Categories
Security

Backdoor Uses Paste Site to Host Payload

Backdoor Uses Paste Site to Host Payload

Finding backdoors is one of the biggest challenges of a website security analyst, as backdoors are designed to be hidden in case the malware is found and removed.

Website Backdoors

A backdoor is a piece of malware that attackers leave behind to allow them access back into a website. Hackers like to inject code into different locations to increase their chances of retaining control of the website so they can reinfect it continuously.

Continue reading Backdoor Uses Paste Site to Host Payload at Sucuri Blog.

Categories
Security

Outdated Duplicator Plugin RCE Abused

Outdated Duplicator Plugin RCE Abused

We’re seeing an increase in the number of cases where attackers are disabling WordPress sites by removing or rewriting its wp-config.php file.

These cases are all linked to the same vulnerable software: WordPress Duplicator Plugin.

Versions lower than 1.2.42 of Snap Creek Duplicator plugin are vulnerable to a Remote Code Execution attack, where the malicious visitor is able to run any arbitrary code on the target site.

Continue reading Outdated Duplicator Plugin RCE Abused at Sucuri Blog.

Categories
Security

Fake Font Dropper

Fake Font Dropper

Every day we see different website infections. When we receive unusual or interesting cases, our researcher instincts are triggered to investigate the unusual website behavior in order to understand how new infections work. In this case, the odd behavior was the website’s pop-up window claiming there was a missing font.

The Unwanted Popup Window

A website owner reached out to us to investigate the error displaying on their site. The popup window informed the visitors that they were unable to view the content of the site because their computers were missing a font called “HoeflerText”:

The malware tries to trick visitors into clicking the “Update” button to download a malicious file called: Font_Update.exe

Earlier this year, we wrote about a wave of WordPress infections involving malicious plugins that inject obfuscated scripts, creating unwanted pop-up/pop-unders which serve unwanted ads.

Continue reading Fake Font Dropper at Sucuri Blog.

Categories
Security

Fake Plugins with Popuplink.js Redirect to Scam Sites

Fake Plugins with Popuplink.js Redirect to Scam Sites

Since July, we’ve been observing a massive WordPress infection that is responsible for unwanted redirects to scam and ad sites. This infection involves the tiny.cc URL shortener, a fake plugin that has been called either “index” or “wp_update”, and a malicious popuplink.js file.

Infected pages typically have these two scripts in the section of the page.

<script type='text/javascript' src='hxxps:///wp-content/plugins/index/popuplink.js?ver=4.9.7′>

Continue reading Fake Plugins with Popuplink.js Redirect to Scam Sites at Sucuri Blog.