Stealthworker Malware Used To Hijack WordPress Sites


The Stealthworker malware has been detected as the primary weapon in a worldwide attack campaign taking down WordPress sites. An unknown hacking group is using this virus to compromise blogs running the platform. An analysis of how the infiltration is planned shows that the malware has been integrated into a multi-stage infection chain.

The Stealthworker Malware Used Once Against WordPress

One of the newest large-scale attacks against WordPress sites appears to use the Stealthworker malware as its main weapon. An unknown hacking group is deploying the threat as part of their campaign. The discovery was made through an ongoing honeypot network. This particular virus is written in the Go (Golang) programming language and can launch brute force attacks against major web services and platforms, including the following: cPanel/WHM, WordPress, Drupal, Joomla, OpenCart, Magento, MySQL, PostgreSQL, Bitrix, SSH and the FTP service. The malware can also be configured to look for administrator and backup login paths.

Through the honeypot operations, the security researchers were able to observe how the malware breaks into target systems. The victim test systems ran the free Alternate Lite WordPress theme on the test blog. After gaining access through the brute force attacks, the hackers replaced the theme's customizer.php script using a file upload command.

When the hacker-made script is launched on the victim site, the malicious uploader connects the installation to a hacker-controlled VPS server, from which a second script is retrieved and run. That script downloads a binary executable which is the main engine of the malware. Its first action is to check the server architecture (32-bit or 64-bit). Its next action is to kill any running processes whose name contains the "stealth" string.
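The intrusion chain above has two stages that leave traces a site operator can check for: a burst of failed logins against wp-login.php, and a theme file that no longer matches what was installed. The following script is an added example written for this article, not code from the researchers or from the malware; it runs two defensive heuristics over a constructed sample access log and an in-memory file baseline. The threshold (5 failed logins in 60 seconds), the theme slug in the sample log, and the assumption that a failed WordPress login returns HTTP 200 while a successful one redirects with 302 are all assumptions, not values from the article.

```python
"""Defensive checks for the two observable stages of the intrusion:
(1) brute force against wp-login.php, (2) a replaced theme file.
Thresholds, paths and the sample log are assumptions made for this example."""
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx combined-log prefix: client IP, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log (not captured data). 203.0.113.7 hammers the login
# form, then edits a theme file once it has a password; the theme slug
# "example-theme" is made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2021:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2021:12:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:12:00:30 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:12:00:45 +0000] "GET /wp-content/themes/example-theme/customizer.php HTTP/1.1" 200 12 "-" "curl/7.68.0"
"""


def parse_line(line):
    """Return (ip, datetime, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def detect_login_bruteforce(lines, threshold=5, window_seconds=60):
    """Map each source IP to its peak count of failed logins inside any sliding window.

    Assumption: a failed login re-renders wp-login.php with HTTP 200, a success
    answers 302, so POST + 200 is counted as a failure.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if method != "POST" or path.split("?")[0] != "/wp-login.php" or status != 200:
            continue
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def flag_theme_writes(lines):
    """List (ip, path) for POSTs to wp-admin endpoints that can write theme files."""
    writers = ("/wp-admin/theme-editor.php", "/wp-admin/update.php")
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _, method, path, _ = rec
        clean = path.split("?")[0]
        if method == "POST" and clean in writers:
            hits.append((ip, clean))
    return hits


def hash_tree(files):
    """SHA-256 per file; `files` maps a relative path to its byte content."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}


def find_tampered(baseline, current):
    """Compare two hash trees and report modified, added and removed paths."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("brute force:", detect_login_bruteforce(lines))
    print("theme writes:", flag_theme_writes(lines))
    # Constructed baseline of a clean theme vs. a tree where customizer.php was swapped.
    clean = hash_tree({"customizer.php": b"<?php // original", "style.css": b"body{}"})
    now = hash_tree({"customizer.php": b"<?php // replaced", "style.css": b"body{}", "x.php": b"<?php"})
    print("tampered:", find_tampered(clean, now))
```

In practice the baseline hashes would be taken from a fresh copy of the theme package and compared against the live wp-content/themes directory; a modified customizer.php, or any PHP file that was never part of the theme, is the signal to investigate.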

While the set of commands and the malicious sequence are limited at this time, we expect the hackers to change them in the near future. It is very possible that the observed attacks are simply test runs confirming that the malware is fully functional. Future releases could be updated to support the following actions:

  • Additional Malware Code Delivery
  • Information Theft
  • Sabotage
  • Site Defacement

In order to stay safe, always keep your site installation up to date, along with any installed extra functionality such as themes and plugins.

Researched and written by:
HowToHosting Editors
HowToHosting.guide provides expertise and insight into the process of creating blogs and websites, finding the right hosting provider, and everything that comes in-between.
