Threat actors have been observed leveraging a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign, Sucuri revealed in a report published last week.
The plugin in question is Eval PHP, released by a developer named flashpixx. It allows users to insert PHP code pages and posts of WordPress sites that are then executed every time the posts are opened in a web browser.
While Eval PHP has never received an update in 11 years, statistics gathered by WordPress show that it’s installed on over 8,000 websites, with the number of downloads skyrocketing from one or two on average since September 2022 to 6,988 on March 30, 2023.
On April 23, 2023, alone, it was downloaded 2,140 times. The plugin has racked up 23,110 downloads over the past seven days.
GoDaddy-owned Sucuri said it observed some infected websites’ databases injected with malicious code into the “wp_posts” table, which stores a site’s posts, pages, and navigation menu information. The requests originate from three different IP addresses based in Russia.
“This code is quite simple: It uses the file_put_contents function to create a PHP script into the docroot of the website with the specified remote code execution backdoor,” security researcher Ben Martin said.
“Although the injection in question does drop a conventional backdoor into the file structure, the combination of a legitimate plugin and a backdoor dropper in a WordPress post allows them to easily reinfect the website and stay hidden. All the attacker needs to do is to visit one of the infected posts or pages and the backdoor will be injected into the file structure.”
Sucuri said it detected over 6,000 instances of this backdoor on compromised websites in the last 6 months, describing the pattern of inserting the malware directly into the database as a “new and interesting development.”
The attack chain entails installing the Eval PHP plugin on compromised sites and misusing it to establish persistent backdoors across multiple posts that are sometimes also saved as drafts.
“The way the Eval PHP plugin works it’s enough to save a page as a draft in order to execute the PHP code inside the [evalphp] shortcodes,” Martin explained, adding the rogue pages are created with a real site administrator as their author, suggesting the attackers were able to successfully sign in as a privileged user.
The development once again points to how malicious actors are experimenting with different methods to maintain their foothold in compromised environments and evade server-side scans and file integrity monitoring.
Site owners are advised to secure the WP Admin dashboard as well as watch out for any suspicious logins to prevent threat actors from gaining admin access and install the outdated WordPress plugin.