are not uninformed, he explains. Instead, the servers assigned to reconnaissance crawl the target sites looking for keywords, metadata, and other basic information to use in candidate login and password combinations. These "seeds" increase the likelihood that a working combination will be found.

And those combinations don't have to be aimed at a WordPress site. In picking the code apart, Cashdollar found brute-force routines for CMSes like Drupal and Joomla, e-commerce frameworks like Magento and OpenCart, and application components like Postgres, MySQL, and PHP.

The goal in each of these cases is to recruit the infected server into a botnet that can be leased out for virtually any malicious purpose. Once a server is out of the owner's control, the criminal sky is the limit.

Straightforward Protection
Asked about the best way owners can protect their CMS installations from Stealthworker, Cashdollar doesn't hesitate: "Multi-factor authentication!" he says. Multi-factor authentication will absolutely prevent Stealthworker from successfully attacking a CMS's authentication. If MFA is not possible, then strong passwords that don't use elements of the site's content as a component are the next-best option.
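An added example, not from the article, of the "next-best option" above: a password check that rejects passwords built from the very site content (title, tagline, domain, author names) that Stealthworker's reconnaissance role scrapes for seeds, even after the common character substitutions a wordlist mangler applies. The site values and candidate passwords are constructed; the minimum length and the substitution table are assumptions.

```python
import re

# Undo the character substitutions a wordlist mangler commonly applies, so a
# seed such as "widgets" still matches "W1dg3ts". (Assumed, simplified table.)
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def site_seeds(site_title, tagline, domain, extra_terms=()):
    """Words (4+ letters) an attacker could scrape from the site itself and
    feed into password guesses: title, tagline, domain labels, author names."""
    text = " ".join([site_title, tagline, domain.replace(".", " "), *extra_terms])
    seeds = {w.lower() for w in re.findall(r"[A-Za-z]{4,}", text)}
    seeds.add(re.sub(r"[^a-z]", "", site_title.lower()))  # "Acme Widgets Blog" -> "acmewidgetsblog"
    seeds.add(domain.split(".")[0].lower())                 # first domain label
    return {s for s in seeds if len(s) >= 4}

def check_password(password, seeds, min_length=12):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    normalized = password.lower().translate(LEET)
    for seed in sorted(seeds):
        if seed in normalized:
            problems.append(f"contains site-derived term '{seed}'")
    return problems

# Constructed sample site; "Jane Doe" stands in for a visible author name.
SEEDS = site_seeds("Acme Widgets Blog", "Widgets and gadgets since 1999",
                   "acmewidgets.example", extra_terms=["Jane Doe"])

if __name__ == "__main__":
    for pw in ("Acm3W1dg3ts2020!", "Tr0ub4dor&3", "correct-horse-battery-staple"):
        print(pw, "->", check_password(pw, SEEDS) or "OK")
```

Note that "Acm3W1dg3ts2020!" is long and mixes character classes yet still fails, because once the substitutions are undone it is nothing but the site's own name.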

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...