The trojan is remotely controlled by cybercriminals, allowing them to attack specified websites, switch to standby mode, shut itself down, and pause logging its actions. It primarily focuses on hacking WordPress-based websites and injecting malicious scripts into their webpages by using known vulnerabilities in plugins and themes. The trojan collects statistics on its attacks and reports back to the C&C (command and control) server.
Additionally, Doctor Web discovered an updated version of the trojan, called Linux.BackDoor.WordPressExploit.2, which differs in its C&C server address and in the list of exploited vulnerabilities.
To protect against this threat, website owners are advised to keep their WordPress platform and all its components, including third-party add-ons and themes, up-to-date. Strong and unique logins and passwords should also be used for website accounts.
The vulnerable WordPress plugins and themes are unpatched versions of:
- Brizy WordPress Plugin
- FV Flowplayer Video Player
- WordPress Coming Soon Page
- WordPress theme OneTone
- Simple Fields WordPress Plugin
- WordPress Delucks SEO plugin
- Poll, Survey, Form & Quiz Maker by OpinionStage
- Social Metrics Tracker
- WPeMatico RSS Feed Fetcher
- Rich Reviews plugin
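
To act on the update advice, a site owner first needs to know whether any of the listed components are installed. The following Python sketch is an added example, not code from Doctor Web: it reads the standard WordPress plugin and theme file headers under `wp-content` and reports the name and version of anything matching the list above. The matching keywords and the sample tree are assumptions built from the names on this page, and because the page gives no fixed version numbers, each hit still has to be checked against the vendor's changelog.

```python
import re
import tempfile
from pathlib import Path

# Names taken from the list above; substring matching on them is an assumption,
# since real header wording can differ. Treat every hit as a lead to verify.
WATCHLIST = ["Brizy", "FV Flowplayer", "Coming Soon Page", "OneTone", "Simple Fields",
             "Delucks SEO", "OpinionStage", "Social Metrics Tracker", "WPeMatico",
             "Rich Reviews"]
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Theme Name|Version):[ \t]*(.+?)[ \t]*$",
                    re.I | re.M)

def norm(s):
    """Lowercase and drop punctuation/spaces so 'Opinion Stage' matches 'OpinionStage'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def read_header(path):
    """Parse the name and version from a WordPress plugin/theme file header."""
    text = path.read_text(errors="ignore")[:8192]  # WordPress itself reads only the first 8 KB
    fields = {}
    for key, value in HEADER.findall(text):
        fields.setdefault("version" if key.lower() == "version" else "name", value.strip())
    return fields if "name" in fields else None

def audit(wp_content):
    """Return (kind, name, version) for installed components that match WATCHLIST."""
    root = Path(wp_content)
    files = [*root.glob("plugins/*.php"), *root.glob("plugins/*/*.php"),
             *root.glob("themes/*/style.css")]
    hits = []
    for f in sorted(files):
        meta = read_header(f)
        if meta and any(norm(w) in norm(meta["name"]) for w in WATCHLIST):
            kind = "theme" if f.name == "style.css" else "plugin"
            hits.append((kind, meta["name"], meta.get("version", "unknown")))
    return hits

def demo():
    """Audit a constructed wp-content tree (sample names and versions are made up)."""
    samples = {
        "plugins/wpematico/wpematico.php": "<?php\n/*\n * Plugin Name: WPeMatico\n * Version: 0.0.0-sample\n */\n",
        "plugins/hello/hello.php": "<?php\n/*\nPlugin Name: Hello Sample\nVersion: 1.0\n*/\n",
        "themes/onetone/style.css": "/*\nTheme Name: OneTone\nVersion: 0.0.0-sample\n*/\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return audit(tmp)
```

Calling `audit()` with the path to a real `wp-content` directory returns the same tuples for that site; deactivated plugins are included because they are still present on disk.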