New WP-antimalwary-bot.php Malware Threatens WordPress Sites
A new and dangerous malware variant, 'WP-antimalwary-bot.php', has been discovered, posing a significant threat to WordPress sites. Disguised as a legitimate plugin, it gives attackers persistent access to the site and can serve remote advertisements to its visitors.
The malware, first reported by a security firm on 22 January 2025, includes backdoor functions such as 'emergency_login_all_admins', which lets an attacker log in as any administrator without credentials, and 'execute_admin_command', which executes attacker-supplied PHP code on the server. Recent variants are more sophisticated, updating their ad-serving URLs dynamically rather than hard-coding them. The malware communicates with a command-and-control server located in Cyprus, pinging it every minute with the infected site's URL and a timestamp. It is also built to survive removal: a modified wp-cron.php file and a self-replicating routine re-create the plugin file if it is deleted, so removing the plugin file alone does not clean the site.
To prevent infection, site administrators should regularly audit installed plugins and themes, remove unused files, and monitor for unauthorized changes. Improving site resilience involves verifying file integrity against a known-good baseline, disabling direct file editing from the dashboard (the DISALLOW_FILE_EDIT setting in wp-config.php), using strong admin credentials with MFA, keeping routine backups, and running a reliable security plugin or web application firewall. Indicators of compromise include unexpected GET requests in the access logs (such as the once-a-minute C2 beacon), a wp-cron.php file that no longer matches the stock copy, JavaScript injected into the theme's header.php, and advertisement scripts loaded from base64-decoded URLs.
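The file-based indicators above can be checked mechanically. The following Python script is an added example, not code from the original report or from the researchers who found the malware: it walks a WordPress tree and flags the malicious plugin filename, the two backdoor function names, a wp-cron.php whose hash differs from a baseline, and a header.php that decodes base64 inside a script block. The sample site it builds is constructed here purely to exercise the checks; the stub plugin carries only the function names, not the malware's code, and the baseline hash is assumed to come from your own clean wp-cron.php.

```python
"""Scan a WordPress tree for the WP-antimalwary-bot.php indicators."""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up above. The two function names are the
# ones the report cites; the remaining patterns are generic.
SUSPECT_FILENAMES = {"wp-antimalwary-bot.php"}
BACKDOOR_FUNCTIONS = ("emergency_login_all_admins", "execute_admin_command")
# A <script> block that reaches PHP base64_decode() or JavaScript atob()
# before it closes: the obfuscated ad loader injected into header.php.
OBFUSCATED_SCRIPT = re.compile(
    r"<script\b[^>]*>(?:(?!</script>).)*?(?:base64_decode|atob)\s*\(",
    re.IGNORECASE | re.DOTALL,
)


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan(root, known_good_wp_cron_sha256):
    """Return a sorted list of (relative path, reason) findings for a docroot."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.name.lower() in SUSPECT_FILENAMES:
            findings.append((rel, "known malicious filename"))
        for fn in BACKDOOR_FUNCTIONS:
            if re.search(r"\bfunction\s+" + fn + r"\s*\(", text):
                findings.append((rel, f"backdoor function {fn}"))
        # wp-cron.php is what re-creates the plugin, so compare it to a baseline
        if rel == "wp-cron.php" and sha256_of(path) != known_good_wp_cron_sha256:
            findings.append((rel, "wp-cron.php differs from known-good hash"))
        if path.name == "header.php" and OBFUSCATED_SCRIPT.search(text):
            findings.append((rel, "obfuscated <script> in header.php"))
    return findings


def build_sample_site():
    """Create a throwaway WordPress-like tree of CONSTRUCTED files.

    The 'malicious' files are harmless stubs that only reproduce the
    indicators (names and shapes), not the malware itself.
    """
    root = Path(tempfile.mkdtemp(prefix="wp-ioc-"))
    cron = root / "wp-cron.php"
    cron.write_text("<?php\n// stand-in for the stock wp-cron.php\n")
    baseline = sha256_of(cron)  # what an integrity baseline would have recorded
    # Tampering: an appended line standing in for the re-creation logic.
    cron.write_text(cron.read_text() + "// attacker-appended re-install hook\n")

    plugins = root / "wp-content" / "plugins"
    plugins.mkdir(parents=True)
    (plugins / "wp-antimalwary-bot.php").write_text(
        "<?php\n/* Plugin Name: WP AntiMalwary Bot (stub) */\n"
        "function emergency_login_all_admins() { return true; }\n"
        "function execute_admin_command() { return true; }\n"
    )
    (plugins / "hello.php").write_text("<?php\nfunction hello_dolly() { return 'ok'; }\n")

    theme = root / "wp-content" / "themes" / "sample"
    theme.mkdir(parents=True)
    (theme / "header.php").write_text(
        "<head>\n<script>\nvar u = atob('QUJD');\n"  # placeholder base64, not a real ad URL
        "document.write('<script src=\"' + u + '\"><\\/script>');\n</script>\n</head>\n"
    )
    return root, baseline


if __name__ == "__main__":
    site, baseline = build_sample_site()
    for rel, reason in scan(site, baseline):
        print(f"{rel}: {reason}")
```

On a real site point `scan()` at the document root and feed it the SHA-256 of wp-cron.php from a clean copy of the same WordPress version (WP-CLI's `wp core verify-checksums` performs the equivalent comparison for all core files). A hit on wp-cron.php matters even if the plugin file is absent, because that is the component that brings the plugin back.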
The 'WP-antimalwary-bot.php' malware is a serious threat to WordPress sites: it gives attackers persistent access and turns the site into an ad-serving platform. Site administrators must remain vigilant, implementing the security measures above and regularly checking their sites for the signs of compromise described here.