
Smart Slider updates hijacked to push malicious WordPress, Joomla versions

Why This Matters

The hijacking of the Smart Slider 3 Pro plugin's update system is a supply-chain compromise with reach into over 900,000 websites, giving the attackers a channel to install backdoors, steal data, and maintain persistent access. The incident shows how much web infrastructure depends on the integrity of plugin update channels, and on site owners applying vendor guidance quickly once a compromise is disclosed.

Key Takeaways

Hackers hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla, and pushed a malicious version with multiple backdoors.

The developer says that only Pro version 3.5.1.35 of the plugin is affected and recommends switching immediately to the latest version, currently 3.5.1.36, or reverting to 3.5.1.34 or earlier.

Apart from installing backdoors in multiple locations, the malicious update created a hidden user with administrator permissions and stole sensitive data.

Smart Slider 3 for WordPress is used on over 900,000 websites for responsive slider creation via a live slider editor, featuring a large selection of layouts and designs.

According to the vendor, the threat actor distributed the malicious update on April 7, and some websites may have installed it.

An analysis from PatchStack, a company focusing on securing WordPress and open-source software, notes that the malware is a fully featured, multi-layered toolkit embedded in the plugin’s main file while preserving Smart Slider's normal functionality.

The researchers noticed that the malicious kit allows a remote attacker to execute commands without authentication via crafted HTTP headers. It also includes a second authenticated backdoor with both PHP eval and OS command execution, and automated credential theft.

The malware achieves persistence through multiple layers, one of which is creating a hidden admin account and storing its credentials in the database.

Figure: Creating a hidden admin account (Source: PatchStack)
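A defender-side triage script, added here as an example and not part of the article or of the vendor's or PatchStack's material: it reads the Version: field from a plugin's main-file header to flag the affected 3.5.1.35 build, then lists every account granted the administrator role straight from wp_usermeta rows, where a hidden account still appears even if it is filtered out of the dashboard user list, and compares that against the site owner's allowlist. The plugin header and usermeta rows are constructed sample input, and the assumption that a hidden admin carries a standard serialized administrator capability entry is an assumption.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# The only build the vendor identifies as malicious (from the article).
AFFECTED_VERSION = "3.5.1.35"


def plugin_version(main_file_text: str) -> Optional[str]:
    """Return the 'Version:' field of a WordPress plugin header comment, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", main_file_text, re.MULTILINE)
    return m.group(1) if m else None


def is_affected(main_file_text: str) -> bool:
    """True when the installed plugin is exactly the hijacked 3.5.1.35 build."""
    return plugin_version(main_file_text) == AFFECTED_VERSION


def administrator_logins(usermeta_rows: Iterable[Tuple[int, str, str]],
                         users: Dict[int, str]) -> List[str]:
    """Logins of every user whose serialized capabilities grant 'administrator'.
    Rows are (user_id, meta_key, meta_value) as exported from wp_usermeta; the
    key is '<table prefix>capabilities', so only the suffix is matched."""
    admins = []
    for user_id, meta_key, meta_value in usermeta_rows:
        if (meta_key.endswith("capabilities")
                and re.search(r's:13:"administrator";b:1;', meta_value)):
            admins.append(users.get(user_id, f"<unknown user id {user_id}>"))
    return sorted(admins)


def unexpected_admins(admins: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Admin logins absent from the owner's allowlist: candidate hidden accounts."""
    return sorted(set(admins) - set(allowlist))


# Constructed sample input (not real site data); the table prefix is assumed.
SAMPLE_PLUGIN_HEADER = """<?php
/*
 * Plugin Name: Smart Slider 3 Pro
 * Version: 3.5.1.35
 */
"""
SAMPLE_USERS = {1: "siteowner", 2: "content_editor", 7: "wp_support"}
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),  # not on allowlist
]
KNOWN_ADMINS = ["siteowner"]

if __name__ == "__main__":
    print("affected build installed:", is_affected(SAMPLE_PLUGIN_HEADER))
    admins = administrator_logins(SAMPLE_USERMETA, SAMPLE_USERS)
    print("administrator accounts:", admins)
    print("not on allowlist:", unexpected_admins(admins, KNOWN_ADMINS))
```

Run it against a copy of the plugin's main file and a `SELECT user_id, meta_key, meta_value FROM wp_usermeta` export rather than the dashboard, since the article notes the account is hidden from normal views.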
