BleepingComputer reports that WordPress sites could be taken over by a new backdoor masquerading as a legitimate caching plugin.
Aside from creating a "superadmin" user with admin-level permissions and later removing that user to conceal the infection, the plugin-spoofing malware also included bot detection to monitor spikes in site traffic and could replace content, including posts, links, and buttons, on targeted websites, according to a report from Defiant, the company behind the Wordfence plugin for WordPress.
Attackers could also leverage the malware to allow remote plugin activation and deactivation, as well as remote invocation of other functions, researchers reported.
"Taken together, these features provide attackers with everything they need to remotely control and monetize a victim site, at the expense of the site's own SEO rankings and user privacy," said researchers.
The new backdoor's emergence has prompted Defiant to update its free Wordfence plugin to include a detection signature, as well as introduce a firewall rule for its Care, Premium, and Response offerings.
North Korea's Lazarus Group, also known as Diamond Sleet, has been leveraging a trojanized CyberLink app installer to facilitate the distribution of LambLoad malware in a new supply chain attack, according to SiliconAngle.
Threat actors have been targeting macOS devices with the Atomic Stealer information-stealing malware, also known as AMOS, through fraudulent web browser updates as part of the new "ClearFake" campaign, The Hacker News reports.
Threat actors have been distributing a new Agent Tesla malware variant in attacks that use a lure file in the ZPAQ compression format, which offers improved compression ratios and journaling functionality over the RAR and ZIP formats, according to The Hacker News.