The two plug-ins, injectbody and injectscr, share similar functionalities and file structures, according to a Feb. 12 blog post from Sucuri, whose researchers found the threats on Feb. 8. Further analysis showed that attackers are adding the plugins after logging into website operators' WordPress dashboards using either rogue admin accounts or stolen credentials, and also that plug-in installation requests are primarily coming from random IP addresses and are probably automated.
In order to conceal their presence from everyone but the attackers, injectbody and injectscr both employ a function that removes them from a list of active plug-ins on the WordPress dashboard. “Only the attackers, who can log into WordPress using the malicious admin users INJECTBODY__ADMIN or INJECTSCR__ADMIN, or alternatively use legitimate admin credentials and append “?INJECTBODY__ADMIN=1” or “?INJECTSCR__ADMIN=1” GET parameters in the URL, are able to detect the presence of these malicious plugins on an infected website. explains blog post author and malware researcher Denis Sinegubko.
Sinegubko also reports that some websites infected with injectbody or injectscr were previously infected in January with a malware programmed to distribute spam email as well as create backdoors and file uploading scripts on the server.
In other WordPress news, Israeli security researcher Barak Tawily reported last week that a flaw in open source CMS WordPress could allow a malicious actor to take down a website with a single machine via a denial of service attack.