The Stealthworker malware has been detected as the primary weapon used in a worldwide attack taking down WordPress sites. It is used by an unknown hacking group is using this virus to take down blogs using it. An analysis into how the infiltration strategy is planned reveals that the malware has been integrated into the infection plan.
The Stealthworker Malware Used Once Against WordPress
One of the newest large-scale attacks used against WordPress sites appears to be using the Stealthworker malware as the main weapon. An unknown hacking group is using the threat as part of their attack. The discovery was made as part of an ongoing honeypot capturing network. This particular virus is written in the Golang programming language and it can be used to launch brute force attacks against major web services and platforms including the following: cPanel/WHM, WordPress, Drupal, Joomla, OpenCart, Magento, MySQL, PostreSQL, Brixt, SSH and the FTP service. This malware can also be configured to look for administrator and backup login paths.
Through the honeypot operations the security researchers were able to detect how the malware has broken into the target systems. The victim test systems used a free Alternate Lite WordPress theme installed on the test blog. Using the brute force attacks the hackers were able to replace the customizer.php script using a file upload command.
When the hacker-made script is launched by the victims. The dangerous uploader script will connect the installation to a hacker-controlled VPS server from where a second script will be retrieved and run. It will download a binary executive which is the main engine of the malware. The first action that is run will be the checking of the server architecture — whether it is 32 or 64-bit. The next action will be to kill processes that contain the stealth string.
Also, Read 130M Attacks Try to Steal Database Credentials from 1.3M WordPress Sites
While the number of commands and malicious sequence is limited at this time we expect that the hackers will change it in the near future. It is very possible that the made attacks are simply test runs indicating that the malware is fully functional. The future releases can be updated to support the following actions:
- Additional Malware Code Delivery
- Information Theft
- Site Defacement
In order to stay safe always update your site installation along with any installed extra functionality such as themes and plugins.